At the Privacy Law Scholars Conference at GWU, hosted jointly by GWU and Berkeley Law Schools, on June 12 and 13, I served as a discussion leader for a session titled "Death to Privacy Policies" about how few people read privacy policies, why that is, and what could be done about that. In that capacity, I presented a short talk, about three minutes. But of course I would have liked to talk longer about the subject, so I'm posting here what I would have said if I'd had, say, five minutes (plus I'm tossing in a few cites). Privacy policies are only a subset of the many documents consumers don't read, such as contracts with cell phone providers, credit card issuers and the like, and much of what I say here is just as applicable to such documents.
One reason privacy policies may fail to attract attention is that those providing them typically have little incentive to attract attention to them and little incentive to make them clear. For example, many financial institutions sell their customer lists; if bank customers notice the privacy policies that banks send them and ask the banks not to sell their information, the banks lose money. So the banks have an incentive to construct their privacy policies in such a way as to minimize the attention they draw. Here, for example, is an excerpt from a scintillating privacy policy from Cap One:
We may share the information described on Page 1 under “information we may collect” with companies in the Capital One family or with business partners such as financial service providers (including credit bureaus, mortgage bankers, securities broker-dealers and insurance agents); nonfinancial companies (including retailers, online and offline advertisers, membership list vendors, direct marketers, airlines and publishers); companies that perform marketing services on our behalf, or other financial institutions with which we have joint marketing agreements; and others, such as non-profit organizations and third parties that you direct us to share information about you.
And, not surprisingly, what data are publicly available suggest that few consumers have opted out. See Testimony of John C. Dugan, Partner at Covington and Burling on behalf of the Financial Services Coordinating Council, Before the U.S. Sen. Com. On Banking, Housing and Urban Affairs, Sept. 19, 2002 (“opt-out rates have generally been low, and in nearly all cases under 10 percent.”); W.A. Lee, Opt-Out Notices Give No One A Thrill, 166 American Banker Issue 131, at 1 (July 10, 2001) (“5% opt-out rate . . . has been circulating as the unofficial industry figure . . . .”); ACB Survey (60% of financial institutions report that less than one percent of customers opted out). We know that companies sometimes respond to the incentive to create forms consumers won’t read because in Ting v. AT&T, 319 F.3d 1126 (9th Cir.), cert. denied, 540 U.S. 811 (2003), AT&T conducted extensive market research to discover what it could write that would cause consumers to ignore its customer service agreement—and then it went with the form that would cause consumers to throw its letter out.
The incentives web sites face are less clear, in part because some web sites may find it in their interest to compete on the basis of privacy, as Ask.com does, but on the other hand, web site operators also face incentives to make privacy policies unclear and uninteresting. First, they may feel they want to make the privacy policy uninteresting because consumers who are reading privacy policies are taking time away from viewing items for sale. Second, because the FTC enforces promises made in privacy policies, the drafters of the policies want to write their policies in ways that will not cause the FTC to come after them, and that sometimes requires qualifications and limitations which may come at the expense of clarity.
Here are a couple of my favorite comments by respondents in one study, George R. Milne & Mary J. Culnan, Strategies for Reducing Online Privacy Risks: Why Consumers Read (Or Don’t Read) Online Privacy Notices, 18 J. Interactive Marketing No. 3 at 15, 23 (2004), about privacy policies: “privacy notices are deliberately made too long and verbose. How about the Privacy Notice for Dummies version?” Another: “I don’t have a law degree.” Even HIPAA notices are unintelligible. See Mark Hochhauser, Compliance vs. Communication, Clarity 50 (November 2003) (notices written at an average of second to fourth year college reading level despite instructions in the regs that notices should be written in plain language). And there’s an externality: once consumers have read a few incomprehensible privacy notices, they probably won’t read any more, even the ones that can be understood—something they will never discover.
So far, government regulators have tried a couple of ways to deal with this problem. One is not to change the incentives but to require that businesses providing the policies comply with a set of regulations designed to increase the likelihood that consumers will notice them and the forms will be readable. So we get very detailed rules like Gramm-Leach-Bliley and its implementing regs [§6802(b)(1): “A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless -- (a) such financial institution clearly and conspicuously discloses to the consumer . . . that such information may be disclosed to such third party.”; §313.3(b)(1): “Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.” In the examples in (b)(2), the regulations elaborate on that phrase. Thus, something is reasonably understandable if it is presented in “clear concise sentences, paragraphs, and sections;” uses “short explanatory sentences” and “definite, concrete, everyday words;” and avoids “multiple negatives” and legal and business terminology. The regs require that notices contain “concise sentences, paragraphs, and sections.”]
It’s too soon to be certain, but so far it appears that micromanaging the disclosure hasn’t worked when the institutions have an incentive not to make the privacy policy readable. Certainly that’s been true under GLB.
Another approach is to change the incentives so that companies have a reason to have consumers notice the privacy policy rather than to obscure it. We have some information about how companies behave in those circumstances. For a time in the nineties, the FCC took the position that phone companies seeking to use phone-calling patterns for marketing purposes must first obtain the consumer’s permission—an opt-in system. Phone companies wanted to use that information, so the company then known as Bell Atlantic responded not by hiding its privacy policies, but by calling subscribers and sending them colorful mailings printed in plain English. In other words, an opt-in system offers the possibility of switching the incentives faced by companies so that instead of wanting customers to overlook the privacy policy, they want consumers to notice it and give permission.
But opt-in systems aren’t perfect either. It can be expensive to get the consumer’s attention. U.S. West reported that when it attempted to obtain permission from its customers to use their calling patterns, reaching a live respondent with the authority to grant consent required 4.8 dialing attempts. Every positive response cost $20.66. Direct mail elicited a response rate of less than 11% for residential customers while the cost per positive response was $29.32 plus any incentives offered. Letter from Kathryn Marie Krause, U.S. West Senior Attorney to William F. Caton, Acting Secretary, FCC, dated Sept. 9, 1997; see also Michael E. Staten & Fred H. Cate, The Adverse Impact of Opt-In Privacy Rules on Consumers: A Case Study of Retail Credit (2002).
But changing the incentives offers one significant advantage over the current system. If we can change the incentives so that companies want consumers to read their privacy policies, whether through opt-ins or another method, we don’t have to come up with a way to write the privacy policies. The companies will do it.
Some of this draws on my article, Opting In, Opting Out, or No Options At All: The Fight for Control of Personal Information, 74 Wash. L. Rev. 1033 (1999).
We don’t know if consumers are willing to pay for that extra notice. And there’s also a question about whether it really matters: some evidence suggests consumers go with whatever the default is on issues like privacy. See Fred Cate, Principles for Protecting Privacy, 22 Cato Journal No. 1 at 33, 41 (2002) (study found that when online service providers sent emails to randomly selected customers, half of which said the information would be used unless the customer opted out and half of which said the information would not be used unless the customer opted in, the responses were nearly identical, with less than 5% in each case opting out or in and the rest not responding). Another problem is that opt-ins can be manipulated on the web to the point that they look very much like an opt-out. Probably most readers of this Blog have seen those boxes on e-commerce web sites that already have a check in them, indicating that you’re agreeing to something you might not want.