No one can have privacy and be an effective digital citizen

By Terry White, Executive Consultant at Netsurit.

Johannesburg, 22 May 2020

The average privacy statement or policy is 5 300 words long. The average adult reads complex documents at 200 words per minute. This means that it takes us about 27 minutes to read one privacy policy. We visit about 90 Web sites per month. Do the math. 

If we were diligently reading all the privacy statements – you know, the ones that say that the Web site can use your information for marketing purposes, or that they can sell your information to others – we would be taking about four working days a month just to ensure that our browsing was private.

That’s not all, though. To be an effective digital citizen, you need to use oligarchic or monopolistic platforms – Google, Facebook, Twitter, Microsoft, Apple, WhatsApp, LinkedIn. There are only one or two platforms available to run your computer, search the Internet, communicate with others, collaborate – be a digital citizen in other words. This means that even if you do read their privacy statements and object to how they want to use your data, you don’t actually have a choice.

The Microsoft privacy statement is 6 500 words long. This is longer than average, but like other policies on the net, it has quite a few “Read More” buttons, which makes the statement longer – its fully expanded policy and use statement is over 30 000 words.

Facebook doesn’t actually have a privacy policy. It has e a data policy, in which the word “privacy” appears twice – both times to link users to their privacy settings.

And almost all privacy policies allow the company to sell or give your data to someone else, but you are not privy to the recipient company’s privacy policy (if it has  one.)

Finally, it should be noted the average clickwrap agreement (one where the user clicks to agree to terms and conditions) is often more than twice the length of a physical contract – one which will be physically signed by the contracting parties. (Clickwrap agreements are so-called because once a user clicks, he or she is contractually wrapped up.) Physical contracts must be kept short, or the user would not read and sign them – the average employment contract is about 1 000 words only. A clickwrap agreement may be as long as needed as it is essentially “weightless”, and a cynic would suggest that the longer the contract, the less likely it is that it will be read. A cynic would further suggest that the longer the contract, the more likely it is that it has adverse implications for users.

Clickwrap agreements have legal standing and have been upheld in court as the user is seen to have provided “manifest assent” by clicking on the “I agree to the terms and conditions” button (Feldman v Google Inc, 2007). On the other hand, browsewrap agreements (where agreement is assumed if the user continues to browse the Web site) are often overturned.

One condition for a clickwrap agreement to be legal is that it must be easily understood by the user. While suppliers go out of their way to make their agreements understandable, it is their length that fails users.

To be fair, every company has to protect themselves from contravening the regulations – and these regulations are long and comprehensive. GDPR is 53 300 words long (four hours reading), and POPI is a trifling 35 000 words (only three hours reading). So it’s quite miraculous that company and Web site privacy policies are so short really.

All of this creates something of a vicious cycle: Regulations must be as complete as possible to protect users, and contracts must be lengthy to comply with all the regulations and protect the suppliers. Users don’t - or more to the point can’t - read all the contracts, and even if they could, they need to use the service anyway and are consequently at risk.

So here’s the bottom line: To be an effective digital citizen, you need to put your privacy at risk, or even forsake it altogether.

Share

Editorial contacts