
The last time you used an app, did you read its privacy policy before clicking ‘I Agree’? If not, don’t worry — such policies are not designed for easy reading. With reams of legal jargon, most are as difficult to read as the Harvard Law Review. A survey of 155 college students in Delhi found that even law students could understand only about half the clauses. Most policies are exclusively in English, which is clearly inadequate in a country where no more than 12 per cent are comfortable with the language. A human-centric study across India found that even people who couldn’t read or write, when made aware of what they were consenting to, cared deeply about it. They wanted a square chance to assess trade-offs, but felt they didn’t usually have such a choice.
Online “consent” is, therefore, a false choice for most Indians. However, consent is also the fulcrum of India’s fast-growing data ecosystem. The Data Protection Bill under consideration by Parliament lists consent as a legal ground for data processing. It also requires that consent be freely given, specific, informed, unambiguous and revocable — all legally-sound objectives, but difficult to achieve in practice. Last year, NITI Aayog sought public comments on the Data Empowerment and Protection Architecture (DEPA), a system that will connect an individual’s financial, health, telecom and other data so that it can be moved from one provider to another. DEPA intends to use consent to ensure that users remain in control of their data.
Through DEPA and other similar initiatives, India is poised to accelerate its innovation economy by using data to create innovative products. But consent is broken, and relying on it to enable responsible data sharing seems inadequate. Which is why we need new ideas to give users greater control over their digital destinies.
First, businesses need to become more responsible stewards of consumer trust. Not only is it the right thing to do, it is also good for business. The Centre for Social and Behaviour Change at Ashoka University recently ran behavioural experiments on data privacy with 5,547 Indians. It tested 20 innovative design ideas and found that making consumers read privacy policies by, for example, getting them to stay on the “privacy policy” page for a few minutes, led to increased trust in businesses and greater data sharing. This creates a “win-win” situation, where businesses receive more data and individuals understand better what they are consenting to. Showing users a norming message like “it takes less time to read this policy than brushing your teeth” also showed promise. Businesses can adopt such ideas to make users trust them more.
Second, regulatory bodies need to step in to guide customers. Consumers do not have the time or knowledge to go through privacy policies. It would also be unfair to expect them to. In other sectors, regulatory bodies step in to bridge this information gap. The food regulator’s food safety certifications and the Bureau of Energy Efficiency (BEE)’s rating guides have become part of our everyday lives. Similarly, a “privacy rating” for apps can help individuals make more informed choices about their data. Such “rules of thumb” can help them cut through the jargon, trust businesses more and share more data. In Ashoka University’s experiments, users shared more data with apps that had a higher privacy rating.
Third, governments and industry associations can play an enabling role by running innovative awareness campaigns that leverage local contexts and relatable narrative styles. In early 2020, BigFM ran a 10-episode radio show called Zindagi Mobile, where storyteller Neelesh Mishra wove privacy-related messages into fictional stories of everyday Indians. These included messages like logging off from public computers and not sharing phone numbers easily. The show reached 140 million Indians in five languages, achieving the number 1 slot in Mumbai, Kolkata and Bengaluru. An independent impact evaluation of the show found that it led to greater privacy-consciousness among listeners, and better online behaviour, such as checking the veracity of information before forwarding it.
Despite these promising innovations, the “burden of proof” on privacy should rest with providers rather than consumers. Businesses should act as fiduciaries of user data and act in the best interest of the user rather than simply maximising profits. Regulators can create a new class of intermediaries that warn consumers about dangerous practices, represent them, and seek recourse on their behalf. By educating and empowering every Indian, we will enable her to participate fully in India’s digital economy, and thereby create a meaningful digital life for every Indian. Only then will the true potential of Digital India be realised.
This article first appeared in the print edition on January 18, 2021, under the title “Before Clicking ‘I Agree’”. The writers work at Omidyar Network India, an investment firm