Commentary: If data privacy is so important, why do we click 'agree' on user agreements without reading?
We do not spend time reading the privacy policies meant to provide the protection we want. It’s called the privacy paradox, and businesses should look at ways to be more transparent about their policies in this digital age, says lawyer Bryan Tan.
SINGAPORE: Would you provide your first-born child as payment to use social media? How about sharing your instant messaging data with national security and intelligence agencies?
You may answer no now but research suggests you would have most likely said yes if these clauses had been in the privacy policy or terms of services when signing up for a social networking service.
In 2017, more than 500 students were invited to join NameDrop, a fictitious social network, as part of an experiment. Only 10 students picked out the “gotcha” clauses described above.
Almost all agreed to the policies, with three-quarters completely skipping the policy documents. The rest spent slightly more than a minute on average – likely skimming but not actually reading – an 8,000-word legal contract. That’s about how long you’ll take reading this 800-word commentary.
This is the privacy paradox, as coined by Professors Jonathan Obar and Anne Oeldorf-Hirsch who designed the NameDrop experiment.
On one hand, we all agree that privacy and protecting privacy are important. On the other, we do not spend time reading the fine print of the very document meant to provide the protection we demand.
Regulators are taking a stern view of such behaviour. More recently, China fined Didi US$1.2 billion for privacy law violations, including the excessive collection of information from both passengers and drivers, and ordered the ride-hailing conglomerate’s removal from app stores.
BUILDING TRUST WITH CUSTOMERS
But how much are we users to blame if we don’t know what we are or are not consenting to?
According to online publisher Visual Capitalist, the terms of services of popular online services could take between 10 minutes and 1 hour to read. A 2008 paper by Carnegie Mellon University calculated it would take almost 250 hours a year to actually read and consent to privacy policies on all the websites the average American visited.
To put that in context, according to the US Law School Survey of Student Engagement, law students spend close to 1,000 hours per year reading in preparation for classes, so 250 hours is a significant amount of time to spend on a non-work activity.
Privacy policies and terms of service also tend to include a fair amount of legal language that can be daunting for a non-lawyer to understand.
In Singapore, the Personal Data Protection Act sets out the Openness Obligation, which means businesses that collect personal data must make available the terms under which such data is collected. But when the terms are too long and hard to understand, the consumer tends to just click skip.
ARGUMENT FOR PLAIN LANGUAGE POLICIES
Some businesses may argue that they have done their part and user complaints should be dismissed. After all, didn’t the user accept the terms of service?
Pushing all the blame on to the user for not reading policy is a myopic “victory”. Building trust is important both in consumer education and data protection. If businesses lose customers’ trust, what good is it to win the battle only to lose the war? In a 2019 PwC study, 71 per cent of consumers said they would buy less from a company in whom they had lost trust.
Why not make terms of service simpler?
If companies want to communicate that they can be trusted, and not hide behind obscure, heavily qualified terms, they should state their privacy policy plainly for the man in the street.
A 2018 Harvard Business Review article describes plain-language contracts as something “a high schooler could understand with zero context or explanation”. The well-known KISS principle – or keep it short and simple – holds true.
Recently, the New Zealand government announced a Plain Language Bill to legislate (in public services) the ethos advocated by the plain English movement of the United Kingdom, United States and Canada.
WHAT IF USERS STILL DO NOT READ PRIVACY POLICIES?
But even if companies draft good privacy policies, does that effort make any impact if customers still do not read them?
There may not be a one-size-fits-all solution to make users do so, but businesses can consider some standardised language or format.
For example, in keeping privacy policies short and simple, websites can display them in bite-sized formats that a user needs to click through before gaining access to the services. The easier something is to understand, the easier it is to be engaged with.
Or consider simple graphical representations, taking reference from how the Creative Commons project displays different types of licences or how energy consumption efficiency ticks indicate efficiency without having to go into the nitty gritty.
Of course there will be exceptions, but if most users can tell from one glance how their personal data will be treated without having to examine the fine print, wouldn’t that provide peace of mind and encourage responsible service providers?
According to a 2019 Cisco survey, 97 per cent of companies surveyed say they are receiving auxiliary benefits (like shorter sales cycles) from their data privacy investments beyond compliance requirements. It is ultimately in businesses’ interests to make respecting users’ privacy a value proposition, instead of just meeting the minimum.
Bryan Tan is a Technology, Media and Telecom partner at Reed Smith and former president of the Singapore chapter of the Internet Society.