Screen with privacy policy settings showing problem of Catch-22 on privacy in the digital age
The Catch-22 of Privacy in the Digital Age by Lora Blum, Senior Vice President, General Counsel & Secretary at SurveyMonkey

The Catch-22 of Privacy in the Digital Age

We know that we’re supposed to care about privacy. In a recent poll of 4,000+ U.S. adults by SurveyMonkey and Axios, 87% of respondents said that it’s important to them to have a clear understanding of a company’s privacy policy before signing up for an online service. Yet in that same poll, more than half of respondents (56%) skip right by the “I accept” or “I agree” box beside the links to a company’s terms of service and privacy policy, most of the time or every time, without actually reading them.

That probably doesn’t surprise you (even lawyers are guilty of rushing to the end sometimes!)—but it should concern you. Reading a privacy policy is the only way consumers can understand what they’re getting into, and as technology evolves, the consequences of ignorance about privacy policies have become increasingly severe.

The tools we use every day are being leveraged for everything from delivering uncannily relevant ads to providing key evidence in murder trials, and it’s more important than ever for consumers to know what they are signing up for when they accept these policies. And yet, very few people do. So how did we get here? What happens next? And what responsibility do companies have to change the equation?

Full disclosure vs. information overload

To work the way they’re supposed to, privacy policies have to be exhaustive. Since mid-last year, most of us have been bombarded with privacy policy and terms of service updates from websites, services and apps. This influx is in part the result of Europe’s General Data Protection Regulation (GDPR), which requires companies to detail what personal data they collect, why they collect it, how they use it, how long they keep it, and how users can request access or deletion of the personal data. While well-intentioned, the ensuing policy updates can be notoriously long and laden with legalese.

It can take up to 27 minutes to read the privacy policy for some popular services, with totals adding up to roughly 600 hours of reading per user per year, or – put another way – 25 days of reading privacy policies – clearly an impossible ask. But companies are incentivized (and often required) to include anything and everything that’s relevant to user privacy. While privacy policies are meant to tell users what companies are doing with their data, they are also sometimes viewed as a way for companies protect themselves rather than their users.

Companies need to find a way to balance comprehensiveness with accessibility. For SurveyMonkey’s privacy policy, we opted against creating the wall of text that many companies use. Instead, we built a navigable legal center where people can (hopefully) easily find the answers they’re most curious about. It isn’t perfect, but we built it with our users in mind, and we think of it as a tool that we will continue to modify as our products and services change over time.

  • We use an interactive format that’s designed to be understandable by anyone from a Fortune 500 company executive to a teacher to a respondent taking a market research survey.
  • The page has a sidebar navigation so readers can skip to the section of interest and a drop-down menu with archived versions of our policies from previous years.
  • Key updates are highlighted so readers can instantly parse the new changes, and practical examples of use are given so the readers have a better understanding.
  • We use colloquial language wherever possible. We do our best to speak plain English and keep our policy direct, transparent and user-friendly.

Privacy policies are a step toward customer trust

Privacy policies are a chance for companies to show that they have their customers’ interests at heart. They should do their best to be as transparent and consistent as possible. State information clearly, and make it easy for your users to change the settings so that they are conscious of and comfortable with the information that they are sharing.

Our research has shown that the foundation of any relationship is trust. Only 9% of people said that they trust a brand when they first engage, but 67% feel trust by the time they return to buy again. Easily accessible, referenceable policy content that clearly outlines privacy practices can help companies earn faith from their customers—and deserve it.

In February of 2018, we surveyed over 5,000 people across the U.S. and Europe. Fifty-six percent of the people who responded thought that companies don’t do enough to inform them about their choices regarding their personal data. That’s major opportunity for improvement.

What’s at stake

When we broke down the data from our privacy-reading poll by age, older adults were more likely than younger adults to believe that knowing a privacy policy is important (91 percent of those aged 65 and older, but just 75 percent of those between 18 and 24).

In spite of the fact that younger generations are often called “digital natives,” they don’t guard their online privacy with as much focus as older generations. They’re likely to put more and more of their lives online and won’t pay as much attention to the policies that dictate what happens to that information. In their reality, people simply don’t read the terms and conditions—ever.

Consumers who don’t read privacy policies can unknowingly trade away their private information and legal rights in a binding contract, sometimes giving companies a wide berth for how it’s used. In one recent incident, a man found his picture—taken from a social media account—on a billboard in London. Because he’d never bothered to read the site’s privacy policy, he had no property rights. Similar stories are playing out across the globe.

In a recent poll, 87% of respondents said it’s important to understand a company’s #privacy policy but more than half do not read them.Click to Tweet

As a general counsel, it’s my job to protect my company, and my responsibility to make sure our customers can understand how we are using their data to make our products better. If we’re going to build a world where privacy literacy is expected, the onus is on companies to make reading and understanding our policies more realistic.