Are consumers willing to sacrifice their privacy for convenience?
In Europe, the first data protection legislations appeared in the late 70s and the French Data Protection act entered into application in 1978. During the next 40 years, technologies have evolved dramatically, and so have privacy-related issues. As put by the French Data Protection Authority - the CNIL - the organization has already lived through three lives: In 1978, only the government had data bases and computers. Hence, the objective back then was to protect people against government computers. The 90s marked the beginning of the internet, during which tech companies and e-commerce emerged. Consumers then needed to be protected against private companies. Nowadays, the CNIL says that in addition it also needs to protect consumers against themselves, because consumers seem to be giving away their personal data everywhere.
But the situation is not all that simple. There seems to exist a “privacy paradox”.
In China, a survey (2018) by China Consumer Association showed that over 80% respondents said they had their data leaked, and received unsolicited sales pitches and advertisements. A report (2018) showed that 91 percent of Chinese mobile apps over – collected user data (location, contact lists, phone numbers).
According to the 2018 annual survey results from the Global Privacy Enforcement Network (GPEN), 33% of respondents reported “Low trust & confidence” for “Mobile, broadband, utility providers”, and an even more striking 60% “Low trust & confidence” for “Social messaging platforms”.
However, in reality, individuals seem to act in ways contradictory to the high Level of concern that they express verbally: While consumers claim to not trust social media, they do give away their personal data to social media. They do not read privacy policies, get annoyed by constant pop-ups that ask for consent, and some even go as far as to install tools so that they do not receive privacy notices. And while consumers say that they are afraid of data leaks, they use simple account passwords and some never even change passwords from site to site.
Before we blame consumers for their paradoxical behavior, though, we need to first ask ourselves a question: do consumers actually have a choice? Look at the connected world that we are in today: people are forced to give away their privacy in order to install apps, use free Wi-Fi, use websites, rent shared bicycles, etc. People cannot just stop using the internet: they need Google to make searches, social media to communicate, and various other apps to perform all kinds of functions in their daily lives. However, people are different from what they were some decades ago - now they resent giving away their personal data.
So perhaps, it is not a privacy paradox that we are talking about, but rather a disconnect between what companies are doing and the expectations of the individuals. It is not that people are ready to give up their privacy for convenience, but in many cases they have no other option. And the fact that there exists a lack of understanding and trust between consumers and companies can be a risk for companies. We are in an international and competitive digital world today, and the lack of trust could make it difficult for companies to retain customers in the future.
Then what can we do to solve this problem?
First, there needs to be regulation, because without rules that set limits, there are no limits. Those limits should be clear and need to be complied with.
Therefore the principles which form the basis of all Data Protection regulation systems should be applied, notably the following:
Fair collection of personal data for specified, explicit and legitimate purposes, using only personal data that is necessary for the purposes, providing individuals with practical mechanisms to opt-out from receiving unsolicited marketing, no unlimited retention of personal data, etc.
However, we also need to make sure that regulation does not overdo it, because if the rules are too complicated then companies are not in a position to follow them strictly. For example, practice shows that the GDPR can be too complex for some companies, and if companies cannot obey the rules, then no trust is being built.
Second, we should establish transparency and the right kind of communication with consumers. Inter alia this requires privacy notices to be user-friendly so that consumers can get a clear picture of what will be done with their personal data. At Bird & Bird, we do not only have a legal approach, we have a hands-on approach, and we take care that information provided to individuals should be also easy to access, clear and understandable, i.e. adapted to the public concerned. We explain to companies that this means showing consumers the information at the right place, during the right moment, with the right content, and using the right words.
Co-Head of International Data Protection Practice and the partner of Bird & Bird – Paris