The Uncomfortable Truth About Privacy Consent Banners

Advertise • The Podcast • Our Social Media

Summary

1. Privacy notices, intended to build trust, can actually undermine consumer trust and discourage purchases by highlighting data protection, making consumers feel more vulnerable.

2. Incorporating language that conveys care and respect for consumer privacy (benevolence cues) in privacy notices can mitigate negative impacts on purchase intent.

3. Privacy notices do not change the perceived value of a product but do affect willingness to purchase.

4. The study found no significant differences in reactions to privacy notices across age and gender.

5. For e-commerce platforms with limited customization, suggesting any form of consumer trust and care can be beneficial, even if specific privacy notice adjustments are not possible.

Top-Line Findings

What were those unintended consequences?

Yeah, so we set out trying to understand how consumers respond to privacy notices. And so as part of the research, we surveyed managers across different industries. And a large majority of these managers expected privacy notices to help customers feel more secure. But it turns out their intuition was flawed. So we conducted a series of six experiments involving nearly 20,000 people. And we compared consumers' interest in purchasing from a website or an app that either included or didn't include a privacy notice. And one of the things we found is that telling customers how their personal data is protected can undermine consumer trust and discourage them from making a purchase. So I like to compare it to going to an elementary school and seeing bulletproof glass and metal detectors. Their purpose is there to protect you, but instead of making you feel safe, they could make you feel more vulnerable.

It's interesting because that's counter to, I think, everything that is both instinctive as marketers and everything that's taught as well. You would think that the more we layer on sort of, "We'll take care of your data," the more secure people feel.

Yeah, and so certainly this does challenge that intuition, right? That telling consumers how their personal data will be protected is going to be good for business. And for most firms and privacy advocates, that's not great news. As researchers, my co-authors and I are definitely supportive of respecting consumers' privacy. And we want to encourage firms to be responsible and transparent in their data practices. So another thing we looked at after kind of initially discovering this is how could we provide actionable guidance to managers on how to effectively convey privacy information without hurting purchase interest. And so we tested how changes in the wording of a privacy notice affected consumers' willingness to purchase. And we found that consumers were less turned off by privacy notices that included what we call benevolence cues. So those would be statements like, "We care about protecting your privacy," or "We respect you and promise to treat you fairly," or "We're committed to the protection of your information." And the interesting thing is that although these statements don't offer any legal protection to consumers, they do seem to help build trust by conveying to consumers that companies have good intentions. And so adding these benevolence cues to a privacy notice can reduce or even reverse its negative effects on purchase interest.

“Collect” or “Protect”?

I think the example that you used in this study was that you changed the phrase "We collect your information" to "We protect your information." Did you study how people's purchase intent changed when you made substitutions like that?

Yes. So in fact, in one study, people were more likely to buy a product when a privacy notice had these benevolence cues than when a privacy notice did not include comforting language or when privacy information wasn't readily available at all during the checkout process.

The Experiments

One of your studies came from a test that you did on a financial services website, like a real site, one that's in the market. Can you walk us through what you tested and what you found?

There was surprisingly little previous research about how privacy notices affect consumers' purchase decisions. And as far as I know, we conducted the first published field experiment looking at this issue with actual customers.

The company we partnered with was Borrowell, which is a Canadian financial technology firm with over a million users. And to sign up for Borrowell's service, visitors have to complete a nine-step enrollment process that involves providing some sensitive personal information.They have to give things like their name, their address, birth date, phone number, income, financial goals, and access to a credit report.

And so each prospective customer who visited the site was randomly assigned to one of two conditions.

• In the control condition, only a hyperlink to Borrowell's privacy policy was provided on the first screen of the sign-up process.

• In the other condition, the link was preceded by an explanation of Borrowell's commitment to the protection of customers' personal information.

And as predicted, enrollment was significantly lower in the condition with the detailed description of privacy protections than in the control condition that included only a privacy policy link.

These results suggest that prominently displaying detailed privacy protections can drive consumers away, which could end up costing Borrowell hundreds of thousands of dollars per year in lost revenue.

We conducted this study over a seven-day period, and so if you extrapolate, that's kind of the estimate for what they could stand to lose.

The Effects of Seeing a Banner

One of the things I thought was interesting is that you found that while people might be less willing to buy something after seeing a privacy notice, their perception of the value of that product didn't actually change. Did that surprise you?

The thing that surprised me the most is that consumers are more likely to purchase from a company that makes no promises regarding the protection of consumer privacy than from one that is transparent in describing its data practices.

And the reason for that is that a privacy notice places legally enforceable limits on a firm's data practices.

It communicates safeguards, and it might be expected to promote confidence that one's personal data will not be misused.

But, you know, as I said, instead of making people feel more secure, we found that it does undermine trust and purchase interest.

And yeah, it doesn't change the value, but it does change the willingness that they have to pay for that product.

I was also surprised that something as seemingly trivial as including benevolence cues in the privacy notice, you know, these subtle changes that we make to the language, could counter the negative effects.

Yeah.

Gender or Age Differences

Were there any significant differences between generations or genders?

No. So we looked at age and gender as covariates, meaning, you know, we tried to see if there were differences across those variables, and we didn't find any.

What If You Can’t Control Your Site?

A lot of people who are listening to the podcast, people who manage e-commerce sites and so on, they don't have control, this level of granularity of control over whether there's a privacy box, what it says, you know, that sort of thing. So for those people, like I'm thinking people who use kind of like a preset theme in Shopify or something like that, for those people, is there any way to counter the loss in purchase intent?

