Do people really read privacy notices on the Internet? Given all the importance that privacy laws, regulators, advocates and the press place on privacy notices, the question is a fair one. Two recent polls assessed consumer attitudes toward privacy notices on Internet sites.
One poll was designed by Mary Culnan, a professor of management at Bentley College in Massachusetts, and George Milne, an associate professor of marketing at the University of Massachusetts. Culnan is well known in privacy circles and is respected by all sides. The poll results are available at http://intra.som.u-mass.edu/georgemilne/research.htm.
The other poll was conducted by the Privacy Leadership Initiative, and the results can be found at www.understandingprivacy.org. The two polls are roughly comparable, so I will stick to the numbers from the Culnan-Milne poll just because they are more readily at hand.
The poll shows that many people are concerned about privacy. Only 17 percent say they never read online privacy notices. Another 33 percent rarely read them. That leaves exactly half the respondents, and they read notices sometimes (31 percent), frequently (13 percent) and always (5 percent).
The real question is why people read notices. After all, when I visit a Web site that doesn’t ask for personal information and has no way to discover who I am, I don’t really care what its privacy policy is. The poll shows that many people are just as pragmatic.
People are much more likely to read a notice when asked for personal information (73 percent agree or strongly agree) or when using a credit card to buy something (78 percent). If the Web site belongs to a familiar company or one that is trusted, the privacy notice is less likely to be read. Privacy seals also seem to engender more trust.
The poll also shows that people take action based on their perceptions about privacy. The most striking number in the poll is the 64 percent of respondents who said they decided not to use a Web site or not to purchase something from a site because of uncertainty about how personal information would be used. That is a large number of customers lost because of absent, incomplete or untrustworthy privacy notices.
Another finding is that current notices could be better. People think that notices are too long (68 percent) and use confusing legal language (53 percent). People also doubt the veracity of privacy notices. Less than half agree that notices are truthful (35 percent) or accurately reflect how information will really be used (29 percent).
Here is a little free advice from me. Don’t let your lawyers write privacy notices. Notices produced by lawyers are usually incomprehensible and convey a sense that the consumer bears all the risks and the Web site has no responsibility. Maybe your copywriters should play a role in writing friendlier privacy notices.
The poll suggests that enough people read and care about notices so that notices are important. Why would any company that works hard and spends money to attract potential customers to its Web site want to risk alienating customers over privacy? Unless your company doesn’t need more business, privacy is a relatively cheap way to keep some customers from walking off your Web site and onto a site with a better privacy policy.
I think privacy notices are important for another reason. If a company or Web site hasn’t prepared a notice, then it hasn’t thought through its policies for the use of personal information. A company without a policy may find uninstructed employees doing things with information that the company really didn’t intend.
When the failure to address privacy ends up as a front-page story or a lawsuit, it is lame for a company to say that it didn’t intend the result. A privacy policy is a way to tell employees what they can and cannot do. It is a way of establishing standards and enforcing accountability. A clear, credible, well-written policy helps send the right message to customers and employees.
So even if the polls had shown that people did not care about or take action because of privacy notices, I still would argue that notices are important. A privacy policy protects a company just as much as it protects the company’s customers. Personal information is a resource and a risk. A company that collects personal information without regard to the risks is asking for trouble.
I have a notice to offer as part of this column. Support for the Culnan-Milne poll came from a grant from a cy pres fund that was created by the lawsuit that arose several years ago over Metromail’s use of prisoners to process consumer information. I was an expert witness in the case, and I ended up serving on the committee that decided who would receive money from the fund. I had no other involvement with the poll.
The previous paragraph is a type of notice. It discloses a potential conflict. The disclaimer wasn’t very interesting, but it was something that I thought obliged to include. Just like privacy notices, sometimes people need to be told about something whether or not they care. Being honest and open can only serve to enhance credibility.
