How a bottle of wine exposed the big GDPR waste

We all see them: those annoying pop-up windows that appear on our screens asking us to consent to websites’ privacy and digital cookie policies.

You probably don’t read them, but frantically rush the messages away by clicking “Yes, I agree” without thinking.

It seems that actually dealing with the jargon is so rare that free wine goes unclaimed for months, hidden deep in the details.

Last week it emerged that think tank Tax Policy Associates had been hiding a clause in their website privacy policy since February offering a free bottle of ‘fine wine’ to the first person who noticed it.

But it wasn’t until this month that someone came forward to claim the prize, highlighting how little we care about the piles of legal red tape that are increasingly shaping our digital lives.

“We know no one is reading this because we added in February that we would send a bottle of good wine to the first person who contacted us, and it wasn’t until May that we received a response,” reads one sentence in the non-profit organization’s now-updated privacy policy.

The think tank’s founder, Dan Neidle, says the experiment with a £30 bottle of 2014 Château de Sales Pomerol was a personal, ‘childish protest’ against regulations requiring all companies to have a privacy policy if ‘no one reads it’.

“I got an email out of the blue from a guy called Arthur. He was writing a privacy policy for his own website, and also researching others. That’s how he found out,” says Neidle, adding that Arthur unfortunately turned out to be “intolerant to alcohol” and so couldn’t enjoy his reward.

“It shows that no one normally reads this kind of stuff. A normal person doesn’t have the slightest reason for that.”

Difficult bureaucracy

All companies that process and store customer information such as names and email addresses must establish an online privacy policy as part of their obligations under the General Data Protection Regulation (GDPR) 2018, according to the Information Commissioner’s Office.

Anyone who does not comply risks high fines and reputational damage.

But complying with the guidelines is often a difficult task for small and medium-sized businesses (SMEs) and charities, costing them energy and resources that could be spent elsewhere.

As complexity has increased, so has the time such companies spend complying with regulations. This has increased by 46 percent in the past year alone, according to new research from data and analysis agency Dun & Bradstreet.

Meanwhile, a 2021 survey from the Federation of Small Businesses (FSB) found that two in five members described data protection as the “most burdensome regulation” to grapple with.

These regulations create a “disproportionate impact” on companies that “can devote fewer resources to compliance than their larger counterparts,” said Tina McKenzie, policy chair at the FSB.

Neidle points out that even small, communal coffee shops, for example, must have a privacy policy to comply with GDPR, adding that this comes at a cost that is “money… [is] be wasted”.

Dan Neidle is the founder of tax think tank Tax Policy Associates Ltd

Dan Neidle, who included a free wine clause in his privacy policy, backs simplified GDPR rules for small businesses – South West News Service

He argues that the answer is simplification – by returning to standard privacy terms that “apply by default to typical small businesses that do not handle customer data”.

These would not require a cookie policy and would help companies save money and “save consumers from annoying clicks,” he says.

For her part, McKenzie recognizes that data protection law is an “essential” part of life in the 21st century.

However, their “complex” and “sensitive” nature means that small businesses often need greater support and understanding from regulators, not only to ensure compliance but also to “reduce the financial and time costs of doing so”, she says.

Regulators must be “proportionate” in enforcing these rules, McKenzie adds, and focus primarily on “education and support”.

“Having piles of text that is required by law and that in practice very few people actually read undermines the consumer protections that we all want. It also costs small businesses time and money they cannot afford,” she says.

In fact, strict requirements can distract entrepreneurs from important priorities, such as increasing profits, growing their businesses and generating jobs for their local communities.

“Starting a business isn’t just about doing the fun stuff – there’s a lot of compliance that can’t be ignored – but this all adds to the long hours and the feeling that you’re taking on the world when you try to make a business to build traction and momentum,” says Gareth Jones, CEO of small business and coworking experts Town Square Spaces Ltd.

Hours of reading time

On the consumer side, there is little incentive to sift through tens of thousands of policy words, regardless of what it costs companies to produce them.

Not only are they extremely complex, they are also getting longer.

A 2021 study from De Montfort University found that the average privacy policy length increased from more than 1,000 words in 2000 to more than 4,000 words in 2021.

Dr. Isabel Wagner, an associate professor of computer science who conducted the study, found that their average word count increased after the European Union implemented GDPR in 2018 and, again in 2020, when California adopted its own privacy policy.

“As a researcher working on privacy, I find myself agreeing to the privacy policy but not reading it,” she told New Scientist in 2022, admitting that her examination of some 50,000 texts was prompted by a recognition of her own habits.

Typical policies “require university education to understand it,” Wagner said, and take at least an hour to read.

If you were to stop and process them all, it would essentially amount to a part-time job.

A survey by NordVPN last October of the most popular websites in 19 different countries found that the average privacy policy was 6,461 words long.

In Britain, reading every word of every policy on each of the 20 most visited websites would take almost 11 hours, the study found, based on the assumption that people read about 238 words per minute on average.

And over the course of a month, the average Briton would rack up around 53 hours of reading time if they fully read every privacy policy on every website they visited – almost 20 hours more than the average working week across the country.

Calls for a ‘rethink’

The apparent absurdity of the situation has led to calls for policymakers to make adjustments.

The FSB’s McKenzie says there is a need to “rethink the way the system works” so that the legislation is “easier to navigate for everyone”.

This must be done in a way that maintains the “adequacy of the data we need to keep business flowing between Britain and other international jurisdictions with their own rules,” she says.

Jordan Phillips, founder of food delivery startup Tin Can Kitchen, agrees that existing data protection regulations can be confusing for both consumers and small businesses, arguing that a new approach is needed. He says the wording of the regulations is “extensive” and needs to be “shortened” to make them easier to understand.

“In my opinion, this should certainly be the case for small businesses that don’t have the money or resources of large corporations,” he says. “How this translates into real-world cases remains to be seen.”

Austin Walters, director of website design firm Triplesnap Technologies, recommends that regulators adopt a tiered approach that simplifies requirements for smaller companies that don’t handle highly sensitive data. Meanwhile, companies that hold more personal or sensitive information about their customers should continue to face “stricter controls.”

“Simplifying legal jargon and making policies more accessible can increase consumer trust and understanding without compromising data security, ultimately improving user interactions with these important documents,” he says.

Others argue that companies can also play a role themselves.

Andrew Wilson-Bushell, associate at law firm Simkins LLP, says companies need to ensure they only provide customers with the information they really need.

But as long-lasting and unloved as it is, the privacy policy ultimately serves an important purpose, he acknowledges.

“Writing a privacy policy requires that a company understand the use of personal data and map it out in a relatively understandable way. That may often feel like an exaggeration, until a serious data breach occurs.”

For his part, Neidle remains extremely skeptical about the requirements that the GDPR places on SMEs.

That’s despite a historic surge in engagement with his think tank’s fine print as a result of the wine stunt.

“A thousand people read our privacy policy in the last 72 hours, but no one looked at it in all of April,” Neidle said, referring to web traffic data.

“It just seems crazy to me that my local coffee shop has to deal with the same rules as Facebook,” he adds.

“Why can’t there be a simplified version of the rules for small businesses and nonprofits?”
