All in all, it was worth the sacrifice, as I enjoyed a pleasant (free) lunch with my friend while explaining Facebook's revisions.
Who reads them?
It seems I'm too late. Two privacy experts already figured it out. In the United States during 2008, reading privacy policies cost companies and individual users 781 billion dollars. My son, a business guru, said that figure is more than some states' GDP.
Dr. Aleecia M. McDonald and Dr. Lorrie Faith Cranor are the two who came up with the surprising figure. And their paper The Cost of Reading Privacy Policies uses a novel approach - diligent reading of privacy policies should be considered a cost:
"In this paper we explore a different way of looking at privacy transactions. What if online users actually followed the self-regulation vision? What would the cost be if all American Internet users took the time to read all of the privacy policies for every site they visit each year?"
Now I'd like to share some of the paper's results. The first slide graphs the privacy-policy word count of the 75 most popular websites:
"Economics literature suggests time should be valued as salary plus overhead, which is the value corporations lose. In the United States, overhead is estimated as twice the rate of take home pay.
Through revealed-presences and willingness-to-pay studies, studies estimate people value their leisure time at one quarter of their take home pay."
For March of 2008, the Bureau of Labor Statistics determined the average hourly wage to be 17.93 dollars. With that in mind, the researchers decided to use the following costs:
- At home: 4.48 dollars per hour
- At work: 35.86 dollars per hour
Next the two doctors determined how much time an individual - if diligent - would spend reading privacy policies in one year. Their results:
Finally, all the information was tossed into the hopper and here's what they came up with:
Now in 2012, I hear people talk about the benefits of privacy policies in terms of how the process of creating privacy policies helps companies think through their policies, how they create a legal minimum standard, and how they are useful for a very few, very dedicated people who read policies and highlight unusual practices in the press.
We were not the first authors to point out privacy policies are a huge burden on users. There is fantastic scholarship on how hard it is to read privacy policies written in legal jargon and technical jargon, and that users feel there is no point reading policies when they cannot make choices.
What was new in 2008 was that our findings suggest if you were able to cure those defects and write in plain English, that wouldn't help enough. We need a new plan. Since our work, there is solid progress on getting users more useful information by rethinking privacy notices altogether.
The Internet has changed over the past four years as well, with more third-party data gathering and more Americans online. If we were updating the study we would need to include the time to read policies from the approximately 120 third-parties that most Americans run across in a year, and multiply by more Americans online.
The second big change is a huge surge in mobile Internet use, often from cell phones. We could update with time estimates for how much longer it would take to read website policies on a tiny screen, but we cannot do a good job estimating the time to read privacy policies for mobile apps. That is because right now, the majority of mobile apps do not have privacy policies.
Thanks to work from the California Attorneys General that will change soon, and if we talk again in a few years it will be a different story again.Kassner: Now for the tough question. If you had the ability to fix the problems surrounding user privacy while online, what would you do? McDonald: That is an ambitious question! It is not as if there were an optimal level of privacy for all people, or if people want the same privacy in all contexts. It's so personal and particular. Let me give you a metric for how we know we are there, rather than an answer.
We can say we have "fixed" data privacy when users are able to make choices about how their data is collected and used, in ways that let them make tradeoffs and set the right level of privacy for them at that time. We will have some exceptions to picture: someone who had a car repossessed may not want a potential lender to know that, but for public policy reasons, they won't get to hide their mistakes on that one. But overall, privacy is fixed when people can make good choices for themselves.
Obviously we aren't spending 200 hours a year reading privacy policies. Does that mean we aren't being diligent or is it because privacy policies are so complex it's a waste of time to read them?
Thank you Dr. McDonald and Dr. Cranor for the thought-provoking research.
Information is my field...Writing is my passion...Coupling the two is my mission.