Anything that you can do to build consumer trust and to let them know that you care about them, that you're committed to, you know, not only competently protecting their privacy, but also that you have their best interest in mind and at heart.

I think any kind of cues that you can give along those lines should be effective.

But, you know, you're sometimes limited by the platform in terms of the extent that you can use to, you know, communicate these cues.

What If You Have Full Control of Your Site?

Well, let's go the other way. If someone has full control over their site and they can choose whether a privacy notice appears or doesn't appear, is it you're finding that they should just not show one?

No, I would say that the finding is if you incorporate benevolence cues into your privacy policy, we found that in some cases it can actually be beneficial.

So it can actually increase purchase intent beyond what it would be in the absence of any privacy communication.

The downside or the thing you want to avoid is having a privacy notice that does not include benevolence cues.

And as part of the research, one of the things that we did is we looked at a random sample of privacy notices of companies listed on the NASDAQ Stock Exchange, and we found that benevolence cues were in fact quite rare.

So one of the things that I hope that our research will prompt more companies to do is to include language in their privacy notices that communicates caring and fosters consumer trust so that consumers are more willing to provide that information and do business with the companies, but the companies are not discouraged from being transparent in what they're doing with the customers' personal data.

The “Perfect” Privacy Banner

If you were VP of policy or VP of privacy or whatever for an e-commerce company and the CEO said, "You've got a day. Design for me the perfect privacy apparatus as it is forward facing to the consumer." What does it look like? Is it a box? Is it a pop-up? How big is it? Tell me the words to use.

Yeah, that's the million dollar question, right?

If it is, or more.

I think that there's obviously no solution that fits all different situations, and I think some of that's going to be dictated by the situation and the context.

But I think the key results from our research are do things that build consumer trust.

And so in addition to conveying that you will protect their information, make sure that you're communicating how much you care about their privacy and how much you care about them.

But I think from other privacy research that I'm familiar with that other people have conducted, I think there are a lot of best practices out there in terms of being very concise, trying to avoid jargon that people aren't going to understand.

But to be very open and transparent about what you're doing and explaining to them why you're collecting this data, how it will be used, and what the benefits are to them of your collecting this information.

So if you're collecting a particular piece of information, explaining that this might allow you to customize the product or the experience to their needs, that can be a way to help.

What Surprised the Researcher the Most

What surprised you the most about your findings?

Well, like I said earlier, I think one of the biggest surprises was just the fact that people would be so willing to give up their personal data without any promise that it will be protected.

When I first started doing this research, I looked at some of the most popular apps on the App Store.

And this was before there was regulation that required them to have privacy policies.

And some of the most popular apps for finance or for fitness, where you're entering personal health information or medical conditions or things like that, or you're entering financial data, there were no privacy policies on those apps.

And I thought that was shocking, frankly.

And then the other thing that I think is surprising, like I said earlier, is that I think just changing the language slightly can reduce these negative effects that we've observed of bringing privacy information to the forefront of people's minds.

Author’s Motivations

What made you want to study this?

I think part of it was noticing this about the apps. I've done some other privacy research. So I have a couple of recently published papers where we look at the implications of the pandemic for privacy.

One effect of the pandemic is that there's been this large pool of personal data that's been generated that was not previously available. And that's partly due to increased collecting and sharing of consumer information by governments and businesses. But it's also partly due to an increase in online activities and voluntary self-disclosure by people who are isolated.

And we identify some opportunities, challenges, and open questions that this poses for both consumers and marketers.

In another paper, we look at the need to consider both individuals' motivation to protect their personal information, but also their knowledge of how to do so.

A lot of the research in privacy looks either at motivation or at knowledge, but not at both. And, in fact, many consumers are fairly privacy illiterate. They're not able to accurately predict how they will respond to privacy threats. And so in order to do that, we need to consider not only their motivation, but also their familiarity with privacy-related issues.

So to answer your question, you know, privacy has been something that I've been interested in for a while now. I'm working on it from several different angles, and that's kind of what got me thinking about privacy notices.

As I said, I'm an advocate of transparency in privacy practices. I think it's ethical for companies to disclose how they are going to be using consumers' personal information.

And as a consumer, I want my personal information to be protected.

And I think there's a lot of benefits that I can get by providing it, but I want to make sure that I know how they're going to be using it, how they will be protecting it.

And so, you know, I think privacy notices are important.

And I think that, you know, as our research shows, they can be very influential in influencing consumer purchases.

How the Author’s “Consumer Hat” Has Changed

I'm curious, given that your research sort of focuses around privacy and the web and e-commerce and so on, has your research or your experience in this changed the way that you move through the web as a consumer?

You know, it has a little bit, but I'm like everyone else, I think, where I often don't read privacy notices all the way through, especially if they're long and full of technical jargon.

But I have become more aware of it, I think. I've been particularly more aware of their absence. And I think that's the thing that a lot of people, you know, they're just when they're shopping, they're not always thinking about privacy.

And so that's the thing that kind of started us off on doing this research is that the absence of a privacy notice doesn't usually send up red flags to consumers, but it should, because what that means is they're making no promises.

They could be collecting any data from you and making no promises about how it will be protected or used. And so I think privacy notices are there to protect us.

just want to make sure that companies have a way of communicating that in a way that won't hurt their business, because otherwise they're essentially given an incentive not to convey that information, which I think hurts consumers overall.

¹ Some links in this newsletter may provide affiliate revenue to us.