A Day in the Life of (Your) Data
Today we participated in the launch of Consumer Policy Research Centre’s, A Day in the Life of Data. This report spotlights key aspects of the information economy, from how it works through to the level of discomfort Australian consumers feel when they learn more about current practices.
Specifically, we supported the CPRC in conducting exploratory research. We designed a prototype that simulated a ‘current state’ purchasing experience. We conducted outcome-focused usability research sessions and paired them with contextual inquiry.
Let’s touch on the approach quickly.
A landscape of user research methods
A variety of user research methods exist to help researchers ask and answer research questions with appropriate confidence intervals. This diagram, inspired by Christian Rohrer’s 2014 work for NNG Group, showcases 20 popular user research methods. It visualises them using a three dimensional framework that covers:
- Attitudinal vs Behavioural
- Qualitative vs Quantitative, and
- Context of use
Questions answered
Based on project constraints, along with the research questions we asked and the answers we aimed to discover, we focused largely on qualitative research across the attitudinal dimension. We added a specific, simulated situational context to each research session to help develop a ‘proxy’ understanding for the behaviours people exhibit when signing up to products and services and engaging with a variety of agreements, like Terms and Conditions and Privacy Notices.
This helped us develop a foundational understanding of how people feel about existing agreements. It also helped us to begin deepening our understanding of how people actually behave when faced with such agreements.
What did we discover?
Our research revealed six key insights that followed a sequential narrative. This sequential narrative aligns to existing academic and commercial research.
1. Consumers have limited choice
At the beginning of the prototype, a choice: Continue or read updated legal terms. All participants continued, with immediate action to remove the barriers to their outcome. None of the participants took time to read the legal agreements. On average, the participants took no more than two seconds to either select “Yes, I Accept” or close the notice.
The average time for a participant to go through the entire experience was two minutes. This was an experience enabled by four primary parties. Each had their own agreements. For a person to read all four agreement they’d have to invest almost three hours of time.
We asked participants to read the primary parties privacy notice. They asked to stop (on average) at the four minute mark. The notice they read should have taken 19 minutes.
Participant one revealed that, whilst she knew “there is very little choice in purchasing things online”, she felt she had to do it. Participant five noted “all companies have it”. If she wanted a product, she needed to agree to the company’s privacy policy (notice). She explained, “I do have a choice, but to get the deal I don’t have a choice”.
2. Disempowerment leads to apathy
Participant’s described the privacy policies (notices) and practices as “standard” in dismissive tones. Their comments and expressions indicated apathetic behaviour. This is frequently observed in situations where people have a limited choice.
The lead researcher asked participant one about her obligations outlined in the privacy policy. She first crossed her legs and arms. She then answered, “it is something that is just casual… I guess it’s a bit annoying”. The aloof language of ‘something“ and “a bit annoying” was followed with her perspective of the current data ecosystem, where she stated “but this is how the world is moving…. people “need things”. So I think if it makes my life easier, why not?”.
Participant three shared a similar perspective. She was asked how she felt about (potentially) hundreds of organisations having access to data about her. She went on to explain that her data ”is just out there”. Even if she went to brick-and-mortar shops ”they are already collecting data on me. That’s just the way shopping works these days.”
The inescapability of passive data collection has led to the disempowerment of consumers. Many have become apathetic towards these activities. Participant six exemplified this position, stating “I feel like it’s standard. You read it everywhere. So yeah… okay. Let me just purchase what I came here for.”
3. Apathy leads to indifference
All participants expressed a dismissive position towards current practices. This leads individuals to remove current data practices from critical judgement. Participant two repeated, “you don’t know what you don’t know”. This view of practices as something “you don’t know” is combined with an indifference to the situation. She went on to state, “in order to move forward with the world and tech, they need lab rats”, smiling with open body language. This indifference of getting used as a “lab rat” may point to a history of limited choice, disempowerment and apathy.
Patterns of behaviour were similar across all participants. Participant three expressed a lack of concern for her “details” getting used. She stated “I am not too bothered to tell you the truth” as she laughed, swinging her chair away from the screen. Participant six also laughed and shrugged as she went on to state, “I mean, what are you gonna do? Not leave the house?”. She went on to dismiss explanations of current practices with, “yeah”, “fine”, “whatever” and “cool”.
When making some final comments at the end of the session, participant one said, “I brush it off I guess. It just needs to be done… Well it doesn’t need to be, but everyone wants things to be as convenient as possible.”
4. Consumers sympathise with companies
Participant’s displayed sympathy for data collection and processing activities. This sympathy was expressed in the context of justifying the rationale for their own behaviour.
Participant one excused PayPal’s practices. They are a “massive company that does so many different things”, and need to do “a lot of paperwork” to make their services “available for the consumer”. Participant three also defended PayPal, stating how they have a “very good security system… [they] just need it [data]”. Furthering this perspective, participant six stated “protecting the company is protecting me”. Participant two stated that the company needs “all my personal information” to complete the transaction.
The participants also put the responsibility on themselves. Participant five stated the company, “fulfilled their duties” and it is her “own fault” they do what they do. Another said she doesn’t “want to blame other people…at the end of the day, the company needs to do this to cover for what may happen”.
