Do consumers actually care about big company data policies?

Updated: Feb 22

Additional Contributors: William Thomas, Cristene Gonzales-Wertz, Martin Kienzle


The perpetual eavesdropper

In 2019 USA Today wrote "Is Facebook listening to me? Why those ads appear after you talk about things"(1), an exploration of how coincidental the timing and accuracy of digital advertising really is. The writer describes a time when his editor was having an oral conversation about a product. Minutes later, an ad appeared for that very product on his editor's Facebook feed. We’ve heard similar stories many times. No urban myth, this digital serendipity begs the questions: Are consumers being "listened to" by our digital devices? Exactly how is our behavior monitored on- and offline?

The demand for data

Are the big social platforms monitoring us? The answer is an emphatic “Yes, but…”not in the ways most consumers suspect. According to USA Today, Facebook collects “content, communications and other information, ‘including photographs, videos, accounts, hashtags, and groups we are connected to.’”

Digital giants like Google, Amazon, and Facebook just want to get to know us better. They create continuous pipelines of information to identify and target audiences with increasing effectiveness. Combined with other data, like card transaction details, this creates rich individual profiles. This is probably no revelation to our readers. Yet, the capabilities of these and other companies to engineer an audience down to an individual set of eyeballs can be mind-boggling. Or creepy. In our example, Facebook’s algorithm started with the person’s location, matched it to a Facebook friend, and looked for patterns across age, interests, demographics, location, past behaviors, and predilections, before selling and presenting an ad from one of several companies targeting these attributes. Facebook could also have used information from text and photos posted to pages and timelines to further personalize the experience. So while there was no person nor device listening in on that conversation, Facebook did fuse a mountain of historical and behavioral information with contextual data in near real time. To the humans in the story, it felt like the ad was delivered based on a thought or a conversation.

  • At this point there is a receding difference between the idea of an “audience” and a “target market.”

  • “Creepy” may actually be a valuable analytical frame with this fast change. We should consider our shivers of apprehension, unpleasant unease bordering on fear— for an event, or from a creepy person. There may be danger. To be fair, there may be an exciting newness as well.

  • It's not enough to grab our attention. The elements are in place to shape what our attention wants, to influence our cravings. This closes a loop: the platforms have deeper insight into our attention because they are helping define it in ways that serve their interests.

Going Up: Demand for consumer data will continue to climb. The competition to sell more ads drives these companies to gather as much data as possible. In turn, more data contributes to a more thorough understanding of consumer behavior, improving the algorithms that assess, experiment, and predict what will influence us. Even seemingly innocuous activities, such as the length of time consumers have lived in their house, or the length of time they’ve lingered over a digital photo, contribute to a more precise profile and more predictive algorithms. Each platform gathers data to support the continuous improvement of two things. The first is the capability to grab ever more of our attention, in essence, to keep us coming back for longer, more intimate sessions. The second is the proficiency for converting this time and intimacy into selling more ads and increasing their effectiveness.

  • The idea of running experiments implies getting data needed to test specific hypotheses. This experiment, however, is “feed the AI all the data you can and see what pops out.”

Higher accuracy + more effective ads equal a lower cost of sale/conversion- no surprise there. It makes little sense to advertise tires to those who do not have a car, especially when a marketer can analyze car owners for model, length of ownership, miles driven, and even average speed. Targeted advertising decreases the cost per conversion. Data helps this targeting by defining the audience, allowing compelling content, and presenting specific offers that will be resonant. As a rule thumb, more data means higher conversion rates.


Data-driven content and advertising can provide a more relevant and engaging experience for the consumer. NAI or Network Advertising Initiative is a group of advertisers that collect data from consumers online visits and attempts to “predict what ads might be the most interesting to them.”(2) Data collected is anonymized and enables advertisers to place relevant content in the path of the digital consumer. If a person recently read an article on antiques, for example, she may start to see recommendations and ads about antiques on other sites. Content that targets interests based on consumer attributes or behavior presents more meaningful and engaging content.

