Does anyone read privacy notices? The facts

Privacy notices are one of the great unresolved paradoxes of data protection law. On the one hand, telling people how you are going to use their information is a fundamental requirement of data protection law. On the other, very few people read privacy notices.

Worse, privacy notices have historically been used to undermine privacy. People have been asked to “consent” to those notices and thus agree to their information being used in ways they are not really aware of, nor have had any real choice over.

This will all change with the General Data Protection Regulation. It will, rightly, stop consent from being abused. However, it will also require privacy notices to be much longer and much more detailed. If people don’t read short privacy notices, are they really likely to read long ones?


The data – Do people look at privacy policies?

We thought it would be useful to carry out a quantitative assessment of this problem. We made freedom of information requests to a range of public bodies in the UK to find out how often people review their website privacy notices. The responses are set out below.

This table sets out the number of users and the number of hits on the privacy policies of the public bodies set out below. The figures are mostly for 2017.

Public authority              Total hits     Total visitors   Privacy policy hits (% of total)   Privacy policy visitors (% of total)
The British Library           67,523,696     15,510,135       0.002% (1,235)                     0.007% (1,057)
Financial Ombudsman Service   19,556,087     7,005,109        0.005% (995)                       0.011% (794)
NHS England                   20,309,376     15,276,306       0.022% (4,512)                     0.026% (4,002)
Channel 4                     470,526,614    74,038,644       0.008% (35,769)                    0.040% (29,605)
University of Manchester      47,139,504     8,039,592        0.009% (4,038)                     0.040% (3,280)
Natural History Museum        9,229,333      6,857,365        0.056% (5,126)                     0.068% (4,696)
Financial Conduct Authority   26,073,232     5,191,631        0.024% (6,326)                     0.105% (5,476)
Information Commissioner      8,533,286      4,617,543        Not available                      0.454% (20,984)
British Council               Not available  2,600,000        Not available                      0.962% (25,000)
Bank of England               20,477,196     5,532,706        0.023% (4,803)                     Not available

The data supports the view that few people read privacy policies. For example, 74 million people visited Channel 4’s website last year but only one in every 2,500 bothered to look at the privacy notice. Worse is the British Library, where only one in 14,000 looked at their privacy policy.

However, other public bodies have done better. The Information Commissioner managed to spark much greater interest with one in 200 visitors looking at her privacy policy. The British Council comes off best with nearly one in a hundred taking the time to visit the privacy notice.


The data – But do people actually read them?

It is one thing to visit a page with a privacy policy, but another to actually read that policy.

We also asked public authorities how long visitors spend looking at their privacy policies and compared it to the length of the privacy policy. The results are set out below. Estimated reading times are based on an average reading speed of 300 wpm.

Public authority              Length of privacy notice (words)   Est. reading time (s)   Actual length of visit (s)
Financial Ombudsman Service   154                                31                      36
Natural History Museum        216                                43                      43
NHS England                   797                                159                     61
Bank of England               1,291                              258                     71
The British Library           3,420                              684                     76
University of Manchester      1,576                              315                     79
Financial Conduct Authority   524                                105                     85
Information Commissioner      4,598                              920                     162
British Council               251                                70                      192
Channel 4                     3,915                              783                     n/a

Again, the data tends to support the view that few people read privacy policies, or at least few people read long privacy notices.

The British Library has a really helpful description of how it uses personal information, but it would take the average reader nearly ten minutes to read it properly and most visitors spend little over a minute. Similarly, the Bank of England’s policy would take over four minutes to read but, in practice, visitors spend only slightly more than a minute looking at it.

 

Does readability make a difference?

The data shows a range of outcomes. We wanted to know if the readability of the policy had an effect on these figures.

We therefore calculated the Flesch–Kincaid grade levels for each privacy policy. The results were generally good. For example, the British Library’s policy got a grade score of 8.4 (readable by a ten-year-old). However, some were more complex, with the British Council’s notice getting a grade score of 15 (readable by a college student). (If you are wondering, the grade score for this article is 9.2!)

However, we didn’t find that this significantly affected either the number of hits on the privacy policy or the time spent reading it.

 

How does this change under the General Data Protection Regulation?

These figures demonstrate the challenges raised by the GDPR. How can you encourage people to actually read your carefully-crafted privacy notice?

The data shows visitors spend, on average, 90 seconds reviewing these privacy policies. That gives you a “budget” of 450 words (at average reading speed). However, the privacy policies we reviewed currently average over 1,600 words. Based on our experience of drafting and reviewing GDPR-compliant privacy notices, we expect most new privacy policies will weigh in at between 4,000 and 5,000 words.

So how do you square the circle? We have set out some suggestions below based on our work in this area over the last year:

  • Make it fun! – Few people will read a dry-as-dust recitation of processing conditions, retention periods and the like drafted in dense legalese. Write the policy in simple English in a way that is useful and helpful. Use practical examples and links to tools to allow individuals to exercise their rights. Try and make the policy not just informative, but also entertaining (note: this is challenging)
  • Videos – Don’t just use text. Think about other ways to deliver the information to individuals such as recording a video, showing an animation or even creating a game
  • Very few people will want to read the whole thing – Even if your policy is clear and really well written (and entertaining), not every individual you deal with will want to read all of it. Structure the policy so they can rapidly access the information they want. This means trying to assess what those individuals will want from the policy. Do they want to object to direct marketing? Do they want to contact your data protection officer? Make this information more prominent and use other techniques such as jump links or concertinas, so people can find the information they want, fast
  • User testing – Check what actually works in practice. Consider carrying out user testing on your policy to find out if people find it useful. Can they find the information they want and, most of all, can they understand what it says? User testing is also a good way to justify some of the more difficult decisions about what to include in your policy
  • Get the data – Once you go live, get the data. How many customers are visiting the policy and which bits are they interacting with? Can you try alternatives and drive up your figures?

As much as anything, you need to fight the temptation to just treat this as a tick box exercise and create a policy that no one will look at or read. The events of the last weeks have shown that the General Data Protection Regulation is changing expectations, just as much as it is changing the law. Engagement with your customers is no longer an option.