Users, Enterprises Pay for Poor Privacy Policies, Study Says

Research paper seeks to quantify loss of time spent reading confusing, overwritten privacy policies

Tim Wilson, Editor in Chief, Dark Reading, Contributor

October 7, 2008

4 Min Read

Poorly written and complicated privacy policies are driving users to make bad decisions online and could eventually threaten the practice of self-regulation of privacy on the Internet, according to a new research report.

In a paper about trends in privacy policies, Carnegie Mellon University researchers Aleecia McDonald and Lorrie Faith Cranor attempt to quantify the problems of current practices by measuring the time required to read and understand today's disparate, lengthy, and complex Website privacy rules.

"Privacy policies are hard to read, read infrequently, and do not support rational decision making," the paper says. Corporations and other site operators need to make it easier for users to recognize and understand the privacy risks associated with using a particular site -- or government may eventually intervene on the user's behalf, it states.

The researchers assert that, for most users, the time cost associated with reading and understanding privacy policies outweighs the benefit of keeping their data safe. As a result, users typically skip the privacy policy when they visit a new Website, sometimes endangering their own personal information.

To prove their point, the researchers attempt to measure the cost of reading privacy policies by calculating the time it takes to read them. "First, we used a list of the 75 most popular Websites and assumed an average reading rate of 250 words per minute to find an average reading time of 10 minutes per policy," the study says. The researchers also did a 93-person study to find out how long it would take to simply skim the policies, coming up with an average time of about six minutes per policy.

The paper then multiplies that time by the number of sites visited by the average user during the course of a year: between 119 and 2,220, according to Nielsen/NetRatings. Using this data, the researchers estimate that it would take users anywhere from 16 to 444 hours a year to read all of the privacy policies they visit, or between 6 and 215 hours a year to skim them.

Then the study multiplies that figure by the cost of the user's time -- about $4.50 an hour for leisure time (roughly one quarter of paid time at work), and $35.86 per hour for work time (twice the average hourly wage, a measure of salary plus overhead).

Using those figures, the study estimates that reading the full privacy policy of every site they visit would cost users anywhere from $71 to almost $7,000 per year, with a midpoint of about $3,000. Multiplied across all of the Internet users in the U.S., the study estimates that the nationwide cost of reading privacy policies is on the order of $365 billion per year.

While the numbers might seem contrived, the researchers use them to prove a point: Privacy policies are too long and complex to be of real value as a means of user education. And rather than read all those policies, many privacy-conscious users may simply opt not to participate in many Web-based commerce initiatives, including targeted online advertising.

"Given that Web users also place some value on their privacy on top of the time it takes to read policies, this suggests that under the current self-regulation framework, targeted online advertising may have negative social utility," the report states.

If Web-based services are to work under the current regulatory model, enterprises must find ways to make their privacy policies much easier to understand, the report suggests. For example, enterprises may want to lay out their policies in layers that provide incrementally more detail, the researchers suggest.

If users don't read the privacy policies of the sites they visit and subsequently feel that their privacy was violated, they will soon begin complaining to legislators that the system doesn't work, the paper suggests. And if that happens, legislators may soon want to change the current, self-regulated approach to Internet privacy.

"Some corporations take the view that their users should read privacy policies," the paper says. "And if they fail to do so, it is evidence of a lack of concern about privacy. Instead, we counter that Websites need to do a better job of conveying their practices in usable ways, which includes reducing the time it takes to read policies.

"If corporations cannot do so, regulation may be necessary to provide basic privacy protections," the researchers conclude.


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cybersecurity journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
