94% of Australians do not read all privacy policies that apply to them – and that's rational behaviour
Australians are agreeing to privacy policies they are not comfortable with and would like companies only to collect data that is essential for the delivery of their service. That's according to new, nation-wide research on consumer attitudes to privacy policies released by the Consumer Policy Research Centre (CPRC) today.
These findings are particularly important since the government's announcement last week that it plans to implement "open banking" (which gives consumers better access to and control over their banking data) as the first stage of the proposed "consumer data right" from July 2019.
Consumer advocates argue that existing privacy regulation in Australia needs to be strengthened before this new regime is implemented. In many cases, they say, consumers are not truly providing their "informed consent" to current uses of their personal information.
While some blame consumers for failing to read privacy policies, I argue that not reading is often rational behaviour under the current consent model. We need improved standards for consent under our Privacy Act as a first step in improving data protection.
Australians are not reading privacy policies
Under the Privacy Act, in many cases, the collection, use or disclosure of personal information is justified by the individual's consent. This is consistent with the "notice and choice" model for privacy regulation: we receive notice of the proposed treatment of our information and we have a choice about whether to accept.
But according to the CPRC Report, most Australians (94%) do not read all privacy policies that apply to them. While some suggest this is because we don't care about our privacy, there are four good reasons why people who do care about their privacy don't read all privacy policies.
We don't have enough time
There are many privacy policies that apply to each of us and most are lengthy. But could we read them all if we cared enough?
According to international research, it would take the average person 244 hours per year (six working weeks) to read all privacy policies that apply to them, not including the time it would take to check websites for changes to these policies. This would be an impossible task for most working adults.
Under our current law, if you don't have time to read the thousands of words in the policy, your consent can be implied by your continued use of the website which provides a link to that policy.
We can't understand them
According to the CPRC, one of the reasons users typically do not read policies is that they are difficult to comprehend.
Very often these policies lead with feel-good assurances "We care about your privacy", and leave more concerning matters to be discovered later in vague, open-ended terms, such as: "…we may collect your personal information for research, marketing, for efficiency purposes…"
We generally have no ability to negotiate about how much of our data the company will collect, and how it will use and disclose it.
According to the CPRC Report, most Australians want companies only to collect data that is essential for the delivery of their service (91%) and want options to opt out of data collection (95%).
However, our law allows companies to group into one consent various types and uses of our data. Some are essential to providing the service, such as your name and address for delivery, and some are not, such as disclosing your details to "business partners" for marketing research.
These terms are often presented in standard form, on a take-it-or-leave-it basis. You either consent to everything or refrain from using the service.
We can't avoid the service altogether
According to the CPRC, over two thirds of Australians say they have agreed to privacy terms with which they are not comfortable, most often because it is the only way to access the product or service in question.
In a 2017 report, the Productivity Commission expressed the view that: "… even in sectors where there are dominant firms, such as social media, consumers can choose whether or not to use the class of product or service at all, without adversely affecting their quality of life."
However, in many cases, we cannot simply walk away if we don't like the privacy terms.
Schools, for example, may decide what apps parents must use to communicate about their children. Many jobs require people to have Facebook or other social media accounts. Lack of transparency and competition in privacy terms also means there is often little to choose between rival providers.
We need higher standards for consent
There is frequently no real notice and no real choice in how our personal data is used by companies.
The EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, provides one model for improved consent. Under the GDPR, consent: "… should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement."
The Privacy Act should be amended along these lines to set higher standards for consent, including that consent should be:
- explicit and require action on the part of the customer – consent should not be implied by the mere use of a website or service and there should be no pre-ticked boxes. Privacy should be the default;
- unbundled – individuals should be able to choose to consent only to the collection and use of data essential to the delivery of the service, with separate choices of whether to consent to additional collections and uses;
- revocable – the individual should have the option to withdraw their consent in respect of future uses of their personal data at any time.
While further improvements are needed, upgrading our standards for consent would be an important first step.