Series
Blogs
Series
Blogs
Telling individuals what you will do with their personal data is fundamental to the operation of data protection laws. Individuals need that information to understand how their personal data is processed and to enforce their rights.
However, our recent study shows hardly anyone in the UK looks at privacy notices and, the few that do, do not bother to read them properly. We consider why regulators are still demanding ever-longer privacy notices and what should be done to provide meaningful privacy rights for individuals.
We submitted freedom of information requests to nearly 20 UK public bodies to find out how many visitors to their websites looked at the privacy notice and how long they spent on that page.
The table here sets out the information provided by those public bodies. The key findings are:
Within these figures are a wide range of variations. For example, nearly 2.8% of the visitors to the National Health Service website looked at the privacy notice, perhaps reflecting the importance of health information. (Though the highest figure was 3.7% for the British Council website). This compares to the Office for National Statistics where a miserly 0.01% of visitors bothered to look at the privacy notice.
This does mean a considerable number of visits to the privacy notices of at least some organisations. For example, over the 12-month measurement period, there were 1.2 million hits for the NHS notice and 0.28 million hits to the British Council notice (albeit only 657 hits on the ONS privacy notice).
The average dwell-time for those visits is, however, very short at 48 seconds. This figure is also subject to significant variations. The average time spent on the HMRC’s privacy notice was nearly three minutes which would allow the committed reader to get through 14% of the privacy notice. This compares with the Information Commissioner’s website where the dwell time was a mere 28 seconds, which would only allow the visitor to get through 0.3% of the privacy notice (though this is mainly a product of the length of the notice).
In practice, the actual time spent reading these notices will be much shorter. Most visitors will not have spent that whole time on that page reading the notice. Some may have simply left the browser tab open and unread in the background.
Our review also looked at the underlying privacy notice. It found that:
The word count is distorted by the immense NHS privacy notice (55,700 words) and the no less impressive privacy notice from the Information Commissioner (22,000 words). Removing these outliers reduces the average to a still lengthy 3,700 words.
To put the readability score of 13 in context, these notices were about as easy to read as Stephen Hawkings’, A Brief History of Time. One notable exception is the BBC’s privacy notice which achieved the best score of 7.6. This is roughly equivalent to the Harry Potter series, though the BBC’s notice has a less compelling narrative. (The readability score for this article is an impressive 9.7.)
The lack of engagement reflects wider experience
The data for our study come from a small sample and we do not know the exact means the relevant public authorities generated the statistics. The figures also only come from the UK public sector. They do not necessarily reflect the position of private companies or organisations in the EU.
Having said that, the figures are not a complete surprise and match the authors’ anecdotal experience. They are also consistent with legal easter eggs, court decisions and academic studies in relation to both privacy notices and online T&Cs. For example, the lack of appetite to actual read T&Cs is shown by:
The English courts recognise this problem. In Parker-Grennan v Camelot [2024] EWCA Civ 185 the Court of Appeal said bringing T&C’s to consumers is “one big dilemma”.
It is difficult to do this “without testing [the consumer’s] patience so much that they decide to take their custom elsewhere…?”. Put differently, the Court asked itself “Is it ever going to be possible to overcome the fact of life that most people (dare I say it, even lawyers) will not bother to read the "small print"…?”. Its conclusion was that a trader “cannot force someone to read the terms and conditions if they cannot be troubled to do so. The trader only needs to take reasonable steps to bring the terms and conditions to their attention”, such as by providing a hyperlink to the terms.
These echo the findings of the first instance decision in Experian v Information Commissioner [2023] UKFTT 00132 on the transparency requirements under the UK GDPR. That concluded that transparency is “central to the GDPR” but that “research data … shows that actually most people do not care about what happens to their data”. On appeal, the Upper Tribunal confirmed that the “data subjects’ lack of engagement with the [privacy notice] does not indicate that it was inaccessible” and was instead because “most people did not access / read privacy policies” (Information Commissioner v Experian [2024] UKUT 105).
