Jurisdiction as Structural Barrier: How Privacy Policy Organization May Reduce Visibility of Substantive Disclosures
Thomas Brackin
TL;DR
This study identifies jurisdiction-siloed disclosure as a structural barrier to meaningful privacy notice, where substantive practices are disclosed only in jurisdiction-specific sections. Using a purposive audit of 123 major companies across 14 industries, the authors develop a 14-category taxonomy and employ a three-model LLM ensemble to classify policy segments, revealing that a majority of firms place substantive disclosures in regional sections. They propose universal substantive disclosure, grounding it in autonomy, fairness, and truthfulness, and illustrate it with case studies ranging from biometric data to automated decision-making. The work combines normative arguments with a detailed methodology and released dataset to enable replication, calling for regulatory and scholarly validation of the pattern and encouraging structural reforms to improve notice for all users, regardless of jurisdiction.
Abstract
Privacy policies are supposed to provide notice. But what if substantive information appears only where users skip it? We identify a structural pattern we call jurisdiction-siloed disclosure: information about data practices appearing in specific, actionable form only within regional compliance sections labeled "California Residents" or "EU/UK Users," while general sections use vague or qualified language for the same practices. Our audit of 123 major companies identifies 282 potential instances across 77 companies (62.6% of this purposive sample). A conservative estimate restricted to practice categories validated against OPP-115 human annotations finds 138 instances across 54 companies (44%); post-2018 categories central to our findings await independent validation. If users skip jurisdiction-labeled sections as information foraging theory predicts, users outside regulated jurisdictions would receive less specific information about practices affecting them--a transparency failure operating through document architecture rather than omission. We propose universal substantive disclosure: practices affecting all users should appear in the main policy body, with regional sections containing only procedural rights information. This standard finds support in analogous disclosure regimes (securities, truth-in-lending, nutritional labeling) where material information must reach all affected parties. Regulators could operationalize this through the FTC's "clear and conspicuous" standard and GDPR transparency principles. This work is hypothesis-generating: we establish that the structural pattern exists and ground the transparency concern in behavioral theory, but direct measurement of jurisdiction-specific section skipping remains the critical validation priority. We release our methodology and annotated dataset to enable replication.
