Privacy Policies: Perception vs. Reality

New paper: "What Californians Understand About Privacy Online," by Chris Jay Hoofnagle and Jennifer King. From the abstract:

A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data.

These findings show that California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards. Website operators have little incentive to correct this misperception, thus limiting the ability of the market to produce outcomes consistent with consumers' expectations. Drawing upon earlier work, we conclude that because the term "privacy policy" has taken on a specific meaning in the minds of consumers, its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations.

Posted on September 4, 2008 at 1:15 PM • 18 Comments

Comments

Benjamin Wright • September 4, 2008 1:47 PM

Privacy policies are governed in good part by contract law. Contract law is a two-way street. Just as banks, web administrators and software vendors can communicate to visitors/customers what they assert to be the legal terms, customers can communicate back!

In principle, contract law does not favor either businesses or customers/users. As the future of privacy law unfolds, individuals may be able to use contract law to assert their legal terms on other parties, such as search engines or advertisers. Why shouldn't a consumer be able to broadcast what she expects to be the legal terms under which she does business?

--Ben http://hack-igations.blogspot.com/2008/05/...

My ideas are not legal advice for any particular situation; they are just ideas for public discussion.

moo • September 4, 2008 1:57 PM

In practice, contracts are often contracts of adhesion: if you want service, you're forced to agree to the (unmodified) terms of the phone company, or other large service provider. Contract law is supposed to require a "meeting of minds" but sadly, the large corporation can often tilt the playing field so much in their favor, that you have little recourse if they do something bad to you.

Pat Cahalan • September 4, 2008 1:59 PM

> In a way, consumers interpret "privacy policy" as a quality
> seal that denotes adherence to some set of standards.

Man, the public is gullible.

Dorian Taylor • September 4, 2008 1:59 PM

Wasn't the unambiguous communication of privacy policies the goal of P3P? That is, as an individual, you plug in what you consider acceptable, and then compare that against the P3P statement of a given site. If the supplied policy doesn't match your expectations, you don't continue browsing. (This is the theory, anyway; in practice it's about as easy as getting people to care about SSL cert mismatches or even keeping secure passwords. Moreover, I don't think there are any mainstream implementations to speak of.)

http://www.w3.org/TR/P3P/#goals_and_capabs

Clive Robinson • September 4, 2008 2:11 PM

"These findings show that California consumers overvalue the mere fact that a website has a privacy policy"

They and the politicians...

I often get the feeling in the U.K. that the "Lords" have a reasonable comprehension of modern technology. Whereas the "Commons" appear to only listen to those with a significant financial interest in keeping technology regulated the way they want. Usually this is not the way the voter wants or needs...

I guess in these days when the political party currently incumbent in the Commons is effectively bankrupt, a bung in the party's pot directly or indirectly does get you what you want...

Anonymous • September 4, 2008 3:08 PM

@Dorian Taylor:

P3P has been left to die. Due to a missing legal framework to help it gain traction (some legislation requires privacy policy statements, none require them in machine-readable format such as P3P provides), it never did.

It also rather unfortunately was finished right in the middle of the dot-burst aftermath when e-commerce was not a hot topic anymore, which didn't help its adoption problem.

Ironically, Internet Explorer is the only remaining popular browser that implements P3P and lets you adjust some privacy related settings (cookie acceptance) to take a published P3P policy into account.

Mozilla used to have a more complete implementation, but it was unceremoniously axed when the Mozilla Suite was abandoned in favour of Firefox.

I do not recommend reading the bugzilla entries related to that, since it is quite depressing material.
Essentially, the maintainer of that particular area (of the UI!) figured that the P3P implementation was a big chunk of disposable code with an ugly interface and nobody objected. The actual functionality was finally removed from Firefox 2.

While it is debatable that P3P really provided an effective means of helping web clients actively protect the user's privacy online, it was the only web standard related to privacy that we ever had. Nearly ten years after the need to have such a standard was recognized, we are back to zero again today.

Davi Ottenheimer • September 4, 2008 4:13 PM

At some point security becomes so expensive and time-consuming that only an elite can afford privacy. Is there a case to be made that regulation of the data market is needed to bring the cost down?

A question I often wonder about is what real costs do we bear today if we want to control our data and who benefits most from generating entropy (or lack of individual awareness/control)?

Particular Random Guy • September 5, 2008 5:03 AM

I once read a privacy policy stating (literally): "You personal data will be used for marketing purposes only".

And I am pretty sure that they did not lie :)

Phillip • September 5, 2008 10:11 AM

Yet another example of the country I love being filled with....reality challenged people :(

moo • September 5, 2008 12:09 PM

@Phillip: There is an easy fix for that! http://it.slashdot.org/comments.pl?... (it's not my post, but it's an excellent idea):

"I'm a firm believer that there are simply too many people. Why can you pay someone $2 for this? It should cost more... but there are people willing to do it because there are too many people competing for the same jobs...

You can expand this to the food crisis, energy crisis, etc. bottom line is, there are too many people. And why? Because we're the top of the food chain. Because we heal ourselves, and live too long. Because someone that weighs 500 pounds lives alongside those fit for this society.

My proposal is to clone rapters [sic]. Then no longer would be be at the top of the food chain.. they could simply sculpt our society into one that we can manange. and lets face it, they could do it pretty effectively. Rapters are fast and intelligent, hunt in packs, and hell.. they can even open doors! Support rapter cloning!"

John David Galt • September 5, 2008 5:26 PM

If we can't get real privacy, we need laws to protect us from all the subtle kinds of discrimination that are likely to result from not having it.

posedge clk • September 7, 2008 5:56 PM

Question: do privacy policies have any legal weight whatsoever?

You can say anything you want in a privacy policy, but that's not a contract, and therefore not enforceable. Unless the privacy policy is explicitly referenced in the terms of service for a web site, I wouldn't think it would be enforceable. And if you've just bought something from an online store, the only contract in effect is that implied by the sale, and that does not reference a privacy policy.

Is there any legal precedent against an online service for a privacy policy violation, where the privacy policy is not referenced by a contract?

Robin • September 21, 2008 1:32 AM

These findings show that California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards. Website operators have little incentive to correct this misperception, thus limiting the ability of the market to produce outcomes consistent with consumers' expectations.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..