[First published in the blog of the Berkeley Technology Law Journal, on June 22, 2016]
If privacy policies are meant to secure informed consent from consumers before their personal data is collected, several studies have shown that they have failed. Consumers do not know what privacy policies are, often because they either do not read them or they cannot understand them.
This creates a conundrum for consumer privacy law. The conventional wisdom is that consumers care about the privacy of their personal data, so honoring privacy policies is good for business. But this belief ought to be revisited if consumers are resigned to their personal data being harvested, or if they simply do not care about their online privacy.
How should consumer privacy regulators address this failure? Drawing on lessons from current failures, some researchers are advocating a “nutrition label” approach to privacy policies.
Why Privacy Policies Have Failed
Repeated studies show that consumers ignore privacy policies. As the then Commissioner of the Federal Trade Commission, Jon Leibowitz, said nearly a decade ago in 2007: “Initially, privacy policies seemed like a good idea. But in practice, they often leave a lot to be desired. In many cases, consumers don’t notice, read, or understand the privacy policies.”
This may be because privacy policies are difficult for most people to understand, as many rely on legalese only understood by some lawyers. A 2012 survey by the Internet Society found that only 15 percent of Internet users fully understood privacy terms and conditions. In California, which first mandated binding privacy policies by digital data collectors, the seriousness of the problem forced Attorney General Kamala Harris to issue guidelines in May 2014 that recommended the use of “plain, straightforward language.”
Privacy policies are notoriously long documents. In 2008, Aleecia McDonald and Lorrie Faith Cranor published a well-known study measuring the time and opportunity costs of reading privacy policies. They concluded that reading privacy policies “carries costs in time of approximately 201 hours a year, worth about $3,534 annually per American Internet user,” and that nationally, “the value of time lost would be $781 billion annually” if privacy policies were read word-for-word.
In addition to their inaccessibility and length, privacy policies also omit important information. A recent survey of the privacy policies of online tracking companies revealed deliberate silences with regard to practices consumers found relevant. In 2014, an FTC study found that most mobile shopping apps used vague and unclear terms in their privacy policies. The same year, the FTC reached a settlement with Snapchat after charging it with deceiving consumers about their privacy. Further, consumer websites are often designed to encourage users to skip quickly past privacy policies.
The Challenge of Improving Privacy Policies
The odds appear to be stacked against consumers to whom privacy still matters, despite privacy policies that have fallen short. According to two surveys by the Pew Research Center in 2015, most Americans believe their privacy is an important part of their lives.
In response to mounting criticism, some companies have attempted to simplify their privacy policies. A 2015 ranking by Time magazine of seven popular technology companies showed that Google and Facebook, which had both revamped their privacy policies not long before the ranking, had the easiest to understand privacy terms while Twitter and Lyft fared worse.
The root of this mismatch may lie with how consumer privacy regulation is conceptualized. Privacy policies are based on the “notice and choice” model, which purports that when all competing suppliers disclose their data practices, informed consumers will pick the one they like best. Reality is different. In a report in 2014 to President Barack Obama, his Council of Advisors on Science and Technology remarked: “Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent.”
The notice and choice model treats privacy as a commodity that consumers demand from suppliers. Consumers are expected to trade their privacy for the convenience offered by the goods or services offered by the suppliers. The failure of the notice and choice model is partly because there is no privacy left for consumers to choose and because of the “tradeoff fallacy,” the condition of consumers having become so powerless that they think it is futile to try to control their data.
Consumers seem to have grown to expect the worst. An experiment by Lior Strahilevitz and Matthew Kugler showed that on reading sample privacy policies, consumers believed they had assented to highly-intrusive activities, such as facial recognition or automated email content analysis, even when the policies did not in fact support the intrusions.
Replacing Policies with Labels
The standard label format is a table with ten rows and six columns. Each row represents a type of consumer data whereas each column represents a type of commercial data practice. The intersecting squares bear colors and text to signify how the company handles that type of data. A short label format is also available with only six rows of consumer data types. Tests revealed the standard labels accurately conveyed more information about data practices to consumers than the short labels, while both accurately conveyed significantly more information than conventional privacy policies.
The Carnegie Mellon researchers also tested simplified short text similar to AVG’s hotly-debated one-page policy and “layered notices” like P&G’s privacy notice. A layered notice typically begins with highly-simplified summaries of data practices and contains links to more detailed information about each of those data practices for consumers to read if they are interested. In 2015, the European Union’s Article 29 Working Party endorsed this type of notice. Carnegie Mellon’s tests revealed that while the simplified short text was as successful as the shorter labels in conveying understandable information, the layered notices were as unsuccessful as conventional privacy policies.
Rethinking Privacy Policies Altogether
Privacy labels do not depart from the notice and choice model of privacy regulation; they only address the flaws regarding the length and complexity of privacy policies. There are proposals to devise an altogether new approach to privacy regulation based on preventing a broad interpretation of harm to consumers. Instead of focusing on consumers’ consent, the “harms-based approach” quantifies the various types of harm that may result from misuse of personal data, ranging from identity theft to irritating intrusions into people’s daily lives. The FTC explored the harms-based approach in the early 2000s and the National Do Not Call Registry is a significant manifestation of this approach.
Experiments with alternative ways to effectively convey privacy-related information are underway elsewhere too, such as The Good Notice Project based out of Stanford University. Such projects are vital for consumers. Indeed, the failure of the notice and choice model has caused a market failure in online privacy, which hurts consumers most of all.