One Reason No One Reads Privacy Policies and How Changing the Incentives Might Make Privacy Policies More Readable

by Jeff Sovern

At the Privacy Law Scholars Conference at GWU, hosted jointly by GWU and Berkeley Law Schools, on June 12 and 13, I served as a discussion leader for a session titled "Death to Privacy Policies" about how few people read privacy policies, why that is, and what could be done about that. In that capacity, I presented a short talk, about three minutes. But of course I would have liked to talk longer about the subject, so I'm posting here what I would have said if I'd had, say, five minutes (plus I'm tossing in a few cites). Privacy policies are only a subset of the many documents consumers don't read, such as contracts with cell phone providers, credit card issuers and the like, and much of what I say here is just as applicable to such documents.

One reason privacy polices may fail to attract attention is that those providing them typically have little incentive to attract attention to them and little incentive to make them clear.For example, many financial institutions sell their customer lists; if bank customers notice the privacy policies that banks send them and ask the banks not to sell their information, the banks lose money.So the banks have an incentive to construct their privacy policies in such a way as to minimize the attention they draw.Here, for example, is an excerpt from a scintillating privacy policy from Cap One:

We may share the information described on Page 1 under “information we may collect” with companies in the Capital One family or with business partners such as financial service providers (including credit bureaus, mortgage bankers, securities broker-dealers and insurance agents); nonfinancial companies (including retailers, online and offline advertisers, membership list vendors, direct marketers, airlines and publishers); companies that perform marketing services on our behalf, or other financial institutions with which we have joint marketing agreements; and others, such as non-profit organizations and third parties that you direct us to share information about you.

And, not surprisingly, what data is publicly available suggest that few consumers have opted out.See Testimony of John C. Dugan, Partner at Covington and Burling on behalf of the Financial Services Coordinating Council, Before the U.S. Sen. Com. On Banking, Housing and Urban Affairs, Sept. 19, 2002 (“opt-out rates have generally been low, and in nearly all cases under 10 percent.”); W.A. Lee, Opt-Out Notices Give No One A Thrill, 166 American Banker Issue 131, at 1 (July 10, 2001) (“5% opt-out rate . . . has been circulating as the unofficial industry figure . . . .”); ACB Survey (60% of financial institutions report that less than one percent of customers opted out).We know that companies sometimes respond to the incentive to create forms consumers won’t read because in Ting v. AT &T, 319 F.3d 1126 (9th Cir.), cert denied, 540 U.S. 811 (2003), AT&T conducted extensive market research to discover what it could write that would cause consumers to ignore its customer service agreement—and then it went with the form that would cause consumers to throw its letter out.