5. Learning leads to dismay, then proactiveness
During a session debrief the researchers explained the current data sharing ecosystem in detail. The body language of the participants indicated clear discomfort. 5 of the 6 participants crossed their legs or arms, with participant five slouching to coil into herself. Other participants were sitting straight up on their chair. Researchers observed various gestures of discomfort. Ranging from looking away from the interviewer, to hands around the neck and clenching of fists. Participants eventually became more engaged. They began asking questions about the things they could do to protect their privacy.
Participant three asked about the safety of sited. She wanted to understand the meaning of the content in the privacy policy (notice). At each mention of data collection practices, her body language recoiled. This body language was more open post-debriefing. In fact, she noticed the sticker on the laptop used during the research session. “I will put a sticker on my camera now”.
Explanations of third party sharing evoked enthusiasm from participant four. She proceeded to share how she had bought an item from Google, then began seeing ads for similar products on Facebook. Her dismay was clear as she explained how “no one else knows this, not even my friends” in a high-pitched voice. Crossing her arms to say “but somehow Facebook knows”. She readdressed Gmail’s intervention during the experience. Describing how she felt good about them giving her confirmation, “but now I am thinking how many companies have my information?”.
6. Legal agreements need re-thinking
The participants all agreed legal agreements need to be re-thought. Basic suggestions were readability and length.
Participant one asserted how “a condensed version should be available”. While dismissing this initiative and stating “it wouldn’t happen”. Another stated “for the simple person, this will be complete Mumbo Jumbo… a condensed version should be available”. Participant three questioned, “I don’t know why it needs to be so long”. Participant four, described the policy as being “in words that we cannot even think in. It doesn’t even make sense in relevance to the product”, stating that the policy needs to be in “simple” words.
Apprehension towards legal agreements was most clear in participant five. She’d scoffed at the researchers’ suggestion to read the privacy policy (notice). Saying “well you need to have a masters degree to understand this”. She said “they write it purposely so that normal people cannot understand it”. Further, people should be able to “skim through” a policy that highlights what “you need to know as a customer”.
What does this mean?
Organisations are doing a poor job of supporting their customers in making informed, active choices. In some cases, signing up for a bank account is an activity that takes a few minutes. Yet stuck in the middle of all this is 33,000 words reading at a Grade 16 reading level. You need to read them, but you don’t. It’s too hard. We can all empathise.
The form factor is broken. Organisations must do more to inform, empower and enable their customers.
Thing is, this is far greater than terms and conditions. It’s greater than service design. It’s about incentives structures. It’s about the architecture (client:server) of the web, which isn’t conducive to a privacy enhancing, humanity centric information economy. It’s the opposite. It enables and supports information monopolies.
This is about the future we want to actively design.
We’re highlighting this because participants were presented with some basic details about the scope (number of potential organbisations with access to information about them) of data sharing. We’re talking tens, hundreds and potentially even thousands of organisations. For the purpose of this research, we kept the estimate rather ‘light’. Even though the estimate was light, participants felt deeply uncomfortable.
We can highlight key aspects of this by articulating an additional challenge: ‘data leakage’. This exposes the entire ecosystem — including individual internet users — to significant risks. This isn’t a mistake, it’s how “programmatic” and “real time bidding (RTB)” advertising has, and currently works.
See (video) how RTB works here. Further explanation here.
See (video) how data leakage occurs in (online) behavioural advertising here.
Ad exchanges run an auction to determine which ad (version etc.) will be shown to the visitor of a given website. Exchanges share the data they process about a website’s visitors with several hundred prospective advertisers. This enables them decide (based on specific criteria) whether or not they’ll place a bid to capture the visitors attention.
Source: fixad.tech
In fact, research from New Economics Foundation’s estimates that ad exchanges broadcast intimate profiles about an average UK internet user 164 times per day. This is not a prerequisite of effective advertising. It’s arguable there are direct alternatives to this model. The entire ecosystem of Personal Information Management Services and alternatives to web infrastructure (i.e SAFE Network) support this alternative view.
In words that have been written before, “the online advertising system was not built for data protection”. We’d argue more strongly. The current web was not built for data protection.
There’s early precedent being set in the EU, specifically by the CNIL. The Vectuary case is an example of this. Vectuary, relying on the IAB’s Consent Framework, ended up storing personal data on 67.6 million people when it did not have a lawful basis to do so.
A series of complaints have also been filed that evidence the extent of data leakage. See a specific example of a filing here.
It’s likely this story has only just begun. Much progress is yet to be made.
Our perspective
Greater Than X was founded on the belief that the organisations closest to their customers would deliver the greatest value, meaning and engagement. This requires organisations to earn access to their customers. It requires organisations to earn their customers data trust (and be verifiably worthy of it). This trust will directly impact customer outcomes and bottom line business value.
Our work is consistently showcasing that organisations can evolve, albeit iteratively and incrementally. It’s showcasing more informed and empowered customer bases. It’s showcasing greater data trust and value.
This great work from the CPRC further highlights the systemic challenges our society faces today. It builds upon similar research conducted over the past decade. It has currency.
We can no longer ignore the evidence.
Talk to us if you’re ready to take the first (or second) step.
