Notice & Consent Alternatives

Among the cornerstones of data privacy law are the principles of notice and consent. The notice portion means that consumers need to be notified of what data is being collected about them and how it will be used. The consent piece means that consumers can then choose whether or not they want to continue using the service. In the modern world, this is achieved by using privacy policies and terms of service agreements. Unfortunately, this model is flawed and in need of a dramatic change.

It is well known that almost nobody reads privacy policies or terms of service agreements while online. When one of these notices is not read, it is rendered completely useless as a method of notice, and thus there can be no educated consent. We are in need of a new strategy, one that will empower consumers without putting unrealistic demands on their time and attention. In this post I discuss different methods that have existed or have been proposed as new methods of protecting consumers’ privacy.

Why does notice and consent fail?

Consumers spend very little time on privacy policies in comparison to how long it takes to read them. A 2018 study investigated this further. The researchers developed a mock social media platform and a privacy policy and terms of service agreement that were modeled on LinkedIn’s. The researchers then had their respondents sign up for the platform. It was found that while the privacy policy and terms of service should take 29 minutes and 15 minutes respectively to read, the respondents spent a median time of about 14 seconds on either policy (Obar, 2018). People are simply not spending enough time on these policies to have any idea what the policies are stating.

This is not just because consumers are lazy. These policies have many issues, but perhaps the largest is that they are simply too long. A 2008 study found that one person reading the privacy policy of every site they visit would spend over 30 eight-hour working days every year just reading these policies. If employees were to read all the policies they came across at work, it would cost companies 617 billion dollars at the national level (McDonald 2008). Not to mention that this study was done in 2008. The average number of sites visited and the number of sites with privacy policies has probably increased since then.

These are just a few of the reasons why this model has failed. To learn about other reasons this method is unsuccessful, read my post Why Privacy Policies Suck.

What alternatives do we have? 

There have been several proposed and implemented alternatives and supplements to this model. They all generally boil down to one of three categories. The first is altering either the content or the style of these notices. The second is supplements, or additional tools designed to be used along with these disclosures in order to make them more effective. The final option is, of course, a complete replacement or alternative to the notice and consent model.

Altering Notices 

Simplification and Standardization

Since policy length causes so many of these policies to go unread, finding ways to make shorter, more concise, and standardized policies would theoretically help people to read more policies and understand them. A 2012 study attempted to create a privacy notice that helped readers to understand as much of the statement as possible. The researchers were studying mail-out paper notices, but there is no reason the study couldn’t be recreated on a digital interface. After much research as to what the most educational format was, the researchers prepared three different privacy policies for three fictitious banks. Respondents were then shown the policies and asked which bank they would want to use. In the end, respondents who saw the optimized privacy notice were more likely to give correct, fact-based reasons for their selection than ones who received other, less consumer-centric policies (Garrison 2012).

Entertainment

Making privacy policies more appealing to read is another option that might help motivate consumers to use them. A great example of this is Google’s privacy policy. It has a few short videos embedded in the document that would presumably make the content a little more digestible for users and in turn motivate them to read the policy. 

Supplements

Using AI to Scan Policies

In 2018 a tool called PrivacyGuide was developed to help consumers understand policies without taking the time to read them. The program would read the policy and output an easy-to-read report card that ranked the site on 11 different aspects ranging from third-party sharing to policy changes. This simplified report would be easier to understand, and take less time, than reading the policy as a whole. Some issues may still be that consumers wouldn’t take the time to use the tool or that it would make wrong judgements. However, the developers found that it reported the associated risk level of a policy with 90% accuracy (Tesfay 2018).

Internet Seals of Approval

Several third parties endorse other companies, and their seals are intended to show consumers that the endorsee has completed certain steps that keep its users safe. Some examples are TRUSTe and BBB. These two sites claim that users will trust you more if you display their respective badges on your site. While new research is lacking on these kinds of services, a 2005 study found that they may not be all that helpful to consumers.

Unfortunately, the study found that having a seal did not appear to influence how compliant the site was with FTC guidelines regarding privacy policies. Worse still, the study found that when a site does display one of these icons, some respondents were more likely to say that they would be more willing to share their information with the site. This is a big issue considering that displaying one of these icons may not necessarily mean that the site is more invested in your privacy (Miyazaki 2005). Again, this study was done in 2005 and hopefully these organizations have cracked down on how their icons are used more than in the past, but there is no easy way to know.

Replacements

Legal Control

This argument claims that notice and consent should be completely replaced by stricter privacy laws that restrict what data companies can collect and what they can do with the data. This method would push for changes in privacy laws around the world that place more protections on consumers, but also wouldn’t burden companies with obtaining consent for some of their data usage (Cate 2016).

Monetization

Companies are profiting off of collecting your data and then selling it to interested parties. This idea of monetization lies in you selling your data to the end user and cutting out the middleman. Here’s an example: let’s say you are going to buy ice cream. You go to the ice cream parlor and they would sell you the ice cream at a discount if you shared your location for the last hour with the company. This way, you can decide what data you share and who you share it with, and you are compensated in return. The ice cream shop also benefits as they can use your data to improve their product offering.

This is already being done in some cases; take Progressive’s Snapshot program. Users willingly sell their driving data to Progressive in hopes of receiving a lower rate. Watch Stuart Lacey’s TED Talk to learn more about the monetization alternative.

Which choice is best?

I don’t know. This is a big decision and there are many factors in play. I believe that attempts at changing policies but keeping them as the primary method will not be effective. The percentage of people who are not looking at these policies is too great, and I don’t believe that including videos, tables, or standard formats will change the behavior of the masses. I believe that good supplementation can give more power to consumers to make selections based on privacy issues. Still, I am also a supporter of stricter and revised regulations that are built with our current practices in mind instead of focusing on outdated principles that were built at a time before smartphones. What alternatives do you think would be the most effective?

Sources

Cate, F. (2016) The Failure of Fair Information Practice Principles. Consumer Protection in the Age of the Information Economy.

Doneen, D. (2020) Why Privacy Policies Suck. Retrieved from https://datadigested.com/2020/10/11/why-privacy-policies-suck/

Garrison, L., Hastak, M., Hogarth, M., Kleimann, S., Levy, A. (2012) Designing Evidence‐based Disclosures: A Case Study of Financial Privacy Notices. Journal of Consumer Affairs, 46:2. doi: 10.1111/j.1745-6606.2012.01226.x

Lacey, S. (2005) The Future of Your Personal Data – Privacy vs Monetization. Retrieved from https://www.youtube.com/watch?v=JIo-V0beaBw

Miyazaki, A. (2005) Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions. Journal of Consumer Affairs, 36:1. doi: 10.1111/j.1745-6606.2002.tb00419.x

McDonald, A. M., Cranor, L. F. (2008) The Cost of Reading Privacy Policies. I/S A Journal of Law and Policy, 4:3 543-568.

Obar, J. A., Oeldorf-Hirsch, A. (2018) The Biggest Lie on the Internet: ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23:1, 128-147. doi: 10.1080/1369118X.2018.1486870

Tesfay, W., Hofmann, P., Nakamura, T., Kiyomoto, S., Serna, J. (2018) PrivacyGuide: Towards an Implementation of the EU GDPR on Internet Privacy Policy Evaluation. Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics. doi: 10.1145/3180445.3180447

Published by Devin Doneen

MSBA student
