Who reads privacy notices? And why do we have them?

Telling individuals what you will do with their personal data is fundamental to the operation of data protection laws. Individuals need that information to understand how their personal data is processed and to enforce their rights.

However, our recent study shows hardly anyone in the UK looks at privacy notices and, the few that do, do not bother to read them properly. We consider why regulators are still demanding ever-longer privacy notices and what should be done to provide meaningful privacy rights for individuals.

Key findings

We submitted freedom of information requests to nearly 20 UK public bodies to find out how many visitors to their websites looked at the privacy notice and how long they spent on that page.

The table here sets out the information provided by those public bodies. The key findings are:

• On average, only 1 in 200 website visitors (0.5%) looked at the privacy notice. (The figure for unique visitors is slightly higher at 0.8%).
• Of those that did look at the privacy notice, they only spent 48 seconds on that page on average. Assuming the whole of that time was spent intently reading the privacy notice at 200 words per minute, that would allow the visitor to read around 5% of the policy.

Within these figures are a wide range of variations. For example, nearly 2.8% of the visitors to the National Health Service website looked at the privacy notice, perhaps reflecting the importance of health information. (Though the highest figure was 3.7% for the British Council website). This compares to the Office for National Statistics where a miserly 0.01% of visitors bothered to look at the privacy notice.

This does mean a considerable number of visits to the privacy notices of at least some organisations. For example, over the 12-month measurement period, there were 1.2 million hits for the NHS notice and 0.28 million hits to the British Council notice (albeit only 657 hits on the ONS privacy notice).

The average dwell-time for those visits is, however, very short at 48 seconds. This figure is also subject to significant variations. The average time spent on the HMRC’s privacy notice was nearly three minutes which would allow the committed reader to get through 14% of the privacy notice. This compares with the Information Commissioner’s website where the dwell time was a mere 28 seconds, which would only allow the visitor to get through 0.3% of the privacy notice (though this is mainly a product of the length of the notice).

In practice, the actual time spent reading these notices will be much shorter. Most visitors will not have spent that whole time on that page reading the notice. Some may have simply left the browser tab open and unread in the background.

The privacy notices – Long and unreadable

Our review also looked at the underlying privacy notice. It found that:

• On average, the privacy notices were 7,400 words long.
• The average readability score (Flesch- Kincaid Score) for those notices was 13.

The word count is distorted by the immense NHS privacy notice (55,700 words) and the no less impressive privacy notice from the Information Commissioner (22,000 words). Removing these outliers reduces the average to a still lengthy 3,700 words.

To put the readability score of 13 in context, these notices were about as easy to read as Stephen Hawkings’, A Brief History of Time. One notable exception is the BBC’s privacy notice which achieved the best score of 7.6. This is roughly equivalent to the Harry Potter series, though the BBC’s notice has a less compelling narrative. (The readability score for this article is an impressive 9.7.)

The lack of engagement reflects wider experience

The data for our study come from a small sample and we do not know the exact means the relevant public authorities generated the statistics. The figures also only come from the UK public sector. They do not necessarily reflect the position of private companies or organisations in the EU.

Having said that, the figures are not a complete surprise and match the authors’ anecdotal experience. They are also consistent with legal easter eggs, court decisions and academic studies in relation to both privacy notices and online T&Cs. For example, the lack of appetite to actual read T&Cs is shown by:

• The Tax Policy Associates who amended a clause in their T&C’s in February 2024 to offer “a good bottle of wine to the first person to read this”. It took a full three months for someone to claim the Château de Sales 2013/14, Pomerol.
• Game Station who included a special edition of their T&C’s on April Fools’ Day in 2010. The terms gave Game Station a “non transferable option to claim, for now and for ever more, [the customer’s] immortal soul”. This was subject to an opt out mechanism. No one used it.

The English courts recognise this problem. In Parker-Grennan v Camelot [2024] EWCA Civ 185 the Court of Appeal said bringing T&C’s to consumers is “one big dilemma”.

It is difficult to do this “without testing [the consumer’s] patience so much that they decide to take their custom elsewhere…?”. Put differently, the Court asked itself “Is it ever going to be possible to overcome the fact of life that most people (dare I say it, even lawyers) will not bother to read the "small print"…?”. Its conclusion was that a trader “cannot force someone to read the terms and conditions if they cannot be troubled to do so. The trader only needs to take reasonable steps to bring the terms and conditions to their attention”, such as by providing a hyperlink to the terms.

These echo the findings of the first instance decision in Experian v Information Commissioner [2023] UKFTT 00132 on the transparency requirements under the UK GDPR. That concluded that transparency is “central to the GDPR” but that “research data … shows that actually most people do not care about what happens to their data”. On appeal, the Upper Tribunal confirmed that the “data subjects’ lack of engagement with the [privacy notice] does not indicate that it was inaccessible” and was instead because “most people did not access / read privacy policies” (Information Commissioner v Experian [2024] UKUT 105).

