January 17, 2022

Abstract

Our relationship with technology involves legal agreements that we either review or enter into when using a technology, namely privacy policies and terms of service or terms of use (“TOS/TOU”). We initiated this research to understand if providing a formal rating of the legal policies (privacy policies and TOS/TOUs) would be valuable to consumers (or “Me-s” in our parlance). From our early qualitative discussions, we noticed that people were unclear on whether these policies were legally binding contracts or not. Thus, a secondary objective emerged to quantitatively explore whether people knew who these policies protected (if anyone), and if the policies were perceived to be contracts with the provider of the digital technology (or “B”).

The purpose of a privacy policy is notification and disclosure, not protection.  Privacy policies are not designed to protect anyone, they’re designed to inform. The TOS/TOU, on the other hand, is an agreement relating to the use of the technology or service and is typically designed to protect the business. Do Me-s understand this?

We conducted ethnographic interviews with six participants living in the United States, during a two-week period from February to March 2021. We followed these interviews with a focus group session of five participants in July 2021 and an online survey of 566 individuals in August 2021. In these studies, we asked participants and survey respondents who they think the privacy policy and TOS/TOU protect and whether they perceived these policies to be enforceable contracts.

The following are the key findings from this research:

  • People don’t understand that the Terms of Service is a contract. 55% of survey participants did not understand that a TOS/TOU is a contract (based on only 45% saying it is one). This has significant legal implications. In particular, a key requirement for legally binding contracts is mutual assent, which means that both parties have a “meeting of the minds”1 and understand they’re entering into a contract. Our research makes clear that is not the case in Terms of Service agreements.2
  • Consumers are aware of the existence of legal policies on connected technologies. Focus group participants said that they know that legal policies exist for connected technologies and that they should read them, but that they largely ignore them in favor of getting to use the app or website as quickly as possible. The majority recognize cookie consent requests on websites and have some understanding that it relates to data privacy, but doesn’t necessarily connect them to a privacy policy. They are aware of TOS/TOU agreements when signing up for a service but often will accept the terms without reading them thoroughly.
  • People have a weak understanding of what the legal policies of digital technologies are or whom they protect. 66% of survey respondents say that privacy policies protect the business, while only 50% say they protect the consumer. The difference was starker for TOS/TOU, where 68% say they protect the business and only 35% say they protect the consumer. All interview participants say both documents are there largely to protect the digital technology company (the “B”) and to enforce “rules” around what a consumer can and cannot do with the technology.
  • None of the interview participants were aware of the existence of tools they can use to evaluate legal policies. They were aware of review sites that evaluate digital products from a consumer perspective, and some of the participants understood what a browser plugin was, and said they use them to block cookies, for example. They were not aware, specifically, of tools that help them understand privacy policies or TOU/TOS documents.
  • Half of the interview participants said that a score wouldn’t change their behavior. Even after we demonstrated rating tools such as TOS;DR and Privacy Badger, participants told us they did not expect to change their behavior, particularly if they were already using a particular digital service. Some said that seeing these ratings would potentially give them pause before using a new (to them) service.

As a result of this collection of research, the Me2B Alliance has decided not to pursue a formal legal policy audit service. Instead, we expect to evaluate and perhaps recommend existing services like Privacy Badger, TOS; DR, Mozilla’s “Privacy Not Included” program, and others.  We hope, however, that the findings in this research can help illuminate and eventually eliminate the pervasive asymmetry in Me2B relationships and be a concrete resource to lawyers supporting Me-s in legal cases relating to digital agreements. Please contact us at admin@internetsafetylabs.org if you’d like access to the quantitative data.

 

Open PDF

 

Footnotes:

  1. Mutual Assent. Legal Information Institute, Cornell Law School. Web. https://www.law.cornell.edu/wex/mutual_assent
  2. Note that the author of this report is not a lawyer. Additional legal research may be prudent.
  3. See “Flash Guide #2: What is the Me2B Respectful Tech Specification?”  https://internetsafetylabs.org/flash-guide-2-what-is-the-me2b-respectful-tech-specification/
  4. See “Flash Guide #8: Digital Me2B Commitments and Deals”, https://internetsafetylabs.org/flash-guide-8-digital-me2b-commitments-deals/
  5. See “Flash Guide #9: The 10 Attributes of Respectful Me2B Commitments”, https://internetsafetylabs.org/flash-guide-9-the-10-attributes-of-respectful-me2b-commitments/
  6. IEEE P7012 – Machine Readable Privacy Terms Working Group. Web. https://sagroups.ieee.org/7012/
  7. Privacy Badger. https://www.privacybadger.org
  8. Terms Of Service; Didn’t Read. https://www.tosdr.org
  9. McDonald, Aleesia M. and Tom Lowenthal. 2013. “Nano-Notice: Privacy Disclosure at a Mobile Scale.” Journal of Information Policy, Vol. 3 (2013), pp. 331-354 Penn State University Press. https://www.jstor.org/stable/10.5325/jinfopoli.3.2013.0331
  10. Matthew Kugler & Lior Strahilevitz, “Is Privacy policy Language Irrelevant to Consumers?,” 45 Journal of Legal Studies S69 (2016).
  11. Cisco. (2019). Consumer Privacy Survey. Cisco Cybersecurity Series 2019—Data Privacy. https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/cybersecurity-series-2019-cps.pdf
  12. Privacy and Security. Federal Trade Commission. Web. https://www.ftc.gov/tips-advice/business-center/privacy-and-security
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/