Consumers worry about privacy online but have been ready – at least so far – to give up some of their personal information in exchange for convenience. Communicate explores this paradox.

We are often told that an increasing number of people are concerned about online privacy, afraid that their data would be used improperly or, worse, fall in the hands of bad actors. Yet, we have all been willing to avert our eye and give private information away for years, for so much as free pizza. In other words, for a mysterious reason, we’ve been selling ourselves short.

This is the phenomenon that researchers Susan Athey, from the Graduate School of Business at Stanford University, along with Catherine Tucker and Christian Catalini, both from the MIT Sloan School of Management, have studied in a 2017 paper, “The Digital Privacy Paradox: Small Money, Small Costs, Small Talk.”

This study came up with three astounding findings: firstly, “Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so” – in that case, free pizza indeed. Secondly, “small frictions in navigation costs surrounding privacy choices can have large effects in terms of technology adoption, even in the presence of transparent information about the privacy consequences of those choices.” And thirdly, “After being randomly exposed to irrelevant, but reassuring information about a tangential technology, students were less likely to avoid surveillance in their use of the technology.” In short, when offered even trivial incentives or faced with minimal complications, people make privacy-decreasing decisions regardless of their stated preferences.

Worse, the Kaspersky Lab Global Privacy Report 2018 indicated that only 41% of the people it surveyed were worried about their online privacy, despite reports about multiple breaches, while a 2018 global study by the Global Alliance of Data-Driven Marketing Associations (GDMA) and the UK DMA found 77% of people in ten nations (including the US, the UK, Spain, France, Germany, and the Netherlands) were either “pragmatic or unconcerned about sharing their data.” Significantly, and perhaps more worrisome, the GDMA study showed that the younger the users, the less “data concerned” they were. And, going even a step further, a 2019 report by mobile data analytics firm Blis in the US showed that 57% of respondents felt their information was worth a minimum of $10 only.

Some explanation is linked to the acceptance that, apparently, this is the price to pay when you go online – which we do a lot. Kapersky found that more than half of consumers (56%) believed keeping information completely private on the Internet is impossible, and maybe they’re right. A 2017 study by free software provider Ghostery revealed that 79% of all websites globally tracked their users’ movements online, even when these users were browsing elsewhere, and that 15% of all page loads were monitored by ten or more trackers. The situation is no better on mobile, with another 2017 study, by the University of Massachusetts, showing that over 70% of apps report personal data to third-party tracking companies.

Regardless of the root cause, things were get- ting out of hand and came to head in 2018 with an astounding series of data breaches, topped by the Cambridge Analytica scandal and the US Congress suing Facebook. Soon enough, this all led to a predictable, yet inexorable reaction.

ENTER PRIVACY LAWS

On May 25, 2018, the European Union started enforcing the General Data Protection Regulation (GDPR), a binding set of rules aiming to give control to individuals over their personal data and to harmonize the regulatory environment for international business in the EU. At its core, seven principles are meant to guide the handling of people’s data:

• lawfulness, fairness and transparency;

• purpose limitation (the data is collected for specified, explicit, and legitimate purposes);

• data minimization (organizations can’t overreach with the type of data they collect about people); • accuracy (inaccurate personal data should be erased or rectified without delay);

• storage limitation (the data collected is kept in a form that permits identification of data subjects for no longer than is necessary);
• integrity and confidentiality (security: appropriate information security protections must be put in place);

• and accountability (the organization will be responsible for and be able to demonstrate compliance with the principles).

Failure to comply with the principles leaves organizations open to substantial fines.

The introduction of GDPR was expected to upend the digital world in Europe and beyond, impacting the many organizations around the world that do business in the EU, have customers from the EU, or have services accessible from the EU.

Still, GDPR has been lauded as a progressive approach to how people’s personal data should be handled and very much inspired the Califor- nia Consumer Protection Act (CCPA), that was passed a month later – but only became effective in January 2020. Similarly, the CCPA delineates its intentions as a way to provide California residents with the right to:

• know what personal data is being collected about them;
• know whether their personal data is sold or disclosed and to whom;
• say no to the sale of personal data;
• access their personal data;
• request a business to delete any personal information about a consumer;
• not be discriminated against for exercising their privacy rights.

As Marc Rotenberg, President of public interest research institution Electronic Privacy Center (EPIC), told Venturebeat in 2019, “The real privacy paradox is that transparency is required for effective privacy protection. That is why real privacy laws, such as the General Data Protection Regulation (GDPR), impose transparency obligations on companies and establish access rights for those whose personal information can be collected.” A number of businesses shared this view and consider these legislations as an opportunity that will benefit both customers and themselves.

These legislations were considered breakthroughs in the battle for online privacy. The big question, of course, is: Did they change anything?

HUMAN NATURE

DPR didn’t make much of a difference for businesses, Gladys Kong, CEO of mobile data company UberMedia, wrote in Forbes in 2019: “The vast majority of consumers have consented to publishers using their data, and brand and third-party data brokers are still collecting, crunching and monetizing a sizable amount of Internet user data.”

The programmatic industry, in particular, was expected to be hard-hit by the new laws – and in the immediate wake of the GDPR introduction, it was, with ad exchanges seeing European ad demand volumes plummet between 25% and 40%. Yet, the situation soon stabilized when a vast majority of publisher traffic became filtered via consent management platforms. According to eMarketer, brands in Europe have since regularly increased their programmatic spending.

As Kong explained in her Forbes piece, “Turns out consumers are more concerned about privacy in theory than they are in practice. GDPR’s effect on online data collection has been minimal. […] Research continues to show that the vast majority of consumers are comfortable exchanging personal data for increased usability or free access to a service, just as long as the agreement is clearly communicated.”

In effect, Kong was already proven right by a 2018 Quantcast report showing that 90% of people who visited its EU domains gave their consent for use of their personal data under GDPR rules, and 92% of these 90% (i.e. 81% of the total) said yes to everything. This a point that technology expert Dr. Stephanie Hare, also made in The Guardian last November: online users can’t seem to be bothered to check consent details. She wrote, “Most websites nudge us into clicking ‘I consent’ by making it harder for us not to. Those that do not offer an ‘I do not consent’ option force us to navigate a complicated menu of privacy settings, all of which offer the veneer of privacy. They know that no one has the time nor the inclination to do this for every website, and they are betting that most of us will choose convenience over data protection.”

Andrew Buckman, COO of ad tech vendor Sublime, went even further, telling Digiday in May 2019: “Everyone is violating the rules. None of these companies are adhering to what regulators say. Everyone has taken the easiest way out — to just show something to consumers, and consumers aren’t too bothered by it.”

*Sigh*