Do these policies matter?
However, that is not always the case. One day in 2010, 7,500 users of GameStation unknowingly agreed to pay an extremely high price for using the online service. No person could have expected a terms of service agreement to claim something this important to its users. Below is an excerpt of that terms of service policy:
By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant us a non transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamesation.co.uk or one of its duly authorized minions.
7,500 users unknowingly surrendered their immortal souls in the “immortal soul clause” buried in the terms and conditions (Smith, 2010). Yes, this was a joke and no souls were claimed. However, similar clauses were used in an 2018 academic study (Obar, 2018).
3.1.1 NameDrop Data […] Any and all data generated and/or collected by NameDrop, by any means, may be shared with third parties. For example, NameDrop may be required to share data with government agencies, including the U.S. National Security Agency, and other security agencies in the United States and abroad. NameDrop may also choose to share data with third parties involved in the development of data products designed to assess eligibility. This could impact eligibility in the following areas: employment, financial service (bank loans, insurance, etc.), university entrance, international travel, the criminal justice system, etc. Under no circumstances will NameDrop be liable for any eventual decision made as a result of NameDrop data sharing.
2.3.1 Payment types (child assignment clause): In addition to any monetary payment that the user may make to NameDrop, by agreeing to these Terms of Service, and in exchange for service, all users of this site agree to immediately assign their first-born child to NameDrop, Inc. If the user does not yet have children, this agreement will be enforceable until the year 2050. All individuals assigned to NameDrop automatically become the property of NameDrop, Inc. No exceptions
Both of these examples had little effect in real-life, but that is not always the case. A nigeran instant loan app called Okash has been known to use some pretty harsh collection methods for users who don’t make their loan payments.
Twitter users complained that the company was messaging their contacts and telling them that the user was not paying their loan back. Users brought up stories of the loan company messaging or calling their supervisors, friends, even priests and informing them of the user’s financial woes.
I am sure that no person would want their financial issues shared with all of their contacts. So, what allowed Okash to do this? At the bottom of clause 11 of Okash’s Terms Of Service (at the time of writing this) they state the following:
11. We may contact you and/or your emergency contact. […] In the event we cannot get in contact with you or your emergency contact, you also expressly authorize us to contact any and all persons in your contact list.
Every Okash user agreed to this policy whether they knew it or not. There is little chance that many of the users understood that the company would resort to these shaming methods. This is a real-life example of one of these policies actively infringing on its users privacy and that of their contacts. This caused unnecessary harm and embarrassment for users who did not know what they were agreeing to.
This is not the only issue that has come up. There have been serious concerns about many companies’ policies in the US. Perhaps the most famous is the Cambridge Analytica Scandal. In which an app called “This Is Your Digital Life” was stealing its users’ and their Facebook friends’ data. The data was used by Cambridge Anlaytica who was working for the Trump campaign. An estimated 87 million Facebook users had their data stolen as a result (Kang, 2018).
Does anyone read these policies?
Perhaps even more concerning, the study also found that 90% of respondents claimed that they use quick-join clickwraps often or sometimes. This means that these users agree to the policy without ever even seeing any part of it (Obar, 2018).
The lack of people reading these statements has inspired countless references from comedians and tv shows. Even an FTC chairman said, “We all agree that no one is reading privacy policies” (Cate, 2020).
Should I read these policies?
Yes, but no. Of course, everyone should know what a company is doing with their data. But it’s pretty unlikely that anyone could read all of the policies that they come across. In fact, PayPals’ privacy notice has 36,275 words which is longer than Hamlet (Warner 2020).
Clearly, people cannot be expected to take the time necessary to read these policies. But can they even understand them? Another study done in 2002 looked at the average reading level required to understand privacy policies of the top 25 internet health sites. They found that the policies ranged from “somewhat difficult” to “very difficult” and were written at a 14th grade reading level. Meaning that two years of college would be expected before someone could read and comprehend the policies (Gerber, 2002). A similar study was done in 2005. It that found that a 14th grade reading level was still required. This is extremely concerning considering that an 8th grade level is recommended for general consumption (Sheehan, 2005).
Worse still, there was another study in 2005 that analyzed the communicative strategies that were used in online privacy policies and found that they often employed problematic language. First, they downplayed certain qualities of the policy by using words like “carefully selected” or “occasionally”. Second, companies tended to obfuscate reality by using cautious language or by deceiving and confusing readers. This is done with terms like “may”. Furthermore, companies try to forge intimate relationships with their readers in order to build more trust. This is done by using first-person pronouns like I, my, you, and your (Pollach 2005). Not only are these policies difficult to read, they are actively using language that is designed to make you more likely to accept the policy regardless of how problematic the contents are.
So, these policies are first, simply too long and too plentiful to read. Second, they are written at a prohibitively high reading level. Third, they use advanced literary strategies in order to convince readers to agree. It cannot be argued that these policies effectively inform users how a company will use their personal data or what data they will collect.
What does this mean?
This model of informed consent is broken and needs dramatic change. Several ideas have been advanced over time as to how to deal with the issues presented in this post. I discuss these in my post Notice & Consent Alternatives.
Cate, F. (2020) Data Privacy and Consent. Retrieved from https://www.youtube.com/watch?v=2iPDpV8ojHA&t=422s
Graber, M. A., D’Alessandro D. M., Johnson-West, J.(2002) Reading Level of Privacy Policies on Internet Health Web Sites. Journal of Family Practice 51:7 642-642
Kang, C., Frenkel, S. (2018) Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users. Retrieved from https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-congress.html
McDonald, A. M., Cranor, L. F. (2008) The Cost of Reading Privacy Policies. I/S A Journal of Law and Policy, 4:3 543-568.
Obar, J. A., Oeldorf-Hirsch, A. (2018) The Biggest Lie on the Internet:
ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23:1, 128-147. doi: 10.1080/1369118X.2018.1486870
Pollach, I. A (2005). Typology of Communicative Strategies in Online Privacy Policies: Ethics, Power and Informed Consent. Journal of Business Ethics 62, 221-235. doi: 10.1007/s10551-005-7898-3
Sheehan, K. B., (2005) In Poor Health: An Assessment of Privacy Policies at Direct-to-Consumer Web Sites. Journal of Public Policy & Marketing, 24:2 278-283.
Smith, C. (2010) 7,500 Online Shoppers Accidentally Sold Their Souls to Gamestation. Retrieved from https://www.huffpost.com/entry/gamestation-grabs-souls-o_n_541549
Warner, R. (2020) Notice and Choice Must Go: The Collective Control Alternative. SMU Science & Technology Law Review, forthcoming