  • Is the claim that ads are interesting a euphemism for saying ads are likely to be effective? About 30% of Internet users use ad blockers. So much for much consumer interest in ads!

  • “Don’t make the mistake of thinking you’re Facebook’s customer, you’re not – you’re the product. Its customers are the advertisers.” - Bruce Schneier, Security Expert in 2010 (idea echoed by Zeynep Tufecki, Steve Wozniak, & Tim Cook as part of the iOS 8 release) This quotation is a reverberation of a concern about TV from 1973 by Carlota Fay Schoolman & Richard Serra in 1973, “Television Delivers People”

Sites and publications employ targeted ad revenue to fund free content. This benefit to consumers is often taken for granted. With ad revenue supporting operations, online visitors can get news, sports and just about any content from multiple perspectives without paying. Media outlets have long considered the trade-offs between subscriptions, ads, and sponsored content. In the digital realm, outlets like TheInformation focus on generating content that will attract subscribers. It’s significant to note that the founders of TheInformation made a decision to bootstrap the business from outset in order to shield editorial decisions from pressure to scale traffic, revenue, and profit.


These dynamics are rapidly extending beyond phones and laptops via connected homes, self-driving cars, digital medicine, and so forth. We foresee platform demand for personal data accelerating. This will serve ad sales and the creation of new services and experiences in our lives. The distance to the extremely personal experiences featured in “Minority Report” shrinks daily.

  • What are the economic dynamics of tracking? Search Engine DuckDuckGo doesn’t track users and is still profitable! A recent article suggests that high ad platform concentration leads to high ad costs. Less concentration market would lead to lower costs that could be passed on to consumers.

The clarion call for privacy regulations and corporate transparency


Most people are blissfully unaware or in denial of what and how data is collected, let alone how it’s used. More disturbing than this, however, is that fact that becoming aware doesn’t seem to help. We largely feel powerless - because we are. Designs for addiction and sociopolitical-work pressure to stay connected are all but impossible for the individual to resist. Since we can't (or choose not to) do it ourselves, there are calls for new laws and mandatory transparency of the methods used in collection. Adding fuel to this fire are the numerous high-profile data breaches. Since we can’t seem to resist data collection, perhaps our government and corporations will respond to our sensitivity towards the security of the data being collected.


Consumers drastically underestimate how much of their data is collected. According to Experian’s Global Identity & Fraud Report, “some estimates predict an excess of 79.5 zettabytes (or 79.5 billion terabytes) of [Digital Channels] generated data by 2025.”(3) Location services on phones, social media posts, web activity, credit/debit card transactions, etc. are a fraction of what some companies collect. Individual components may appear insignificant (“Who cares if I went to the gas station this morning?”) but the distance driven, the store visited, method of payment, who else was at the store each contribute to a more nuanced profile. Some of the collected data is unintentional but potentially harmful. For example, location data may reveal visits to a therapy clinic or an Alcoholics Anonymous meeting.

  • According to Pew Research, about half of Facebook users say they are not comfortable when the see how the platform categorizes them, and 27% maintain that the site’s classifications do not accurately represent them.

  • 79.5 billion terabytes translates to about 10 terabytes of information on every person on Earth.

  • Some data collection goes way beyond what many people consider acceptable. For instance, Amazon is being sued for recording children’s voices. A lawsuit seeking class-action status accuses Amazon of using its Alexa voice assistant to create “voiceprints for millions of children.”

Consumers think “bank vault” when security’s reality is more porous. Since volume data is voluminous and quite valuable, colocated data centers are heavily guarded against physical and digital threats. And yet, it’s still quite possible for a range of characters to gain access to it for nefarious purposes. According to Verizon’s 2020 Data Breach Investigations Report, 30% of breaches were a result of employees or contractors of the company that was compromised. The same report indicated that 58% of the breaches involved personal data, twice the percentage from 2019. (4) It’s a disturbing trend for the vaunted tech industry, all the more so because the potential consequences to a victim’s financial and personal security continue to grow. Our lives are becoming more digital, but the assurances are becoming less credible.