Wider academic studies also suggest very limited consumer appetite for this information. For example, the “research data” referred to in the Experian judgment is a study in which users were shown a privacy notice and terms of services as part of the sign-up process for a fictitious new social media service. The users spent 73 seconds reading the privacy notice and 51 seconds on the terms and conditions (whereas reading them properly would take around 30 and 15 minutes respectively).[1]
The key problem is the length and complexity of privacy notices. The notices we looked at were, on average, 7,400 words long.
This is consistent with a recent study by NordVPN that suggests the average length of the privacy notices in the US was 6,900 words. Given the average user visits around 96 websites a month, those users would need to devote 50 hours a month to properly read those notices.[2]
We also looked at the privacy notices of some of the larger technology companies.[3] Their privacy notices were, on average, 27,000 words long and had a Flesch- Kincaid Score of 12. To put that in context, Stephen Hawkings’ A Brief History of Time has a similar readability score and runs to 57,695 words.
These are no longer privacy “notices” but instead privacy “books”.
Why is this happening? One reason is that privacy notices are now an important actor in the privacy “compliance theatre”. The UK GDPR is based on a set of general principles, but the Information Commissioner is expected to apply those principles specific harms, such as underage use of social media services, overly targeted advertising or online disinformation.
It is not always straightforward to map those specific harms onto the general principles of the UK GDPR. Some of this might come from a technical failure to establish a legal basis or similar, but increasingly in the UK (and elsewhere) this is dealt with a transparency failing. In other words, a sanction is applied not because that harm is specifically addressed in the UK GDPR but on the basis that the relevant processing is not adequately or clearly described in the controller’s privacy notice.
This has led to UK and EU data protection authorities issuing a series of fines (partly) based on an alleged failure to comply with Article 13, UK GDPR. For example by not including: (a) a full list of clearly articulated categories, and named recipients, of personal data shared with third parties; (b) specific jurisdictions, either within or beyond the EEA, to which personal data would be transferred; or (c) a full description of exactly what information is retained, why, and for how long.
Failure to provide this information is said to prevent consumers “making informed decisions about whether to provide personal data to” the controllers. It is, however, hard to reconcile that with the practical realities of consumer behaviour. Regardless of the content of that privacy notice, it is highly unlikely this level of detail would ever be read by anyone. The idea that this extra information would influence consumer decision making is fanciful.
In practical terms, the approach of regulators just incentivises controllers to produce longer and longer, and more and more complex, privacy notices. This is not because of any genuine consumer demand for greater detail as to the exact processing operations conducted but instead as a defensive measure should there be any enforcement action.
The only plausible benefit is that some privacy notices now also operate as a form of “externalised RoPA” (record of processing activities). While consumers have little interest in their contents, privacy activists do follow the privacy notices of large technology companies carefully and there have been numerous cases in which changes (or proposed changes) have triggered complaints and regulatory investigations. If this is now the true purpose of these notices, it is a long way removed from their origins in Articles 13 and 14 of the UK GDPR, and is a phenomenon that has very limited application to the vast majority of businesses in the UK.
These figures demonstrate the challenges raised by the GDPR. How can you encourage people to actually read your meticulously researched and carefully-crafted privacy notice?
The data shows visitors spend, on average, 48 seconds reviewing these privacy notices. That gives you a “budget” of around 200 words to get the key messages across (at average reading speed). However, the privacy notices we reviewed currently average over 7,400 words.
So how do you square the circle?
For regulators, this should trigger a period for reflection. The current “compliance theatre” is simply creating longer and longer privacy notices, that are less and less useful for data subjects.
The table here contains the data supporting our study.
A longer version of this article addressing developments in both the UK and the EU will appear in Volume 5, Issue 4 (2024) of the Global Privacy Law Review.
[1] The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services Information, Communication & Society, pp. 1-20, 2018. Obar & Oeldorf-Hirsch.
[2] Nine hours to read the privacy policies of the 20 most visited websites in the US, NordVPN, 23 October 2023.
[3] Alphabet, Amazon, Apple, Meta and Microsoft.
26 September 2024
Up next