Indiana Law Journal

Document Type


Publication Date

Winter 2022

Publication Citation

98 Indiana Law Journal 75 (2022)


For decades, regulators, consumer advocates, and privacy theorists have grappled with one of privacy’s most important questions: how to protect private information that consumers unwittingly give away with the click of an “I accept” button. Reform efforts remain mired in a morass of text, focusing on the increasing volume and complexity of firms’ terms of service and privacy policies. This Article moves beyond such existing approaches. By analyzing terms of service and privacy policies from hundreds of top websites—which this Article calls “platform terms”—this Article demonstrates that the prevailing “notice and consent” paradigm of privacy regulation cannot provide meaningful protection.

This Article centers platforms’ unconstrained power as the flaw in notice-and-consent approaches. It makes three contributions to the contracts and privacy literatures. First, it explores the nuanced relationship between platform terms and contract law. Neither scholars nor courts agree on whether platform terms, and in particular privacy policies, constitute contracts. This Article shows that, in either case, both courts and regulators resort to contract reasoning to implement noticeand- consent approaches to privacy regulation. Second, it demonstrates that platforms enjoy complete authority over every aspect of their relationship with individuals. It explores the prevalence of unilateral modification provisions that obviate initial consent and remove any incentive for platforms to compete on terms. Platforms, software, and devices are also subject to unilateral change. Moreover, the trend toward industry consolidation likewise changes the party in possession of individuals’ data. This paradigm leaves consumers with things they did not bargain for, on terms they did not accept, in a relationship with a party they did not choose. Third, this Article contends that there can be no workable notice-and-consent approach to privacy protection. In light of the amorphous relationship between individual and platform, only direct regulation of platforms’ data collection, use, and transfer has the potential to protect individual privacy.