With privacy breaches on the rise, there is a growing clamour for regulators to step in with a ratings-like system for apps and enhance the way privacy policies are presented to the user.
A report titled “Behavioural experiments in data privacy” by Omidyar Network and Centre for Social and Behaviour Change (CSBC), Ashoka University, highlights issues relating to behavioural aspects between the consumer and the technology provider, and how they impact data privacy.
Complex legal jargon
The issues assume significance considering that India is set to come up with the Personal Data Protection Law. “Users would like to protect themselves but falter at the decision making point, lured in by the instant gratification of access to services or apps,” said Shilpa Kumar, Partner, Omidyar Network. Also, in countries like India, which are not English-speaking by default, the terms and conditions are drafted in a complicated manner and in a language that is not native to many millions. India has around 600 million internet users and another 700 million are expected to adopt the internet, going forward.
Data Protection Law will be finalised soon, says Ravi Shankar Prasad
“Privacy statements are several pages long and full of complex legal jargon that prevents users from reading and understanding the policy. This intent-action gap, along with myopia or present bias exhibited by users, is a challenge,” said Pooja Haldea, Senior Advisor, from Ashoka University.
It is here that the authors advocate that a ratings-like system that is overseen by the regulators would come in handy. “So, ratings could be given on the amount of information that the app collects or what information will be used and how, and on the transparency of the privacy policy,” said Kumar.
Users, on their part, prefer instant access to an app as the harm from unmindful data sharing is in the future and is not tangible at present.
No easy fixes
It is hard for users to make decisions in their best interest. Their privacy-related behaviour is subject to biases that are hard to overcome, like the high cognitive load they experience while going through the long and jargon-filled privacy policy statement, the report said. For instance, improving comprehension or handing greater control to users seems to have limited impact on driving privacy-conscious behaviours.
“Users can be nudged, but there aren’t any easy fixes,” said Kumar.
“We found that some of our interventions impacted trust of the users and thus their data sharing while others moved the needle on time spent or understanding of the policy,” said Haldea. In some cases, data sharing reduced when privacy concerns were made salient. In its current form, comprehension of standard privacy policy is low, the report said.
Even when results showed a significant increase in time spent on the privacy policy page, it was not accompanied by an increase in comprehension of the policy terms. In India, users’ comprehension is surprisingly resilient to soft nudges; this is seen across multiple interventions, stated Kumar. Also, businesses need a regulatory push to adopt better privacy practices.
Further, data sharing can be increased by increasing trust, which is lacking at present, said Kumar. Haldea added that data sharing can be reduced by making privacy concerns salient, the easiest way is to show ‘how data is being used’.