Notice, consent, privacy: Why we need to do better
Users can barely access, or comprehend, privacy policies. Consent has to be made more meaningful
EVEN IF A ‘MODEL CONSUMER’ WERE TO ABSORB EVERY TERM, IT WOULD NOT CHANGE THE FACT THAT THE USER STILL LACKS ANY REAL BARGAINING POWER VIS-ÀVIS THE PROVIDER. THE OPTIONS ARE TO EITHER ACCEPT THE TERMS OR NOT USE THE SERVICE
Most people do not read privacy policies. Those who have tried would testify that these documents can be pretty hard to understand. Running into several pages that are filled with legal jargon and unexplained phrases, the main purpose seems to be to protect the company from legal liability rather than genuinely informing the consumer. We discuss this in a recent paper co-authored with Rishab Bailey, Faiza Rahman and Renuka Sane at the National Institute of Public Finance and Policy.
We conducted a quiz to test how well urban, English-speaking, college students understand the policies of five popular tech companies — Flipkart, Google, Paytm, Uber and WhatsApp. The short answer? Not very well. The students scored an average of 5.3 out of 10, faring the worst in areas where the policy terms were unclear or required the reader to make their own inferences.
The right to informational privacy implies that, at the very least, every individual should be able to determine who can use her personal information and for what purpose. Moreover, these interactions must take place in an ecosystem that recognises the power and information asymmetry between the parties, and has sufficient safeguards to protect the individual’s interests.
One way in which most data protection frameworks, including the one currently under consideration in India, try to achieve this is by resorting to the “notice and consent” regime. This framework regards individuals as pragmatic actors, who are capable of weighing the pros and cons of the options available to them and pursuing their best interests. Entities that seek to collect and use personal data are therefore tasked with the duty to provide adequate and meaningful “notice” to users. Armed with this information, users can then choose to grant their “informed consent”, which becomes the basis for processing of their data.
Each time a person clicks the “I agree” button, she has presumably conducted a reasoned trade-off between her desired level of privacy and the value being derived from the service in question. This would assume that each Uber user understands that the policy is worded broadly enough to allow the
company to track her location at all times. Similarly, all Gmail users are comfortable with their emails being scanned for producing targeted advertisements.
In reality, however, a user’s interaction with privacy policies faces many stumbling blocks. The first, and most basic, is the barrier of accessibility. Almost none of the privacy policies are available in languages other than English. Of the companies we studied, only Google provided its privacy policy in multiple Indian languages. This is clearly not optimum in a country where only a fraction of the population is able to read and understand English.
Second, the construction of sentences and phrases in most policies is of a level that requires advanced comprehension skills. Using the Flesch-Kincaid readability score, we found that all of the selected policies had scores ranging from 16 to 41, which correspond with graduate-level reading skills. To put this in perspective, only about 8.2% of India’s above 15 population has an education level of graduate and above.
The third concern arises from the sheer volume of the transactions that take place in the digital economy and the big data analytics emerging from that. As per App Annie’s State of the Mobile Report, an average Indian smartphone user has about 70 apps on her phone. Spending even half an hour reading each policy would translate to about 35 hours of reading time. Add to this all the other daily interactions involving the processing of one’s personal data, and the impracticality of expecting a user to go through all the policies becomes evident.
Finally, even if a “model consumer” were to read and absorb every term, it would not change the fact that the user still lacks any real bargaining power vis-à-vis the provider. In markets with a handful of dominant players, the only options are to either accept the terms set out by the provider or not use the service at all.
The culmination of these factors has led many to argue that “consent” can no longer serve as a legitimate basis for the processing of personal data. Yet, for many others, the idea of consent is so deeply rooted in individual autonomy and liberty that doing away with it would require a fundamental rethink of how we understand the right to privacy. The middle-path perhaps lies in building a robust set of data protection principles and accountability mechanisms, which would apply irrespective of whether the user’s consent has been obtained. To some extent, the draft Personal Data Protection Bill also tries to achieve this, even though it retains a central role for consent.
At the same time, we need privacy policies to be better drafted and designed, keeping in mind the differential needs of different categories of Indian users.
Consent in the digital world will never be perfect but we cannot stop trying to make it as meaningful as possible.