Table of Contents
Fetching ...

Jurisdiction as Structural Barrier: How Privacy Policy Organization May Reduce Visibility of Substantive Disclosures

Thomas Brackin

TL;DR

This study identifies jurisdiction-siloed disclosure as a structural barrier to meaningful privacy notice, where substantive practices are disclosed only in jurisdiction-specific sections. Using a purposive audit of 123 major companies across 14 industries, the authors develop a 14-category taxonomy and employ a three-model LLM ensemble to classify policy segments, revealing that a majority of firms place substantive disclosures in regional sections. They propose universal substantive disclosure, grounding it in autonomy, fairness, and truthfulness, and illustrate it with case studies ranging from biometric data to automated decision-making. The work combines normative arguments with a detailed methodology and released dataset to enable replication, calling for regulatory and scholarly validation of the pattern and encouraging structural reforms to improve notice for all users, regardless of jurisdiction.

Abstract

Privacy policies are supposed to provide notice. But what if substantive information appears only where users skip it? We identify a structural pattern we call jurisdiction-siloed disclosure: information about data practices appearing in specific, actionable form only within regional compliance sections labeled "California Residents" or "EU/UK Users," while general sections use vague or qualified language for the same practices. Our audit of 123 major companies identifies 282 potential instances across 77 companies (62.6% of this purposive sample). A conservative estimate restricted to practice categories validated against OPP-115 human annotations finds 138 instances across 54 companies (44%); post-2018 categories central to our findings await independent validation. If users skip jurisdiction-labeled sections as information foraging theory predicts, users outside regulated jurisdictions would receive less specific information about practices affecting them--a transparency failure operating through document architecture rather than omission. We propose universal substantive disclosure: practices affecting all users should appear in the main policy body, with regional sections containing only procedural rights information. This standard finds support in analogous disclosure regimes (securities, truth-in-lending, nutritional labeling) where material information must reach all affected parties. Regulators could operationalize this through the FTC's "clear and conspicuous" standard and GDPR transparency principles. This work is hypothesis-generating: we establish that the structural pattern exists and ground the transparency concern in behavioral theory, but direct measurement of jurisdiction-specific section skipping remains the critical validation priority. We release our methodology and annotated dataset to enable replication.

Jurisdiction as Structural Barrier: How Privacy Policy Organization May Reduce Visibility of Substantive Disclosures

TL;DR

This study identifies jurisdiction-siloed disclosure as a structural barrier to meaningful privacy notice, where substantive practices are disclosed only in jurisdiction-specific sections. Using a purposive audit of 123 major companies across 14 industries, the authors develop a 14-category taxonomy and employ a three-model LLM ensemble to classify policy segments, revealing that a majority of firms place substantive disclosures in regional sections. They propose universal substantive disclosure, grounding it in autonomy, fairness, and truthfulness, and illustrate it with case studies ranging from biometric data to automated decision-making. The work combines normative arguments with a detailed methodology and released dataset to enable replication, calling for regulatory and scholarly validation of the pattern and encouraging structural reforms to improve notice for all users, regardless of jurisdiction.

Abstract

Privacy policies are supposed to provide notice. But what if substantive information appears only where users skip it? We identify a structural pattern we call jurisdiction-siloed disclosure: information about data practices appearing in specific, actionable form only within regional compliance sections labeled "California Residents" or "EU/UK Users," while general sections use vague or qualified language for the same practices. Our audit of 123 major companies identifies 282 potential instances across 77 companies (62.6% of this purposive sample). A conservative estimate restricted to practice categories validated against OPP-115 human annotations finds 138 instances across 54 companies (44%); post-2018 categories central to our findings await independent validation. If users skip jurisdiction-labeled sections as information foraging theory predicts, users outside regulated jurisdictions would receive less specific information about practices affecting them--a transparency failure operating through document architecture rather than omission. We propose universal substantive disclosure: practices affecting all users should appear in the main policy body, with regional sections containing only procedural rights information. This standard finds support in analogous disclosure regimes (securities, truth-in-lending, nutritional labeling) where material information must reach all affected parties. Regulators could operationalize this through the FTC's "clear and conspicuous" standard and GDPR transparency principles. This work is hypothesis-generating: we establish that the structural pattern exists and ground the transparency concern in behavioral theory, but direct measurement of jurisdiction-specific section skipping remains the critical validation priority. We release our methodology and annotated dataset to enable replication.
Paper Structure (70 sections, 2 figures, 5 tables)

This paper contains 70 sections, 2 figures, 5 tables.

Figures (2)

  • Figure 1: Jurisdiction-siloed disclosure (left) versus universal substantive disclosure (right): illustrative comparison. In the current pattern, substantive disclosures about data practices appear only within jurisdiction-specific sections, which users outside those jurisdictions are predicted to skip based on information foraging theory. Under the proposed standard, substantive content appears in the main policy body accessible to all users, while jurisdiction-specific sections contain only procedural information about exercising rights. Abstract labels represent categories of disclosure, not prescribed policy text.
  • Figure 2: Predicted information visibility by user jurisdiction under jurisdiction-siloed disclosure. Each cell represents the disclosure quality a user in a given jurisdiction would encounter for a given practice category. This is a theoretical illustration of predicted effects, not measured behavior; the behavioral assumption that users skip jurisdiction-labeled sections they perceive as geographically irrelevant, while grounded in information foraging theory (Section \ref{['sec:behavioral_validation']}), remains unvalidated through direct observation of privacy policy navigation. Solid dark cells with checkmarks indicate specific, structured disclosure; diagonal hatching indicates vague or hedged language; crosshatch pattern indicates no disclosure. Grayscale shading and pattern fills provide redundant encoding for accessibility. Users outside regulated jurisdictions (bottom row) would encounter systematically less specific information despite being subject to the same data practices, if the predicted navigation patterns obtain. This illustrative pattern is derived from the disclosure asymmetries documented in our case studies (Section 5.2) and should not be read as representing any single company's policy.