Can You Pay For Privacy? Consumer Expectations and the Behavior of Free and Paid Apps

40 Pages Posted: 19 Oct 2019 Last revised: 20 Jul 2020

See all articles by Kenneth A. Bamberger

Kenneth A. Bamberger

University of California, Berkeley - School of Law

Serge Egelman

International Computer Science Institute (ICSI); University of California, Berkeley - Department of Electrical Engineering & Computer Sciences (EECS)

Catherine Han

University of California, Berkeley, Students

Amit Elazari

University of California, Berkeley - School of Information

Irwin Reyes

University of California, Berkeley

Date Written: October 4, 2019

Abstract

“Paid” digital services have been touted as straightforward alternatives to the ostensibly “free” model, in which users actually face a high price in the form of personal data, with limited awareness of the real cost incurred and little ability to manage their privacy preferences. Yet, the actual privacy behavior of paid services, and consumer expectations about that behavior, remain largely unknown.

This Article addresses that gap. It presents empirical data both comparing the true cost of “paid” services as compared to their so-called “free” counterparts, and documenting consumer expectations about the relative behaviors of each.

We first present an empirical study that documents and compares the privacy behaviors of 5,877 Android apps that are offered both as free and paid versions. The sophisticated analysis tool we employed, AppCensus, allowed us to detect exactly which sensitive user data is accessed by each app and with whom it is shared. Our results show that paid apps often share the same implementation characteristics and resulting behaviors as their free counterparts. Thus, if users opt to pay for apps to avoid privacy costs, in many instances they do not receive the benefit of the bargain. Worse, we find that there are no obvious cues that consumers can use to determine when the paid version of a free app offers better privacy protections than its free counterpart.

We complement this data with a second study: we surveyed 1,000 Android mobile app users as to their perceptions of the privacy behaviors of paid and free app versions. Participants indicated that consumers are more likely to expect the paid version to engage in privacy-protective practices, to demonstrate transparency with regard to its data collection and sharing behaviors, and to offer more granular control over the collection of user data in that context.

Together, these studies identify ways in which the actual behavior of apps fails to comport with users’ expectations, and the way that representations of an app as “paid” or “ad-free” can mislead users. They also raise questions about the salience of those expectations for consumer choices.

In light of this combined research, we then explore three sets of ramifications for policy and practice.

First, our findings that paid services often conduct equally extensive levels of data collection and sale as free ones challenge understandings about how the “pay for privacy” model operates in practice, its promise as a privacy-protective alternative, and the legality of paid app behavior.

Second, our findings offer important insights for legal approaches to privacy protection, undermining the legitimacy of legal regimes relying on fictive “notice” and “consent” that do not reflect user understandings as bases for the collection, sale, and processing of information. They fortify demands for a privacy law that focuses on vindicating actual consumer expectations and prohibiting practices that exploit them, and strengthen the argument for ex ante regulation of exploitative data practices where consumers are offered no opportunity for meaningful choice or consent.

Third, our work provides technical tools for offering transparency about app behaviors, empowering consumers and regulators, law enforcement, consumer protections organizations, and private parties seeking to remedy undesirable or illegal privacy behavior in the most dominant example of a free vs. paid market—mobile apps—where there turns out to be no real privacy-protective option.

Keywords: privacy, consumer expectations, pay for privacy, data flows, dynamic analysis, mobile apps, free, paid, consent, policy, empirical

JEL Classification: C83, K12, K20, K42

Suggested Citation

Bamberger, Kenneth A. and Egelman, Serge and Han, Catherine and Elazari, Amit and Reyes, Irwin, Can You Pay For Privacy? Consumer Expectations and the Behavior of Free and Paid Apps (October 4, 2019). 35 Berkeley Technology Law Journal 327 (2020), Available at SSRN: https://ssrn.com/abstract=3464667

Kenneth A. Bamberger (Contact Author)

University of California, Berkeley - School of Law ( email )

Boalt Hall NA446
Berkeley, CA 94720-7200
United States
(510) 643-6218 (Phone)

HOME PAGE: http://www.law.berkeley.edu/faculty/profiles/facultyProfile.php?facID=5701

Serge Egelman

International Computer Science Institute (ICSI) ( email )

Berkeley, CA
United States

University of California, Berkeley - Department of Electrical Engineering & Computer Sciences (EECS) ( email )

Berkeley, CA 94720-1712
United States

Catherine Han

University of California, Berkeley, Students ( email )

525 F. Haas School of Business
Berkeley, CA
United States

Amit Elazari

University of California, Berkeley - School of Information ( email )

102 South Hall
Berkeley, CA 94720-4600
United States

HOME PAGE: http://www.amitelazari.com

Irwin Reyes

University of California, Berkeley ( email )

310 Barrows Hall
Berkeley, CA 94720
United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Downloads
374
Abstract Views
2,061
rank
86,635
PlumX Metrics