Is Privacy Policy Language Irrelevant to Consumers?

29 Pages Posted: 14 Sep 2016 Last revised: 30 Sep 2016

Date Written: September 9, 2016

Abstract

Consumers almost never read privacy policies, but if they did read such policies closely how would they interpret them? This article reports the results of two experiments in which census-weighted samples of more than a thousand Americans read short excerpts from Facebook, Yahoo, and Google’s privacy policies concerning the use of facial recognition software and automated content analysis on emails. The question of what consumers have consented to under these policies has been central in recent high-stakes class action lawsuits. Experimental subjects were randomly assigned to read language from either the current policies, which explicitly describe Facebook, Yahoo, and Google’s controversial practices, or language from policies that were adjudicated to be insufficient to notify consumers about the companies’ practices. Despite evidence that many experimental subjects read these privacy policy excerpts closely, subjects who saw the explicit policy language and those who saw the ambiguous/vague policy language did not differ in their assessment of whether their assent to that language would allow Facebook, Yahoo, and Google to engage in the practices at issue. More surprisingly still, even though consumers rated both Facebook’s use of facial recognition software and Google and Yahoo’s use of automated content analysis as highly intrusive, they generally regarded their assent to even vague privacy policy language as allowing the companies to engage in those practices. Also, only a little more than a third of the participants expressed a willingness to pay any money to avoid automated content analysis of their emails. A replication study that included strong measures of participant attention confirmed the results from the first experiment and suggests that those reading the policies more carefully were not more likely to draw distinctions between them.

Our study shows that courts and laypeople can understand the same privacy policy language quite differently. Taken together, these results provide important evidence for the propositions that (1) social norms and user experiences with technological applications, not privacy policies, will drive users’ understanding of the nature of their bargain with firms, that (2) this is the case even when users read those policies reasonably carefully, that (3) most users of email and social networking sites believe that Facebook, Yahoo, and Google are authorized to engage in controversial and invasive practices implicating user privacy, and that (4) there is presently little reason to expect the development of a robust market for premium privacy-protective email and social networking applications in the United States.

Keywords: Privacy, Privacy Policies, Privacy Paradox, Experimental, Contracts, Standard-Form Contracts, Empirical, Google, Gmail, Yahoo, Facebook, Email, Facial Recognition, Biometric, Wiretap, Electronic Communications, Law & Psychology

Suggested Citation

Strahilevitz, Lior and Kugler, Matthew B., Is Privacy Policy Language Irrelevant to Consumers? (September 9, 2016). 45 Journal of Legal Studies, Forthcoming; University of Chicago Coase-Sandor Institute for Law & Economics Research Paper No. 776; Northwestern Law & Econ Research Paper No. 16-19. Available at SSRN: https://ssrn.com/abstract=2838449

Lior Strahilevitz (Contact Author)

University of Chicago Law School ( email )

1111 E. 60th St.
Chicago, IL 60637
United States
773-834-8665 (Phone)
773-702-0730 (Fax)

Matthew B. Kugler

Northwestern University - Pritzker School of Law ( email )

375 E. Chicago Ave
Chicago, IL 60611
United States

Paper statistics

Downloads
206
Rank
118,679
Abstract Views
1,191