Data privacy: it’s complicated

There are two major challenges with online data, and maintaining control of personal data. 

One is that many people may struggle to understand how their data is used online, when it is out of their immediate sight. A second is the sheer scale of effort required to attempt to be in full control of personal data. 

We live in an online, cloud-based era. But most people in the UK who are active online – those in their late 20s and older, that is the majority of the population – will have first been exposed to data storage in the form of local, physical storage such as memory cards, external drives, floppy disks and diskettes. This was the first, and in many cases enduring association they will have made with data being stored digitally. In this context, data privacy is relatively simple: if the physical data storage is in your possession, then no one else can access it. This is similar to how most would perceive a paper form or a filing cabinet being kept private. 

And there is still plenty of digital data that is stored locally: smartphones, tablets and PCs on sale today all include, and are differentiated by, the volume of local storage they offer. 

Forms and filing cabinets have migrated online and become seemingly invisible and intangible. Many people who are active online in the UK would likely understand that a copy of their data may be replicated online, much like a photocopier creates a single paper facsimile of a document. 

But they may struggle to understand how the content of these individual facsimiles can be readily disassembled and then joined together online: how the e-commerce pages that they browse on multiple sites, from different machines and at varying times can be associated with the videos they watch, the products they buy, the places they have visited, or the contacts in their phone. 

The difficulty in understanding how and what data is collected when using online services is reflected in the level of understanding of which data people believe they share.

Fifty-eight per cent acknowledged sharing their email address with at least one organisation online; 56 per cent noted sharing their name; a quarter said they shared their browsing history (see Figure 4). In almost all cases, these percentages most likely under-report the true extent of sharing: it is more likely that, unbeknownst or at least unacknowledged, these percentages are closer to 100 percent for those who are online. 

Figure 4: Type of information shared online with organizations

Q. As far of you are aware, which, if any of the following types of information do you already share with at least one organisation online?

The rise in awareness is encouraging, but the apparent lack of understanding of what data are implicitly shared when using some sites may be concerning. Among those who state that they do not share their phone number, 62 per cent use WhatsApp. Almost two-thirds of those who state they do not share their name online state that they are on Facebook. 

Over a third of people said they shared their telephone number with at least one organisation online. Yet many apps and websites ask for this data, and some require it. WhatsApp, one of the most popular instant messaging apps, is based on mobile phone numbers as the primary, fundamental user ID.³

There is a similar pattern with those sharing names. Facebook, the most popular social network, is based on individuals’ names. 

Only a fifth of respondents report that they share photos online, but 29 per cent report that they upload or share photos via social networks or instant messaging. This number is likely to be considerably lower than the actual number. 

This lack of awareness could have significant implications in relation to the exercise of GDPR data protection rights. For example, individuals would be unlikely to request that a company erase their personal data (widely known as the ‘right to be forgotten’), if they were unaware that data had been collected in the first place.  

There is the potential for awareness to improve under the GDPR, given that, in situations where organisations need to get consent to collect personal data, the bar has been raised to make this consent more explicit.

The ways in which personal data may be used are written in the terms and conditions that typically have to be accepted prior to use. However, most people admit to accepting terms and conditions without reading them. Just over half (52 per cent) ‘always’ or ‘almost always’ skip reading them; only 8 per cent always read them (see Figure 5). And we believe that users are over-reporting reading terms and conditions: the actual number who always or almost always skip is likely higher.

Terms and conditions exist so users are theoretically aware of the implications of their actions, particularly with regard to sharing of data. In the last year, stories about data privacy have reached a new peak, potentially prompting people to be more cautious. Yet, attitudes towards reading terms and conditions have barely shifted year on year.⁴

Figure 5. Frequency of accepting terms and conditions without reading them (2017 vs. 18)

Q. Thinking about when you do any of the following things on your mobile phone: Installing/downloading mobile apps, Registering to WiFi hotspots, Installing software updates, Signing up with retailers or to online services; How often, if at all, do you accept terms and conditions without reading them?

Each application downloaded may be accompanied by a set of terms and conditions. Each website browsed on may now include a set of terms and conditions in the form of information about how data collected may be used, and with whom it may be shared. It may take a proficient reader several minutes to read through each set of terms and conditions; someone not familiar with the specific lexicon relating to online data may need to research the terminology used prior to being able to accept terms. 

Or, that user could just accept the terms and conditions without reading them. And this is the nub of the second challenge of data privacy. Most users will lack the time, inclination or the degree of literacy (including knowledge of legal terms) required to comprehend fully what is happening with the data they are submitting online.

Data privacy is a complicated topic. Every individual may have a different definition of what privacy is. A few guard their online footprint very carefully, and leave little digital trace. Others, most likely the majority, share, with limited or no constraints. 

News stories about data privacy spike occasionally, such as happened with the GDPR in May this year. At these moments, the perception – among those who read these articles – may be that we are approaching an inflection point in the public’s relationship with personal data. But the general public may simply shrug, and carry on. 

In the year to mid-2018, coverage of data privacy reached all-time highs, and a comprehensive new regulation was introduced. Over this period, the number of people searching on ‘data privacy’, and ‘GDPR’ surged. But both search terms were easily beaten by the search interest on ‘Love Island’, which had four times the relative search interest as GDPR. 

The number of digital entities UK citizens interact with online as well as the range of data shared will both likely continue widening. It may be unrealistic to rely on the general public to comprehend the full set of consequences of their online activity; government intervention may be required. A healthy online economy may well require more onus on regulators and companies to work together to create an online environment that works for everyone.