Where it all began
1994
1998
2018
2021
2023
Data Protection Act
UK
CCPA
Cookies
GDPR
DPDPA
Only 6 years ago
India still thinking!
California Consumer Privacy Act
Digital Personal Data Protection Act
General Data Protection Regulation
1983 - official birth of internet
1993 - www. available to public
In 2018, the General Data Protection Regulation (GDPR) broke ground as the most forward-thinking and extensive legal provision for the protection of personal data and its ongoing security.
It has set new global standards for how organizations handle personal data and give individuals control over their personal data.
It introduced the distinct concepts of consent, right to data erasure, data portability, data minimization, etc.
Shift in power from companies to individuals
Global ripple effect
Personal data as a fundamental right
Revolution Brought by GDPR
What happens when we don’t read these documents?
Intellectual property and content rights
Potential for unexpected costs
Cookie usage and tracking
Changes to policies and terms
Privacy risks and data misuse
Data breaches and unauthorized third-party access.
Privacy paradox
Unknowingly agreeing to extensive data sharing
Lack of understanding of data protection measures
Unintentional consent to unfavorable terms
Secondary Research
The Biggest Lie on the Internet:
Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services [2018]
n = 543
74% of participants skipped reading privacy policies and terms of service when signing up for a fictitious social network.
Most users spent less than a minute on policies that should take 15-30 minutes to read.
98% of participants overlooked critical "gotcha" clauses like data sharing with the NSA or a child assignment clause.
'Clickwrap' options encourage users to bypass policies quickly without reading.
Lengthy and complex policies lead users to skip them due to perceived overload.
Privacy Paradox
Information, Communication & Society, pp. 1-20, 2018.
TPRC 44: The 44th Research Conference on Communication, Information and Internet Policy, 2016.
37 Pages Posted: 2 Apr 2016 Last revised: 9 Sep 2022
York University; Quello Center - Michigan State University
University of Connecticut
From the comparison of the two papers, several insights emerge about how user attitudes and behaviors toward privacy policies have evolved over the years.
User Engagement with Privacy Policies
Comprehension of Privacy Policies
Motivators and Blockers
2018: 74% of participants skipped reading privacy policies and terms of service when signing up for a fictitious social network.
2021: 77% of participants attempted to read privacy policies at least once, but most did not fully read them. Only 23.4% fully read a policy, and 22.5% never attempted to read one.
2018: 98% of participants overlooked critical clauses.
2021: 55% did not fully comprehend the content of privacy policies, indicating a persistent gap in understanding over time.
The same barriers—length, complexity, legal jargon—continue to deter users from fully reading and understanding these documents.
[2018-2021]
Primary Research
How aware are users of Terms of service and Privacy policy documents?
Do users read these documents? If so, how thoroughly?
How well do users understand the content of these documents?
What challenges do users face when interacting with Terms of service and Privacy policy documents?
Understanding User Awareness
Assessing Engagement
Identifying Pain Points
Evaluating Comprehension
Intent of the interaction with users
n = 21
Average Age: 24 years.
Gender: 11 female, and 10 male.
58% have a bachelor's degree, 42% have a master's degree.
12 are students, 9 are employed.
How often participants read the ToS and PP documents
The majority of users are aware that Terms of Service and Privacy Policy documents exist and are part of the app signup process. However, awareness does not necessarily translate into active engagement or thorough reading. They often do not engage with them unless prompted by a specific concern or issue related to privacy.
Awareness of documents
Length
Complex language
Lack of transparency
User fatigue
Identifying pain points
Insights
“they just look like an endless texture on the screen”
“Even if I tried, it’s like reading another language”
Evaluating comprehension
Poor Understanding: On a scale of 1 to 5, most participants rate their understanding of these documents as Poor (42.9%) or Average (33.3%).
Superficial Engagement: Participants rarely read the documents in their entirety, often just skimming headlines or focusing on parts that seem relevant to them.
Assessing engagement
Frequency of Reading: Many participants admit that they rarely read the full document.
Time Spent: A majority of participants spend less than 1 minute or 1-5 minutes on these documents, indicating they do not thoroughly read them.
Selective Focus: Those who read the documents tend to focus on specific sections such as data collection, third party exchange, data usage, change in privacy policies, and permissions requested.
If you do not read Terms of Service and Privacy Policy, why not?
Length: The documents are often too long, making them unappealing to read.
Complexity: Many participants find the language used too complicated to understand.
Time-consuming: A significant number of participants feel the documents take time to comprehend and that they don't have enough time to go through them.
Perceived irrelevance: Some participants feel that these documents are not crucial to them or that they have no choice but to agree in order to use the service.
If you do read these documents,
what sections do you focus on the most?
Data collection and use
Payment terms
Access - Permissions
Data Retention
Third-Party Sharing
Opt-Out/Control Options
Time spent reading ToS and PP documents
Understanding of ToS and PP documents
How aware are you of how applications use your personal data?
Do you know what types of personal data are typically collected?
How concerned are you about applications collecting your personal data?
No
Not Sure
Yes
33.3%
33.3%
33.3%
Very concerned
Moderately concerned
Slightly concerned
Not Slightly concerned
Extremely concerned
38.1%
28.6%
19%
14.3%
Slightly Aware
Moderately Aware
Very Aware
Extremely Aware
Not Aware
47.6%
38.1%
9.5%
Sean Loose/Illustration for The Washington Post
Legal documents
These three are the most common legal agreements:
Privacy policy: It discloses how a website collects, processes, stores, shares, and protects user data. It also explains why the website needs that information from users. More importantly, it informs users on how they can protect their personal information by themselves and the control that users can exercise over that data.
Cookies: Cookies are small text files that websites send to a user's browser to help personalize their online experience.
Terms of service: Outlines the rules and guidelines that users must agree to in order to use a website or app. This document helps limit legal liability while maintaining control over the platform.
“Written by Lawyers for Lawyers, they were never created as a consumer tool”
Legal documents are designed to protect companies, not to inform users.
This emphasizes the disconnect between the document creators and users.
Such practices are not compatible with the GDPR’s concept of transparency, which the European Data Protection Board emphasizes as “user-centric rather than legalistic” in its guidelines on transparency.
Jen King, the director of consumer privacy at the Center for Internet and Society
Related Works
a. Privacy Visualizations and Icons: Privacy visualizations utilize graphical representations like icons and labels to simplify the communication of privacy terms, making them more accessible and understandable for users.
b. Coding and Standardization: Privacy policy coding and standardization efforts focus on categorizing and presenting policies in consistent, structured formats, enabling users to easily understand data practices across services.
c. Usability and Awareness Projects: These projects aim to enhance user engagement with privacy terms through transparency and awareness initiatives.
Structure of these legal documents currently
Long text with headers
With side panel / cascading text
With summaries
With visuals/ videos
Long text with more links
Who are we designing for?
Pain points
We are focusing on people who are already aware of these legal documents and want a better experience and comprehension when interacting with them.
Complex Language: Legal jargon dominates, making them inaccessible.
Lack of Transparency: Key details about data usage and control are buried in lengthy clauses.
User Fatigue: Users often give up trying to read them entirely.
meaningful consent
agency >>> usability
Choice / control
Copyright 2024 by Anumeha Patoria