One of the cornerstones of data privacy law is the principle of notice and consent. The notice portion means that consumers need to be notified of what data is being collected about them and how it will be used. The consent piece means that consumers then have a choice whether or not to continue using the service. In the modern world, this is achieved by using privacy policies and terms of service agreements. Unfortunately, this model is flawed and in need of a dramatic change.
It is well known that almost nobody reads privacy policies or terms of service agreements while online. When one of these notices is not read, it is rendered completely useless as a method of notice, and thus there can be no educated consent. We are in need of a new strategy, one that will empower consumers without putting unrealistic demands on their time and attention. In this post I discuss different methods that have existed or have been proposed as new methods of protecting consumers’ privacy.
Why does notice and consent fail?
These are just a few of the reasons why this model has failed. To learn about other reasons this method is unsuccessful, read my post Why Privacy Policies Suck.
What alternatives do we have?
There have been several proposed and implemented alternatives and supplements to this model. They all generally boil down to one of three categories. The first is altering either the content or the style of these notices. The second is supplements, or additional tools designed to be used along with these disclosures in order to make them more effective. The final option is, of course, a complete replacement of or alternative to the notice and consent model.
Simplification and Standardization
Since policy length causes so many of these policies to go unread, finding ways to make shorter, more concise, and standardized policies would theoretically help people to read more policies and understand them. A 2012 study attempted to create a privacy notice that helped readers to understand as much of the statement as possible. The researchers were studying mail-out paper notices, but there is no reason the study couldn’t be recreated on a digital interface. After much research into which format was the most educational, the researchers prepared three different privacy policies for three fictitious banks. Respondents were then shown the policies and asked which bank they would want to use. In the end, respondents who saw the optimized privacy notice were more likely to give correct, fact-based reasons for their selection than those who received other, less consumer-centric policies (Garrison 2012).
Using AI to Scan Policies
In 2018 a tool called PrivacyGuide was developed to help consumers understand policies without taking the time to read them. The policy would be read by the program, which would output an easy-to-read report card that ranked the site on 11 different aspects ranging from third-party sharing to policy changes. This simplified report would be easier to understand and take less time to understand than reading the policy as a whole. Some issues may still be that consumers wouldn’t take the time to use the tool or that it would make wrongful judgements. However, the developers found that it reported the associated risk level of a policy with 90% accuracy (Tesfay 2018).
Internet Seals of Approval
There have been several third parties that endorse other companies and are intended to show consumers that their endorsee has completed certain steps that keep its users safe. Some examples are TRUSTe and BBB. These two sites claim that users will trust you more if you display their respective badges on your site. While new research is lacking on these kinds of services, a 2005 study found that they may not be all that helpful to consumers.
Unfortunately, the study found that having a seal did not appear to influence how compliant the site was with FTC guidelines regarding privacy policies. Worse still, the study found that when a site does display one of these icons, some respondents were more likely to say that they would be more willing to share their information with the site. This is a big issue considering that displaying one of these icons may not necessarily mean that the site is more invested in your privacy (Miyazaki 2005). Again, this study was done in 2005 and hopefully these organizations have cracked down on how their icons are used more than in the past, but there is no easy way to know.
This argument claims that notice and consent should be completely replaced by stricter privacy laws that restrict what data companies can collect and what they can do with the data. This method would push for changes in privacy laws around the world that place more protections on consumers, but also wouldn’t burden companies with attaining consent for some of their data usage (Cate 2016).
Companies are profiting off of collecting your data and then selling it to interested parties. This idea of monetization lies in you selling your data to the end user and cutting out the middleman. Here’s an example: let’s say you are going to buy ice cream. You go to the ice cream parlor and they would sell you the ice cream at a discount if you shared your location for the last hour with the company. This way, you can decide what data you share and who you share it with, and you are compensated in return. The ice cream shop also benefits, as they can use your data to improve their product offering.
This is already being done in some cases; take Progressive’s Snapshot program. Users willingly sell their driving data to Progressive in hopes of receiving a lower rate. Watch Stuart Lacey’s TED Talk to learn more about the monetization alternative.
Which choice is best?
I don’t know. This is a big decision and there are many factors in play. I believe that attempts at changing policies but keeping them as the primary method will not be effective. The percentage of people who are not looking at these policies is too great, and I don’t believe that including videos, tables, or standard formats will change the behavior of the masses. I believe that good supplementation can give more power to consumers to make selections based on privacy issues. Still, I am also a supporter of stricter and revised regulations that are built with our current practices in mind instead of focusing on outdated principles that were built at a time before smart phones. What alternatives do you think would be the most effective?
Cate, F. (2016) The Failure of Fair Information Practice Principles. Consumer Protection in the Age of the Information Economy.
Doneen, D. (2020) Why Privacy Policies Suck. Retrieved from https://datadigested.com/2020/10/11/why-privacy-policies-suck/
Garrison, L., Hastak, M., Hogarth, M., Kleimann, S., Levy, A. (2012) Designing Evidence‐based Disclosures: A Case Study of Financial Privacy Notices. Journal of Consumer Affairs, 46:2. doi: 10.1111/j.1745-6606.2012.01226.x
Lacey, S. (2005) The Future of Your Personal Data – Privacy vs Monetization. Retrieved from https://www.youtube.com/watch?v=JIo-V0beaBw
Miyazaki, A. (2005) Internet Seals of Approval: Effects on Online Privacy Policies and Consumer Perceptions. Journal of Consumer Affairs, 36:1. doi: 10.1111/j.1745-6606.2002.tb00419.x
McDonald, A. M., Cranor, L. F. (2008) The Cost of Reading Privacy Policies. I/S A Journal of Law and Policy, 4:3 543-568.
Obar, J. A., Oeldorf-Hirsch, A. (2018) The Biggest Lie on the Internet: ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23:1, 128-147. doi: 10.1080/1369118X.2018.1486870