Wider academic studies also suggest very limited consumer appetite for this information. For example, the “research data” referred to in the Experian judgment is a study in which users were shown a privacy notice and terms of services as part of the sign-up process for a fictitious new social media service. The users spent 73 seconds reading the privacy notice and 51 seconds on the terms and conditions (whereas reading them properly would take around 30 and 15 minutes respectively).^[1]

Privacy “books”

The key problem is the length and complexity of privacy notices. The notices we looked at were, on average, 7,400 words long.

This is consistent with a recent study by NordVPN that suggests the average length of the privacy notices in the US was 6,900 words. Given the average user visits around 96 websites a month, those users would need to devote 50 hours a month to properly read those notices.^[2]

We also looked at the privacy notices of some of the larger technology companies.^[3] Their privacy notices were, on average, 27,000 words long and had a Flesch- Kincaid Score of 12. To put that in context, Stephen Hawkings’ A Brief History of Time has a similar readability score and runs to 57,695 words.

These are no longer privacy “notices” but instead privacy “books”.

Compliance theatre

Why is this happening? One reason is that privacy notices are now an important actor in the privacy “compliance theatre”. The UK GDPR is based on a set of general principles, but the Information Commissioner is expected to apply those principles specific harms, such as underage use of social media services, overly targeted advertising or online disinformation.

It is not always straightforward to map those specific harms onto the general principles of the UK GDPR. Some of this might come from a technical failure to establish a legal basis or similar, but increasingly in the UK (and elsewhere) this is dealt with a transparency failing. In other words, a sanction is applied not because that harm is specifically addressed in the UK GDPR but on the basis that the relevant processing is not adequately or clearly described in the controller’s privacy notice.

This has led to UK and EU data protection authorities issuing a series of fines (partly) based on an alleged failure to comply with Article 13, UK GDPR. For example by not including: (a) a full list of clearly articulated categories, and named recipients, of personal data shared with third parties; (b) specific jurisdictions, either within or beyond the EEA, to which personal data would be transferred; or (c) a full description of exactly what information is retained, why, and for how long.

Failure to provide this information is said to prevent consumers “making informed decisions about whether to provide personal data to” the controllers. It is, however, hard to reconcile that with the practical realities of consumer behaviour. Regardless of the content of that privacy notice, it is highly unlikely this level of detail would ever be read by anyone. The idea that this extra information would influence consumer decision making is fanciful.

What does this mean in practice?

In practical terms, the approach of regulators just incentivises controllers to produce longer and longer, and more and more complex, privacy notices. This is not because of any genuine consumer demand for greater detail as to the exact processing operations conducted but instead as a defensive measure should there be any enforcement action.

The only plausible benefit is that some privacy notices now also operate as a form of “externalised RoPA” (record of processing activities). While consumers have little interest in their contents, privacy activists do follow the privacy notices of large technology companies carefully and there have been numerous cases in which changes (or proposed changes) have triggered complaints and regulatory investigations. If this is now the true purpose of these notices, it is a long way removed from their origins in Articles 13 and 14 of the UK GDPR, and is a phenomenon that has very limited application to the vast majority of businesses in the UK.

The way forward

These figures demonstrate the challenges raised by the GDPR. How can you encourage people to actually read your meticulously researched and carefully-crafted privacy notice?

The data shows visitors spend, on average, 48 seconds reviewing these privacy notices. That gives you a “budget” of around 200 words to get the key messages across (at average reading speed). However, the privacy notices we reviewed currently average over 7,400 words.

So how do you square the circle?

• Key facts – Even if your policy is clear and really well written, not every individual you deal with will want to read all of it. Structure the policy so they can immediately access the key facts and actions. Try to assess what those individuals will want from the policy. Do they want to object to direct marketing? Do they want to contact your data protection officer? Make this information more prominent and use other techniques such as jump links or concertinas, so people can find the information they want, fast.
• Make it fun! – Few people will read a dry-as-dust recitation of processing conditions, retention periods and the like drafted in dense tables of legalese. Write the policy in simple English in a way that is useful and helpful. Use practical examples and links to tools to allow individuals to exercise their rights. Try and make the policy not just informative, but also entertaining. (Note: this is challenging)
• Videos – Don’t just use text. Think about other ways to deliver the information to individuals such as recording a video, showing an animation or even creating a game
• User testing – Check what actually works in practice. Consider carrying out user testing on your policy to find out if people find it useful. Can they find the information they want and, most of all, can understand what it says? User testing is also a good way to justify some of the more difficult decisions about what to include in your policy
• Get the data – Once you go live, get the data. How many customers are visiting the policy and which bits are they interacting with? Can you run some split A/B tests to drive up your figures?

For regulators, this should trigger a period for reflection. The current “compliance theatre” is simply creating longer and longer privacy notices, that are less and less useful for data subjects.

 

The table here contains the data supporting our study.

 

A longer version of this article addressing developments in both the UK and the EU will appear in Volume 5, Issue 4 (2024) of the Global Privacy Law Review.

^[1] The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services Information, Communication & Society, pp. 1-20, 2018. Obar & Oeldorf-Hirsch.

^[2] Nine hours to read the privacy policies of the 20 most visited websites in the US, NordVPN, 23 October 2023.

^[3] Alphabet, Amazon, Apple, Meta and Microsoft.