Data privacy: where do people draw the line?

Bobby Duffy blogs for the Royal Statistics Society on how the public feel about how companies handle their data. 

Data privacy: where do people draw the line?

Superlatives abound in discussions of data privacy. Various think tanksconsultants and trade groups have told us that the latent demand for privacy has never been greater, that privacy is the next key consumer rights issue, and that our personal data itself is more valuable than gold or oil. 

Here at Ipsos MORI, our surveys also tell us the greatest sin a company can commit in the eyes of the public is losing their personal data, followed by selling that data, even if it’s anonymised – much worse than exploiting foreign workers or even charging more than competitors.

It all feels like a very modern problem, particularly with increasing media coverage of government surveillance and individual issues, such as care.data. But of course it’s far from a new concern, and closely related discussions on threats to privacy go back decades, at least since modern databases were developed.

Our new 20 country study released at an event with King’s College London this year adds more international depth to this picture. It confirms some of what we knew, and in particular that there is no one public opinion on data privacy – in three separate ways. 

First, there is just a variety of levels of concern across different people. Indeed there is remarkable consistency on the differences across time and different developed countries: we tend to find 10% are 'privacy unconcerned', 60% are pragmatists, where concern depends on the circumstances, and 30% are 'privacy fundamentalists'.

But, second, this gives a false sense of certainty in opinion. In practice, it’s not just the pragmatists who change their views depending on the circumstances – experiments show that large proportions of the two groups at either end of the spectrum can be shifted, depending on what they are offered or how they are reassured.

And, third, stated concern about data privacy and how people actually act are barely nodding acquaintances. We can see the massive disconnect between what people say and how we know they act in this new survey. For example, nearly half of people across the 20 countries say they are willing to pay for increased levels of privacy for their data. But at same time, in the same survey, only a quarter of the same people say they have taken basic steps to increase the privacy settings on their browser. In Britain this means that three quarters of those who say they would pay for additional privacy haven’t changed a simple setting on their computer.

We also asked the softest question imaginable on whether people read terms and conditions or user agreements on websites - giving people the best chance possible to come clean and admit they don’t always read them. But still a third of people insisted they do always read them. The evidence suggests otherwise: server-side surveys show that barely 1% do. And this is no surprise, when some service agreements are over 30,000 words, longer than Hamlet

There are many examples of people being tested on how much attention they pay to what they’re signing up to – and failing. The best of these is probably Gamestation’s famous clause which they included in their terms on April 1 2010 and which gave the computer game retailer the 'non-transferable option to claim now and forever more your immortal soul'. 88% of people signed up.

The international aspect to our new study also highlights the different stages the public are at around the world, and gives some clues to likely futures. In particular, people in more developed markets are more focused on privacy, at least in stated attitudes – and less likely to want to give it up for greater personalisation. This seems to be mostly a function of exposure to personalised services and recommendations, which people often find more irritating than helpful. People in the West are also more focused on anonymity: promising this does little to opinion in countries like Brazil, India and China, but it shifts views in the West. 

It also shows the real problems that certain industries have in the UK. It’s maybe not surprising that we’re less trusting of banks with our data than other countries – that probably reflects our generally dim view of them right now. But social media and media companies are developing real issues – in Britain both are barely more trusted with our data than foreign governments, as the chart below shows.

Hierarchy in types of organisation

And it’s clear from this and previous work that revelations about the scale of security service surveillance does set some of the tone – but it’s not as direct an effect on opinion of data privacy as we might expect from the significant media coverage. More important are the everyday interactions where people are surprised by how their online activities can be linked so that recommendations follow them around the web. Indeed it’s that sense of connection across spheres that unsettles people the most – the world and our data may be linked in ways that we couldn’t imagine a few years ago, but that worries people who like to keep different aspects of their lives separate.

And this provides a hint of the tricky future ahead. In particular, more exposure to and understanding of what can be done with our data doesn’t make us any more comfortable – in fact, for many of us it increases our concern. 

It’s absolutely right that trust is vital, and that transparency is key to that – this and other studies make that clear. But we shouldn’t kid ourselves that one will automatically lead to the other. Knowledge is so low that the implications of greater transparency are unpredictable – and many will get more worried about what they find out.

Similarly, while there is great concern, there is still little action by most individuals to protect their privacy. There are therefore weak incentives for private companies and governments to be more open. Being a first mover, highlighting concerns that people don’t really have at the front of their mind and encouraging them to restrict access to their valuable data, is a dubious advantage. 

The care.data case provides just the latest example of where we’ve got the conversation wrong with the public on the use of our data – but it won’t be the last. Understanding where the public draw the boundaries around their privacy is one of challenges of our time – not least because public themselves don’t really know where the line is.

The article was published in www.statslife.org.uk

More insights about Public Sector