  • Yahoo - 3B users. Verizon shaved $350MM USD off the price to Yahoo when they discovered a breach during due diligence, including most of the personally identifiable information (PII) Yahoo collected from users.

  • Target - 110M customers. The CIO and CEO both resigned over this $162MM USD breach of credit and debit card numbers, and other PII. The hack was traced to a hole left by an HVAC vendor.

  • eBay –145M users. All of eBay’s users’ names, dates of birth, addresses, and encrypted passwords were exposed when hackers gained access.

  • Uber – 57 million Uber users and 600,000 drivers. A year late in acknowledging the hack, they also paid hackers to delete data and keep it quiet. The CISO was fired and $20B USD in value evaporated overnight.

  • Equifax – 143M users. Equifax found an “application vulnerability” presenting an identity thief’s paradise— from social security numbers, birth dates, addresses, and some drivers’ license numbers.

TMI: How much is too much? At some point the ability to convert massive amounts of data into audience and personal profiles feels “creepy.” The story of retailer Target learning of a girl’s pregnancy before her father has been widely circulated.(5) But the potential for “creepiness” now an everyday event. For example, if a visitor to a website who is looking for directions to a store is automatically presented with a satellite view of their own house, this may feel too intimate, too fast. Wondering how much the store knows about where she lives and how they use this information, the visitor begins to feel uneasy. Dispelling unease in the short term may as simple as showing how and why the site and its principals know this. Asking permission to use the visitor’s location or convincing her to type her address to set her home location provides a feeling of control. Having the manners to ask permission and asking for people to opt in are important to experience in the moment. Yet it’s not obvious what she may be trading away. Opting in is a nicety, but it’s not control over the data, how it will be used, and how it will be managed today and into the future. For that control, consumers will have to do the work. But before we get to that…


…a word about COVID-19. In 2020 and moving forward, personal privacy will need to find a new balance with public good and potentially governmental/regulatory access. Contact tracing is more effective the more information we provide over our health, location, and associations. We can expect a new normal, but what that is will depend on the trustworthiness of tech, big pharma, and government. Watch this space for updates as biological survival butts into digital debates.


Enter Regulation. And the courts. “…rules relating to the protection of natural persons with regard to the processing of personal data and … the free movement of personal data.” That’s what Europe’s 2018 General Data Protection Regulation (GDPR) promised.(6) The California Consumer Privacy Act (CCPA), also 2018, enables state residents to see “all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue if privacy guidelines are violated, even if there is no breach.”(7) Both laws enable individual access the mounds of personal information that companies aggregate. Looking ahead, the CCPA is generally considered to be a blueprint for the rest of the US - if not to the letter then with the bulk of its provisions. It also promises to be a boon to a cohort of young lawyers who will create reputations and personal wealth by enabling their clients to determine what all this really means in court.


Grass keeps growing: The data collection landscape won’t change for most us and it may not matter much. Compelling data concerns, security risks and privacy issues are unlikely to change consumer behavior. It’s just one more thing on life's long to-do list. Unease and legal remedies introduce friction into the shopping and buying experiences. Companies have spent billions to optimize for convenience, speed, and relevance. We like it, or at least have become used to it. Laws and transparency require action. Consider anti-smoking campaigns: “Save money,” “Live longer,” “Avoid cancer.” These benefits depend entirely on the smoker giving up cigarettes voluntarily. A similar addiction to the immediacy of capability and benefits will keep the data flowing. And the collectors employing a "dark pattern" of techniques to make it difficult to reflect and to change data collection.

  • Is data collection just an arms race paid for with consumer privacy and increased product costs? Perhaps advertising is a zero-sum game. It does not put more money into consumers’ pockets. It does shift spending between advertisers. The cost is added to products and services advertised.

