Three Common Privacy Misconceptions That Companies Love
A significant number of Americans hold significant misconceptions about their privacy, according to opinion research 鈥 misconceptions that privacy-invading companies love. That鈥檚 according to research on American understandings of privacy carried out over the past couple decades by the Annenberg School for Communication at the University of Pennsylvania, lead by Prof. Joseph Turow, whom I recently heard give a summarizing these studies.
Misconception #1: "We care about your privacy!"
One misconception is that when a web site has a 鈥減rivacy policy,鈥 that actually means the site has a policy to protect your privacy. Annenberg presented respondents with the false statement that 鈥淲hen a web site has a privacy policy, it means the site will not share my information with other websites or companies without my permission.鈥 In 2018, nearly 60 percent of Americans either said they believed this was true, or that they did not know. In the percentage of those surveyed giving incorrect answers was as high as 78 percent.
Unfortunately, nothing could be further from the truth. Most 鈥減rivacy鈥 polices start by declaring, 鈥淲e care about your privacy!鈥 and then go on to say, in extremely long and complicated legal language, that you have no privacy. Lawyers write these policies to minimize the presence of any actual concrete promises that might limit what a company does. Because the United States doesn鈥檛 yet have a baseline privacy law, the only thing protecting our privacy in most commercial contexts is a prohibition on 鈥渁cts or practices that are unfair or deceptive.鈥 That prohibition was in 1914 鈥 just slightly before the advent of today鈥檚 online advertising surveillance systems. What that means is that (outside of a few narrow areas that are regulated such as credit reporting) a company can do whatever it wants with your personal information. The only thing it generally cannot do under federal law is say it鈥檚 going to do one thing and then do another, which would count as 鈥渦nfair or deceptive,鈥 and leave a company vulnerable to enforcement by the Federal Trade Commission.
Turow says that 鈥渕arketers know鈥 about this misconception and benefit from the confusion and the misplaced consumer trust it creates. Turow suggests that 鈥減rivacy policy鈥 is 鈥渁 deceptive term鈥 and that 鈥渢he FTC should require a change in the label.鈥 鈥淗ow We Use Your Data鈥 would be more accurate.
Misconception #2: What is unfair is also illegal.
A second misconception that many Americans hold is that the law protects them more than it does. For example, in 2015, 62 percent of Americans didn鈥檛 know that it is completely legal for an online store to 鈥渃harge different prices to different people at the same time of day鈥; in 2012, 76 percent did not know that 鈥渙nline marketers are allowed to share information about diseases you or your family members have鈥; and in 2018, 46 percent did not know that an 鈥渋nternet provider has a legal right to sell information to marketers about the websites you visit.鈥 (We think they actually 诲辞苍鈥檛 have such a right under the Communications Act, which states that 鈥渆very telecommunications carrier has a duty to protect the confidentiality鈥 of personal information 鈥 but an attempt to craft detailed rules enforcing that law was killed by Congress and President Trump in 2017, and there鈥檚 no sign that such a right will be enforced by the federal government anytime soon.)
What鈥檚 going on here, Turow believes, is that people have fairly well-defined feelings about what kinds of behavior are fair and what are not 鈥 and they tend to think that things that are unfair are also illegal. They think, as he puts it, that the government has our backs much more than it actually does.
Annenberg鈥檚 polling confirms other in that people are deeply uncomfortable with the state of their privacy online. Two-thirds (66 percent) of adults, for example, told surveyors that they do not want advertisements 鈥渢ailored to their interests,鈥 and 91 percent disagreed with the statement that 鈥渋f companies give me a discount, it is a fair exchange for them to collect information about me without my knowing.鈥 Asked whether 鈥淚t鈥檚 okay if a store where I shop uses information it has about me to create a picture of me that improves the services they provide for me,鈥 55 percent disagreed.
These findings, Turow concludes, 鈥渞efute marketers鈥 insistence that Americans find increased personalized surveillance and targeting for commercial purposes acceptable.鈥
So why do people give up so much information? The problem is that they feel helpless. The surveys found that 58 percent of Americans agreed with the statement, 鈥淚 want to have control over what marketers can learn about me online鈥 鈥 but at the same time 63 percent also agreed, 鈥淚鈥檝e come to accept that I have little control over what marketers can learn about me online.鈥 Although marketers like to portray Americans as cheerfully accepting a tradeoff between their privacy and the benefits they gain, that鈥檚 what鈥檚 happening. As Turow told me, 鈥淭he bottom line for us is resignation. It鈥檚 not as if people want to give up their privacy, but in order to get through life they feel they have to, and they 诲辞苍鈥檛 feel like they have the ability to change things.鈥
Misconception #3: We've lost the privacy battle.
This, I would argue, is the third misconception: that the battle is lost and there鈥檚 nothing people can do about protecting their privacy. It鈥檚 true that there are good reasons why people feel that way 鈥 there鈥檚 only so much that an individual can do to protect their privacy, especially if they鈥檙e short on technical expertise or willingness to tolerate inconveniences in order to fight surveillance. It鈥檚 true that our privacy depends to a large extent not on individual decisions but on collective decisions we make as a nation about the policies we want to set. It鈥檚 also true that the companies that profit from surveillance are wealthy and politically powerful.
Nevertheless, the clouds are gathering for a major reckoning. The European Union has enacted a comprehensive privacy law called the General Data Protection Regulation (GDPR) that is forcing even many U.S.-centered businesses to improve their privacy practices. California, where one in eight Americans live, has also enacted a broad privacy law called the California Consumer Privacy Act (CCPA). And as these laws weaken the will of companies to oppose privacy protections, scandals such as the Cambridge Analytica fiasco have strengthened the desire of politicians across the political spectrum to support such rules. The result: For the first time in many years, members of both parties are reportedly working to draft and enact comprehensive privacy legislation.
There are major ahead, but, as I have argued, in the end people need 鈥 and always demand 鈥 privacy. Privacy-invading companies love it that people feel helpless, but now is the time for people to trade resignation for anger and activism, and voice that demand to ensure that any new privacy laws are strong and meaningful. The status quo is not stable, and the battle is just getting underway.