Why Does Privacy Have to be so Hard for Consumers to Understand?
I was spending time with my parents the other day, and my mom asked me about work.
“It’s going well, just the usual – reviewing privacy notices, working with clients to build privacy programs. All straightforward work,” I replied, thinking nothing much of it.
My mom paused and said, “Honestly, I don’t even know how you do it. I mean, I can’t even make it past the first sentence of a privacy policy before I just give up and click agree! There is just too much to keep track of, and I don’t even understand half of what they are saying in those policies. And it is not like I have a choice – if I don’t click agree, I don’t get to use the website.”
I was a little taken aback – I thought my mom, who usually asked about my job and knew I worked in privacy, would be more privacy aware.
After chatting with her some more, I realized that it wasn’t that she was bored by the concept of privacy; she genuinely wanted to know what was happening to all the information she provided. She was just overwhelmed and didn’t know where to start.
I thought about our conversation, and wondered: do most consumers, like my mom, feel this way?
The Consumer’s Privacy Conundrum
Privacy risks and rights seem to have been lost on the very people laws like the CCPA and GDPR were designed to protect. Many of my own friends don’t know that they have the right to ask to have their account deleted, let alone where to go to exercise that right. Our own friends and family members have little understanding as to what personal data is. They unwittingly share more data than they need to with businesses without understanding what they have given in exchange for a 10% off coupon.
Historical Context of Privacy
The concept of privacy is not new. As far back as 1890, Samuel Warren and Louis Brandeis argued the importance of privacy as a right. They conceptualized controlling one’s personal information as the “right to be let alone.” The Supreme Court further codified privacy as a fundamental right in 1965, arguing that privacy is protected from governmental intrusion in the “penumbra” of the First Amendment.
Current Consumer Perception
According to data from the Pew Research Center, 78% of Americans trust themselves to make the right decisions about their own personal information, underscoring a widespread desire for the “right to be let alone.” Yet three-fourths of Americans believe they have little to no control over what companies or the government do with their data.
Business Responsibilities: Upholding Privacy Standards in Today’s Marketplace
With the influx of more state consumer privacy laws, consumers are increasingly aware that their privacy is important, and that their information is valuable to businesses. Thus, consumers will continue to want to know more about what organizations are doing with their personal data, especially with the increasing use of AI technologies.
So why is it so difficult for us to clearly explain to consumers:
- what data we ask them to provide;
- what we will use it for;
- and why it matters?
The Consumer’s Privacy Conundrum
While there is value in the personal data businesses collect from consumers, which allows them to fulfill customer orders for goods and services, while delivering growth and revenue to owners and shareholders, they also have a responsibility to take the time to communicate this to consumers in a way that my mother and children can understand. The bottom line is important, but businesses must also understand they have an obligation to be transparent with consumers – after all, the data they are profiting from is consumer data.
To be fair, operationalizing privacy rights, protecting personal and sensitive data, and ensuring accuracy and reliability is very complex. Most people do not need to know the inner workings of an organization’s privacy program. Much of the language around consumer privacy is also technical and volatile. For instance, terms like “data subject,” “DSRs,” and “sensitive personal information” are used by privacy professionals regularly, often forgetting they can be very confusing for a consumer who just wants to buy concert tickets online.
A Practical Approach for Privacy Professionals: Step into the Consumer’s Shoes
Privacy professionals are typically well trained and thoughtful, and as such, should step back occasionally to gain a broader perspective. For instance: How many of us have submitted a DSR request for our own data? Or put ourselves in the shoes of our parents or siblings when reviewing the website privacy notices we have drafted? And what about the health of our own company’s privacy notices? When drafted were they box-checking exercises, or thorough investigations of internal privacy operations followed by clear and concise, understandable, public facing privacy notices and webforms on our websites?
For example, I recently came across a comment that before you start processing personal data, consider if you would be comfortable sitting down and telling your mom what you are doing with her data without feeling ashamed or embarrassed. If we regularly asked this question before we collect personal data for any particular use, perhaps we would be able to better empathize with consumers and incorporate privacy by design as a default practice.
As privacy professionals, we have spent many hours reading, reviewing, and drafting privacy notices. These notices are windows into our organization’s internal privacy operations. Privacy notices are often the only opportunity we must inform consumers clearly and thoroughly about what is going on behind the curtain with their personal data.
- what data we ask them to provide;
- what we will use it for;
- and why it matters?
Conclusion
So, if you’re revising, writing or reviewing a privacy notice for your company, take the time needed to properly consider the audience, and what messages you are conveying to consumers. At the end of the day, “data subjects” from whom we collect personal data are people; they are our family members, friends, and colleagues. As such, we should make our best efforts to be transparent, sincere, and respectful about what we do with their valuable personal data, and how they can exercise their rights.
