No one reads online privacy policies

If you feel some sense of embarrassment to admit it, you shouldn’t. You’re not alone. Some of the greatest minds in America sign contracts without reading them. Chief Justice John Roberts doesn’t bother with them. Judge Posner signed a home loan without reading anything.

This may strike a chord with some internet users. After all, even if we wanted to read them all, who has the time? In 2012, Alexis Madrigil estimated that 53.8 billion hours would be required for every Internet user in the United States to read every privacy policy on every website they visit. It’s a safe bet that this number has only grown since then. Just reading Amazon’s ToS out loud would take an entire workday (nine hours, to be exact).

There have also been some recent efforts to visually demonstrate the excess of pages that would need to be sifted through. Last spring, Joanna Stern at the Wall Street Journal pointed out that she could cover the length of a football field using the printed privacy policies of the apps, services, and operating systems she most regularly uses.

Regardless of the effort required, the onus is on the users to know what they agree to. However, even if someone had all the time (76 work days by Madrigil’s count), energy, and attention span to read every word of every privacy policy we encounter, there’s one more problem: most of us wouldn’t even understand what we are reading.

There is some growing concern about whether or not tech companies can sustain this status quo. The New York Times, for example, published what may feel like a stinging critique. In an editorial titled “How Silicon Valley Puts the ‘Con’ in Consent,” it strikes at the heart of the current data privacy debates: the legal fiction of consent. “If no one reads the terms and conditions,” it asks, “how can they continue to be the legal backbone of the internet?”

What’s really at the center of most of the recent kerfuffles isn’t that companies are abusing user data. Instead, people are shocked, confused, and sometimes outraged to discover what they’ve agreed to. After all, Mark Zuckerberg and Jeff Bezos aren’t exactly available to answer the average person’s questions about what their privacy policies are.

For example, a survey of Facebook users in the fall of 2018, as privacy-related stories were breaking daily, indicated that two-thirds of respondents were logged on at least as much as they were in 2017. Moreover, Facebook continues to add daily active users and monthly active users in the US and Canada have also continued to increase over the past two years.

So, why aren’t people more concerned?

James Cooper, now the current Deputy Director for Economic Analysis at the Federal Trade Commission, weighed in on this in 2016:

[I]t seems reasonable to ask that if consumers are so concerned with the data they share, why don’t they seek out more information? We tend to collect a lot of information when wrong decisions can have serious and lasting consequences (e.g., spouses or houses). On the other hand, we don’t put much thought into choosing a new toothbrush. We are rationally ignorant about myriad choices we make in life because the benefits from learning more are just too small in terms of avoided harm. The evidence is mounting that the data sharing involved in everyday digital life may fall into this bin. It’s time to consider the possibility that consumers are unlikely to read and act on privacy policies no matter how simple they become because consumers view the potential privacy harms as just too small to justify the effort.

Lior Strahilevitz and Matthew Kugler, from the University of Chicago and Northwestern University respectively, put this concept in context. By looking at Facebook’s use of facial recognition software and Google’s text analysis of its users’ emails, they show that two-thirds of users were unwilling to pay anything to avoid the practice. It’s not that consumers don’t care that they traded some of their information for free email and an easy way to stay in contact with old friends. Instead, they simply value those services at greater levels than the information they trade for the platforms they use.

Consider this, in Strahilevitz and Kugler’s work even the third of consumers who were willing to pay to avoid those practices by Google and Facebook were only willing to pay four cents a day — that’s only $15 a year.

This is why understanding rational ignorance on the part of consumers so important. Just like looking for a new toothbrush, or Judge Posner getting a loan, if individuals view the value of the information less than the cost of acquiring it, they won’t go searching for that information. This doesn’t necessarily indicate a market failure in data privacy, as I previously outlined. It just means that consumers value the services tech companies provide more than they value keeping some information private. After all, if the average consumer only values their privacy at $.04 a day in some instances, even a quick glance at the ToS is likely already more costly than it’s worth.

Moreover, instead of presumed preferences, consumer actions should basis for the privacy protections that The New York Times editorial board calls for. While people claim to care very deeply about their privacy, their actions tell a different story. If we built national policy around our stated (rather than our revealed) preferences, we could inflict significant costs on society with little benefit.

This is not to say that everyone doesn’t care deeply about their privacy. DuckDuckGo exists for a reason. And when people feel unsatisfied with how a particular platform protects their privacy, they leave. For example, Google searches over the past year for “how to delete facebook account” seem to track the recent scandals. However, it is worth noting that, throughout the year, it remained a relatively unpopular search.