  • Big data collectors tried to water down and delay GDPR and CCPA. Advertising groups tried to delay enforcement of the CCPA. Fines as high EURO 50M have been handed out for attempts to circumvent GDPR. After the Irish Data Protection Commission ordered the stop of data transfers to the US to comply with an EU court decision, Facebook is appealing the decision.

  • The resistance to privacy legislation is part of the process and will be with us for a long time.

  • The Nest ToS, privacy policy, and EULA add up to about 20,000 words that require a law degree to comprehend.

  • The great majority of these statements don’t give consumers a choice. It’s take it or leave it.

Corporate transparency makes information available. Does it allow a change in data collection and usage? Many companies respond to growing concerns and reputation risk over privacy by offering insight into how data is collected and used, an approach that also satisfies existing laws and regulations. However, offering this information and relying on consumers to take action are two different things. Accessing privacy settings is rarely straightforward. Links are typically buried in a submenu or at the bottom of the page in small print. Only those who are diligent and active succeed in managing their preferences.


The types of data, collection methods and usage patterns are overwhelming. Amazon’s privacy policy requires six pages to print out, excluding any information contained in links to their partners. One of these links, “Interest-Based Ads policy”, is quite important and will eventually lead to the NAI site.(8) The policy is clear, thoughtfully explained, and presumably complies with existing laws and regulations. However, the volume of information makes it unlikely that consumers will take the time to read the policy and/or exercise their options. And often one link leads to another link that leads to another link. The Internet architecture in which services build on each other makes it difficult to chase all of the details down. All it takes is one acquisition of an app for the picture to change.

  • NAI searches for advertising cookies that target consumers based on information collected (such as attributes and behaviors) and allows users to opt out.

  • In practice the opacity of the risk obscures their scope. Threats reach far beyond the inconvenience of advertising and the creepiness of uncanny intimacy. They can affect many aspects of our lives. Often, they are based on an accumulation of data from different sources and cannot be traced to a particular service. Consumers may never find out that they’ve been offered a higher premium for their life insurance, or that how their social media posts affected their loan rates. The more data that’s out there about people, the more inscrutable algorithms will impact their lives.

  • Perhaps it’s the data collectors that pose the risk. After all, advertising is only one use of the data. Once data has reached the big data swamp, it will be used for all kinds of purposes without traceability. Without accountability.

Ain’t nobody got time for that: Digital benefits are clear. The threats are unclear. Digital users are accustomed to seeing pop up windows outlining the terms and conditions of use. They do not appear to care. According to Business Insider and Deloitte (2017), “91% of people consent to legal terms and service conditions without reading them. For younger people, ages 18-34 the rate is even higher with 97% agreeing to conditions before reading.”(9) It is easy to understand why a “laissez-faré” attitude exists within digital. The terms and conditions are usually presented as an interruption to the experience. Most require long scrolling of difficult-to-understand legal language culminating in an all-or-nothing choice: Agree and Continue or Disagree and Stop.


Business Week continues, “consumers are willing to accept that the worst most companies will do is sell their name and email to a third party that wants to advertise to them.” The perception is that the threat does not outweigh the benefit of continuing. Add to this that the likelihood of having to accept terms and conditions for each new site, and the process is too tedious and confusing to invest effort in the privacy of data.


Summary


Consumer behavior and attributes that target people or audiences with personalized content have increased the probability of a conversion, of a rapid, profitable sales of some kind. In support of this, the amount of data collected from digital activity is unimaginably large – like distance between planets kinds of large. In many cases this has clear benefits to both the consumer and the advertiser. However, this can be perceived as “creepy” when this data is used to socially engineer an experience that crosses privacy and intimacy boundaries. Add this to the numerous high-profile data breaches, and it equals governments placing new laws on the books designed to give the consumer more control of the data collected by digital modes.


However, this construct places the onus largely on the consumer to protect their own privacy. This “protection” is far from simple. It requires navigating through pages of legal terms and conditions, understanding the benefits and risks, and agreeing to them. Over 90% of digital users waive their rights by not reading the terms and conditions prior to engaging with these sites because they don’t perceive a threat. Consumers downplay the risk as “that the worst most companies will do is sell their name and email to a third party that wants to advertise to them.”

