Too much and too irrelevant: What do users really want to know about privacy?


By Nico Ebert (ZHAW)

cross-posted from WINsights blog

Each of us is confronted with countless privacy notices every day and agrees to the practices described. Most likely we do not even notice this because the privacy information is hidden in long and cumbersome privacy policies. To give users more specific and more relevant information about privacy, it is first necessary to understand which information is relevant to users at all. Marketing traditionally asks users about their needs, so why not ask users about their needs for privacy information?

Researchers have recently suggested that a specific usage context should be considered to make privacy notices more relevant to users. Therefore, we asked users about their needs in very specific contexts. We conducted an exploratory online survey of privacy concerns and privacy information preferences with 642 participants in Switzerland for two different contexts. The contexts are loyalty cards (e.g. Cumulus, Supercard or Ikea) and fitness tracking (e.g. Fitbit, Garmin, Apple Health).

First of all, privacy concerns were measured using a standardized scale (Concerns for Information Privacy) that distinguishes between concerns regarding unauthorized secondary use (e.g. data is provided to third parties without knowledge), improper access (e.g. a hacker gets access to the data), errors (e.g. processing errors) and collection (e.g. too much personal data is collected). In the figure below, a concern level of four indicates a neutral position, while a lower score points to no concerns and a higher score points to higher concerns. The survey results indicate that people are most concerned about secondary use and improper access, while errors and collection seem to raise fewer concerns. The results vary only slightly between loyalty cards and fitness tracking.

We also asked participants about their concrete information preferences. To do so, we used the information categories proposed by the EU General Data Protection Regulation (GDPR). The figure below illustrates the preferences for different kinds of information in the fitness tracking context, for both users and non-users of fitness tracking. Participants had to indicate whether they agreed that a specific category of information was relevant. The measurement scale ranges from 1 (strongly disagree) to 5 (strongly agree), with 3 being neutral. In the figure, the X axis starts at a level of 3 to better visualize the small differences. In addition to the bars, the 95% confidence intervals are indicated at the end of each bar. Only when these do not overlap are the findings of statistical significance. As one can see, the differences are very small. However, participants seem to consider information on their rights or on the categories of collected information more relevant than information on automated decisions or the data privacy contact persons.

As a next step towards more relevant privacy information, it makes sense to consider concrete company examples. Most likely it will be easier for people to express their preferences when confronted with very concrete examples. For example, a retailer could take its existing privacy policy and ask consumers what they consider relevant and what they don’t. The company could then focus its communication on the more relevant parts.

This research was sponsored by the Hasler Foundation.

Full paper: Nico Ebert, Kurt Ackermann, Peter Heinrich: Does Context in Privacy Communication Really Matter? – A Survey on Consumer Concerns and Preferences, ACM Conference on Human Computer Interaction CHI 2020 (Honourable Mention Award, available at dl.acm.org)