We all see them: those annoying pop-up boxes that appear on our screens, asking us to consent to the website’s privacy and digital cookie policies.
You probably don’t read them, but instead rush the messages out by clicking “yes, I accept” without a second thought.
In fact, tackling the jargon seems so rare that free wine isn’t claimed for months, buried deep in the details.
It emerged last week that Tax Policy Associates, a think tank, had since February hidden a clause in their website privacy policy offering a bottle of “good wine” to the first person to notice it.
But it wasn’t until this month that someone came forward to claim the prize, highlighting how little we all deal with the legal red tape that has increasingly come to define our digital lives.
“We know that no one reads this, because we said in February that we would send a bottle of good wine to the first person who contacted us, and it was in May that we received an answer,” said the non-profit. The organisation’s updated privacy policy is now set out.
The think-tank’s founder, Dan Neidle, says the experiment involving a £30 bottle of Château de Sales Pomerol in 2014 was a personal “childish protest” against regulations requiring all businesses to have a privacy policy where “it doesn’t read he is no one” .
Our ongoing experiment with whether anyone reads the website T&C continues. We put this in our terms back in February. Just received a claim. pic.twitter.com/N7k3weTuA9
— Dan Neidle (@DanNeidle) May 9, 2024
“I had an email out of the blue from a guy called Arthur. He was writing a privacy policy for his own website, so he was researching others. That’s how he got it,” says Neidle, adding that Arthur was “alcohol intolerant” and therefore unable to enjoy his reward.
“It shows that nobody normally reads this stuff. A normal person has no reason in the world to do that.”
Bureaucracy burden
All businesses that process and store customer information such as names and email addresses must provide an online privacy policy as part of their obligations under the General Data Protection Regulation (GDPR) 2018, according to the Information Commissioner’s Office.
Those who fail to comply expect large fines and reputational damage.
But complying with the directives is often a burdensome task for small and medium-sized enterprises (SMEs) and charities, costing them energy and resources that could be allocated elsewhere.
As the complexity has increased, so has the amount of time such companies spend making sure they comply with regulations, up 46 percent in the past year alone, according to new research from data and analytics firm Dun & Bradstreet .
Meanwhile, in a 2021 study by the Federation of Small Businesses (FSB), two out of five of its members described data protection as the “most serious regulation” to tackle.
These regulations create a “disproportionate effect” for companies that “have fewer resources to spend on compliance than their larger peers”, says Tina McKenzie, policy chair at the FSB.
Neidle points out that even small community coffee shops, for example, must have privacy policies to comply with the GDPR, adding that costs incurred mean “money… [is] wasting it”.
He claims the solution is to simplify – by going back to standard privacy conditions that apply “by default to typical small businesses that don’t handle client data”.
These should not require cookie policies and help businesses save money and “save consumers from annoying clicking”, he says.
McKenzie, for her part, acknowledges that data protection laws are a “crucial” part of 21st century life.
However, their “complex” and “sensitive” nature means that small businesses often require greater support and understanding from regulatory bodies not only to ensure compliance but also to “manage the financial and time costs involved reduce”, she says.
Regulators should be “proportionate” in enforcing these rules, says McKenzie, focusing on “education and support first and foremost”.
“Required text fields, which very few people read, undermine the consumer protection we all want in place. It also costs small businesses time and money that they can’t afford,” she says.
Essentially, demanding requirements can pull entrepreneurs away from important priorities such as increasing profits, growing their businesses and generating jobs for their local communities.
“Starting a business isn’t just about doing the fun stuff – there’s a lot of obedience that can’t be ignored – but it all adds up to the long hours and the feeling of being in the world when you’re ask for construction. traction and momentum,” says Gareth Jones, CEO of small business and co-working experts Town Square Spaces Ltd.
Hours of reading time
From a consumer perspective, there is little desire to sift through thousands of words of policy, no matter what it costs businesses to produce them.
Not only are they incredibly complicated, they’re also getting longer all the time.
A 2021 study by De Montfort University found that the average length of privacy policies increased from over 1,000 words in 2000 to over 4,000 words in 2021.
Dr Isabel Wagner, an associate professor of computer science who conducted the research, found that their average word count increased after the European Union implemented GDPR in 2018 and, again in 2020, when California adopted its own privacy policy.
“As a researcher who works on privacy, I agree with privacy policies but I don’t read them,” she told the New Scientist in 2022, admitting that her study of about 50,000 texts was motivated by recognizing her own habits.
University education requires an understanding of common policies”, said Wagner, and it takes at least an hour to read.
If you stopped all of them and digested them, it would really be a part-time job.
A study of the most popular websites in 19 different countries by NordVPN in October last year revealed that the average privacy policy was 6,461 words long.
In the UK, it would take nearly 11 hours to read every word of every policy on each of the 20 most visited websites, the study found, based on assumptions that people read around 238 words per per minute on average.
And over the course of a month, the average Briton would put up something like 53 hours of reading time if they used every privacy policy in full on every website they visited – almost 20 times more than the average working week across the country.
Calls for a ‘rethink’
Its apparent absence has fueled the narrative that policymakers need to make adjustments.
McKenzie, of the FSB, says there is a need to “rethink the way the system works” so that the legislation is “easier to navigate for everyone”.
This should be done in a way that preserves “the adequacy of the data we need to keep business flowing between the UK and other international jurisdictions with their own rules”, she says.
Jordan Phillips, founder of food delivery start-up Tin Can Kitchen, agrees that existing data protection regulations can confuse consumers and small businesses alike, arguing that a new approach is needed. He says the wording of the regulations is “wordy” and should be “condensed” to make them easier to understand.
“This should certainly be the case for small businesses that don’t have the money or resources of big businesses,” he says. “How this translates to real-world situations remains to be seen.”
Austin Walters, director of website design firm Triplesnap Technologies, suggests regulators take a tiered approach that simplifies requirements for small businesses that don’t handle highly sensitive data. Meanwhile, companies with more personal or sensitive information about their customers would have to continue to follow “stricter controls”.
“Simplifying legal jargon and making policies more accessible could increase consumer confidence and understanding without compromising data security, improving user interaction with these important documents,” he says.
Others argue that companies themselves also have a role to play.
Andrew Wilson-Bushell, associate at law firm Simkins LLP, says businesses should ensure they are only providing customers with the information they need to engage.
But, long-winded and unloved as they are, privacy policies ultimately serve an important purpose, he admits.
“A business is required to understand the use of personal data when writing the privacy policy, and to set that out in a reasonably understandable way. That can often feel like an overkill – until a serious data breach happens.”
Neidle, for his part, is skeptical about the demands placed on SMEs by GDPR.
That’s despite a historic uptick in the small print of the think tank behind the wine stunt.
“In the last 72 hours 1,000 people have read our privacy policy, but in the whole month of April, nobody looked at it,” says Neidle, citing web traffic data.
“It’s crazy to me that my local coffee shop has to deal with the same rules as Facebook,” he says.
“Why can’t there be a simplified version of the rules for small businesses and non-profits?”