Skip to main content
Online Privacy Policies: Contracting Away Control Over Personal Information?
Penn State Law Review (2007)
  • Allyson W Haynes
Individuals disclose personal information to websites in the course of everyday transactions. The treatment of that personal information is of great importance, as highlighted by the recent spate of data breaches and the surge in identity theft. When websites share such personal information with third parties, the threat of its use for illegal purposes increases. The current law allows website companies to protect themselves from liability for sharing or selling visitors’ personal information to third parties by focusing on disclosures in privacy policies, not on substantive treatment of personal information. Because of the low likelihood that a visitor will read or understand that policy, websites have an incentive to protect themselves by allowing for a broad use of the visitor’s personal information. In turn, websites word those policies as contractual commitments, purportedly binding visitors to their terms, which often include forum selection provisions as well as privacy terms. In light of these two factors – little substantive protection, and privacy provisions that allow for broad use of personal information – such visitors may well find themselves in the position of challenging the enforceability of the privacy policy. I argue that the policies are challengeable primarily on lack of assent and unconscionability grounds.
  • Privacy,
  • Internet,
  • Contracts
Publication Date
March, 2007
Citation Information
Allyson W. Haynes, Online Privacy Policies: Contracting Away Control Over Personal Information?, 111 Penn. St. L. Rev. 587 (2007). Available at: