Can You Pay For Privacy? Consumer Expectations and the Behavior of Free and Paid Apps

“Paid” digital services have been touted as straightforward alternatives to the ostensibly “free” model, in which users actually face a high price in the form of personal data, with limited awareness of the real cost incurred and little ability to manage their privacy preferences. Yet, the actual privacy behavior of paid services, and consumer expectations about that behavior, remain largely unknown.

This Article addresses that gap. It presents empirical data both comparing the true cost of “paid” services as compared to their so-called “free” counterparts, and documenting consumer expectations about the relative behaviors of each.

We first present an empirical study that documents and compares the privacy behaviors of 5,877 Android apps that are offered both as free and paid versions. The sophisticated analysis tool we employed, AppCensus, allowed us to detect exactly which sensitive user data is accessed by each app and with whom it is shared. Our results show that paid apps often share the same implementation characteristics and resulting behaviors as their free counterparts. Thus, if users opt to pay for apps to avoid privacy costs, in many instances they do not receive the benefit of the bargain. Worse, we find that there are no obvious cues that consumers can use to determine when the paid version of a free app offers better privacy protections than its free counterpart.

We complement this data with a second study: we surveyed 1,000 Android mobile app users as to their perceptions of the privacy behaviors of paid and free app versions. Participants indicated that consumers are more likely to expect the paid version to engage in privacy-protective practices, to demonstrate transparency with regard to its data collection and sharing behaviors, and to offer more granular control over the collection of user data in that context.

Together, these studies identify ways in which the actual behavior of apps fails to comport with users’ expectations, and the way that representations of an app as “paid” or “ad-free” can mislead users. They also raise questions about the salience of those expectations for consumer choices.

In light of this combined research, we then explore three sets of ramifications for policy and practice.

First, our findings that paid services often conduct equally extensive levels of data collection and sale as free ones challenge understandings about how the “pay for privacy” model operates in practice, its promise as a privacy-protective alternative, and the legality of paid app behavior.

Second, our findings offer important insights for legal approaches to privacy protection, undermining the legitimacy of legal regimes relying on fictive “notice” and “consent” that do not reflect user understandings as bases for the collection, sale, and processing of information. They fortify demands for a privacy law that focuses on vindicating actual consumer expectations and prohibiting practices that exploit them, and strengthen the argument for ex ante regulation of exploitative data practices where consumers are offered no opportunity for meaningful choice or consent.

Third, our work provides technical tools for offering transparency about app behaviors, empowering consumers and regulators, law enforcement, consumer protections organizations, and private parties seeking to remedy undesirable or illegal privacy behavior in the most dominant example of a free vs. paid market—mobile apps—where there turns out to be no real privacy-protective option.

Keywords: privacy, consumer expectations, pay for privacy, data flows, dynamic analysis, mobile apps, free, paid, consent, policy, empirical

JEL Classification: C83, K12, K20, K42

Suggested Citation: Suggested Citation

Bamberger, Kenneth A. and Egelman, Serge and Egelman, Serge and Han, Catherine and Elazari, Amit and Reyes, Irwin, Can You Pay For Privacy? Consumer Expectations and the Behavior of Free and Paid Apps (October 4, 2019). 35 Berkeley Technology Law Journal 327 (2020), Available at SSRN: https://ssrn.com/abstract=3464667