People Don’t Get It

And companies don’t help them, because it’s not in their best interests.

On the other end of the transaction, data subjects also have to navigate a complex set of requirements that change from service to service; for example, what is private by default on Facebook may not be on WhatsApp.  

Each application and service comes with different settings for privacy preferences.  

Making things even more complex, for better or worse, until 2012 Google had 60 different privacy policies for the various products and services it offered (Rao, 2012).  

For owners of Social Network Sites (SNS) in particular, there is a significant profit motive to make ‘sharing’ as easy as possible, as more content and users drive increased ad revenue. 

Finally, as more and more services are available online only, the punitive damage associated with opting out is increasing.  For example, renewing a driver’s licence online (depending on location) may take less time than waiting in person.  In addition, the Digital Divide comes into play; being able to access the resources associated with online services can often be a problem in lower-income and / or rural areas, where Internet service can be an added expense or unavailable (Norris, 2001).

It is becoming easier for companies to collect data and analyze it, compared to the past when everything was paper-based.  For example, social network sites (SNS) are one of the most common forms of computer-mediated communication (CMC), defined as sites on which the data subject is asked to create a profile, identify other users and explore the site based on those connections (Ellison & others, 2007).

Such sites generate billions of unique data subject visits a month.

SNS focus on enhancing user connectivity.  They do not necessarily inform users about the privacy risks associated with increasing disclosure of their PI.  Most SNS do not enable a data subject to control what other users may post about them on the site.  In one study, 58% of participants report they are ‘very concerned’ that other users may reveal PI without their consent online, but 26% report willingness to disclose their friends’ photos and comments (Ho, Maiga, & Aïmeur, 2009).

Service providers of SNS have complete and unrestricted access to the data that users post about themselves and others.  They generate profit from providing these ‘free’ services by selling advertising based on the specificity of the user profile that can be created.  The more data a user shares, the more tailored the advertising can be and the more valuable that dataset is for the company.

Privacy policies are another supporting instrument that organizations use to explicate their information management practices in respect of PI.  

Such policies are used by organizations to communicate with data subjects; as one maneuvers through websites, each site is guided by a different set of policy expectations, resulting in numerous policies to review.  Regardless of whether an organization is obligated to use consent or notice for collection, presenting the data subject with a privacy policy is implicitly required and is best practice as determined by regulatory authorities.[1]

Research has sought to evaluate the efficacy of privacy policies, noting that they are often unread, difficult to understand when read, and generally unsupportive of data subject decision-making processes (McDonald & Cranor, 2008; Milne & Culnan, 2004).

As early as 2007, research indicated that 3% of people reviewed online privacy policies carefully, noting that policies were too time-consuming to read and difficult to understand, yet that people were more comfortable at sites that have a privacy policy (Cranor & Tongia, 2007).

One particular study notes that the length of a policy is a factor in the infrequency with which policies are reviewed by data subjects, concluding that data subjects are unlikely to understand the privacy risk of disclosing information online (McDonald & Cranor, 2008).  There are other structural issues with online privacy policies: first, they are designed to be read by a human and include language that is open to interpretation.

Websites can include any volume of information in the policy, and online it is particularly easy to provide details. 

Combined with differences in presentation, these factors make it difficult for data subjects to determine how a policy may apply and when it might change (Cranor, 2003).  Noting these difficulties, alternatives to privacy policies such as P3P have been suggested but have not garnered sustained broad adoption for reasons including design challenges (Cranor, 2003).