According to a new study by George Washington University Strategic Management and Public Policy Professor Dr. Kristen Martin, the invocation of formal privacy notifications actually decreases the amount of trust users have in a website.
What’s contained in those privacy policies does matter to consumers, but significantly less than what Martin labels “informal privacy norms,” which basically means not doing things that seem creepy or unethical like using information visitors provide to advertise to their friends or selling personal information to a third-party data aggregator.
Martin’s study has been accepted by the Journal of Legal Studies and is awaiting publication.
Over a four-month period in early 2015, Martin conducted a pair of surveys measuring what factors were important to users in terms of online privacy. The questions were aimed at determining if the use of formal contracts, in the form of privacy agreements, was effective in boosting user trust, and if that level of effectiveness was greater than that of informal privacy norms.
The 1,600 respondents who participated in the study rated 6,400 different ways websites might use their data. Sometimes those actions violated widely held social norms about data usage and other times they didn’t; sometimes the actions violated the sites’ stated privacy policies, other times there were no formal policies in place to violate.
“The results suggest that the mere introduction of formal privacy contracts decreases trust,” Martin wrote. “In addition, respondents distrusted websites for violating informal privacy norms even when the scenario was said to conform to or was not mentioned in the formal privacy notice.”
“The mere inclusion of a statement about privacy notices—which systematically varied between conforming to, not being mentioned in, and violating the privacy notice—decreased the average trust rating of the vignettes,” she continued.
The reason that consumers tend to put little stock in formal privacy policies is, Martin posits, due to a fundamental information asymmetry between a website’s users and its operators. Privacy policies are typically buried deep within a website and are often full of dense legal or technical language. On top of that, it’s rarely clear what consequences a company would face for violating a policy its own managers came up with in the first place.
The survey respondents did penalize companies for violating their own privacy policies, but that effect was largely secondary.
“I would say that what their practices are in regards to user information is more important than writing a vague notice and making sure you conform to it,” Martin said in an email. “Right now, the U.S. places an emphasis on mere conformance to a notice without any regard to if a company sells the data or uses it in a way that users consider a violation of privacy.”
There have been a number of high-profile instances in which this phenomenon played out in the real world.
In 2014, researchers at Facebook published the results of a study in the Proceedings of the National Academy of Sciences in which the company increased the frequency of positive or negative messages appearing in users’ news feeds to determine how the changes would affect the frequency with which those users posted content. After the study’s publication, Facebook was slammed by critics for conducting what was widely viewed as “emotional manipulation” on users without getting prior consent.
Ultimately, it matters less that Google’s motto is “don’t be evil” than it does that people actually perceive that Google isn’t doing things that seem evil.
Author: Aaron Sankin