Informational privacy is a matter of control; it consists in the ability to control when one’s personal information is collected, how it is used, and to whom it is distributed. The degree of control we once enjoyed has vanished. Advances in information processing technology now give others considerable power to determine when personal information is collected, how it is used, and to it is whom distributed. Privacy advocates sound the alarm in regard to both the governmental and private sectors. I focus exclusively on the later. Relying on the extensive privacy advocate literature, I assume we should try to regain control over private sector information process. The question is how. I reject the claim that we can do so by requiring businesses to obtain consent – or more accurately to go through the motions of obtaining consent – prior to collecting personal information. I contend that adequate informational privacy requires a rich background of informational norms.
Informational norms are social norms that constrain the collection, use, and distribution of personal information. Under ideal conditions, norm-governed exchanges not only implement acceptable tradeoffs between informational privacy and competing goals, they also ensure consumers give free and informed consent to those tradeoffs. The restriction to ideal conditions does not deprive the point of interest; rather, it shows that the interest is normative, not empirical. The ideal conditions are a goal we should strive to approximate in practice. Unfortunately current practice fails to adequately approximate this ideal in significant cases. Lack of norms is one important reason. The rapid advance in information processing technology has outstripped the relatively slow evolution of social norms in a wide range of important cases.