  • The terms and conditions are prohibitively long

  • The “legalese” is too broad and difficult to understand

  • Ambiguous text shows “this site uses cookies – Accept?” or is buried within a formidable block of text within a pop-up

  • Consumers do not effectively understand the scope of how data is used by advertisers nor their respective rights

Recommendations: What’s the Answer?


While well-intentioned laws and market-driven transparency are a step in the right direction, access and delivery of this information is fundamentally flawed. In the end, advertisers do little to simplify and streamline that would lead to better consumer engagement with their privacy risks. An argument can be made that advertisers use this format intentionally to dissuade consumers from reading and exercising their rights. Regardless, if the goal is for consumers to understand and effectively manage how their data is collected and used, we must do better. But how?


Simplify! – Advertisers need to reduce their current broad, monolithic terms and conditions into a digestible format. To be clear, consumers need access to all the privacy information, but certain components have a greater impact than others. The effect on a consumer is less when their purchase history is being provided to improve site performance than when their data is provided to another advertiser who will use it to market their own products. The most consequential information should be available without hunting through pages of copy.


Write it for an 8 year old! – Legal terms and conditions do not have to written in such a way that only attorneys understand. Use common language and examples. Consider including a “What this means to you” section so that consumers are effectively informed about how their information will be used.


Privacy terms and conditions are buried in greater legal copy that may require multiple pages to scroll through and locate.

Let Me Decide! – Scrolling to the bottom and clicking the “accept” (Terms and Conditions) button is the fastest way to continue to the site. It’s no coincidence that this experience design choice is also an efficient way to waive privacy rights. This experience is incompatible with the goal of effectively managing consumer privacy. Consumers and advertisers both share responsibility here. Consumers neither want to be burdened with reading lengthy copy nor delayed when engaging with a website. To satisfy this immediacy, advertisers created the shortest compliant route to their content i.e. “This site uses cookies – Accept?” As a result, consumers quickly agree to all the advertisers’ terms and conditions – including waiving their personal privacy rights - with the click of a single button. This is less simplification than obfuscation.


This example shows that the Information about consumer privacy is located about halfway down these terms and conditions - see the red square. (Document is eight 8.5”x11” pages to print)


An alternative would be to enable consumers to opt out of personal information sharing through appropriate opt-outs on the terms and conditions. This streamlined method of transparency and available actions address some of these privacy issues.


Consider this: Rather than being presented with Terms and Conditions and a universal “accept” button, a small window opens that presents those policies that are likely the biggest source of anxiety about personal information. It provides links to the specific policies and an opt-out option. Lastly, it offers access to the Terms and Conditions and the full privacy policy.


Governments and companies have taken meaningful steps toward transparency but until this aligns with the demands and behavior of the user, consumers will trade their privacy rights for expediency at their peril. Consequently, new digital privacy laws and corporate transparency will not greatly affect consumers’ actions regarding data collection and usage.


Citations

  1. Graham, Jefferson, “Is Facebook listening to me? Why those ads appear after you talk about things,” USA Today. June 27, 2019 “ Web Link

  2. NAI National Advertising Initiative “Understanding Online Advertising” Web Link

  3. Experian’s Global Identity & Fraud Report: “Exploring the links between recognition, convenience, trust and fraud risk” January 2018: Web Link

  4. Verizon “2020 Data Breach Investigations Report – Executive Summary” Web Link

  5. Hill, Kashmir. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did” Forbes. February 16, 2012 Web Link

  6. General Data Protection Regulation Web Link

  7. Korolov, Maria. “California Consumer Privacy Act (CCPA): What you need to know to be compliantCSO/IDG Communications. July 7, 2020: Web Link

  8. Amazon Privacy Policy, January 1, 2020 Web Link

  9. Cakebread, Caroline. “You’re not alone, no one reads terms of service agreements” Business Insider. November 15, 2017 Web Link