The average internet users are now inundated with more information on privacy matters than ever before, elevating their understanding of how internet companies utilize user data for their gains. However, awareness alone isn’t sufficient, as users often refrain from undertaking actions that could push companies to adhere to privacy norms. Privacy advocacy and new regulation in many countries is helping users in understanding privacy issues. They are pushing businesses and service providers to comply with practices that safeguard users’ interests. However, regulators could further enhance their approach – they need to understand the psychological aspects of consent and build solutions that position more intentionality around sharing decisions. The peak of privacy would be, when users click ‘I agree’, they mean it and know what they are consenting to.
Factors influencing privacy consciousness
User consent isn’t indicative of acquiescence, as they often would prefer to share limited details, or keep other information anonymous. Unfortunately, when users are confronted with a binary option of using a service with full consent or rejecting it, they often choose the former. This lack of granularity poorly reflects the diverse set of preferences we know users to have
Thankfully, several tech behemoths like Apple and WhatsApp have started to move towards more openly recommending user autonomy. This shift could be occurring due to the business edge they wish to attain by communicating pro-privacy policies or due to genuine interest in promoting a more conducive data environment. Either way, it indicates how the environment has become more user-centric.
Additionally, the changes in the ecosystem can be attributed to the advocacy and intervening regulatory authorities in Europe and the US. The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) strictly draw the lines around how businesses can operate when collecting data and the privacy guidelines they would have to follow.
These regulations have rightly created traction within the tech community, bringing a cultural shift within these organizations. GDPR has been instrumental in penalizing companies with fines for privacy non-compliance, which includes names like Google and Facebook among others. Google utilized user data for ad personalization, while Facebook granted third-party developers high levels of access to user data (most notably, Cambridge Analytica, which used that data for targeted political advertising). Both organizations had to pay hefty fines and undergo organizational changes, by bringing privacy consciousness into their daily operations.
During the pandemic, public and private entities that launched mobile apps to contact-trace people to counter the spread of COVID-19, faced intense scrutiny from civil society groups and European courts. They were not allowed to compromise user privacy and were instead recommended alternate means to detect its spread. Taking the privacy and legal aspects into cognizance, Apple and Google are now collaborating to execute contact tracing technologies that preserve user privacy.
India’s PDP bill and Consumer Behavior
To create an ecosystem of privacy compliance, companies and people need to understand the legal consequences of a privacy breach. However, India still lacks a regulatory framework, as its Data Protection Bill is 
still wedged in parliamentary consultation committees. Delays in passing a privacy law risks the misuse of user data. For instance, the government only recently scrapped a policy to sell data of vehicle owners to third party private companies, a policy practiced earlier as a public good initiative. Between 2014 and 2019, the government sold vehicular data from the ’Vahan’ database to 142 entities including banks, logistics companies, financial and, insurance companies, automobile companies etc. Moreover, the kind of procedures followed remains unclear and it isn’t established if consent was ever sought. Without a legal precedence, continuing with this policy would have been catastrophic for user privacy. A collective effort must therefore be made to emphasize the advantages of passing a privacy law and gaining customers’ trust.
With the rising consciousness among users about their privacy and global tech giants taking the lead to communicate user centric privacy actions, businesses could use privacy as a differentiator. A research initiative ‘IntAct’ between Kenya based Busara Center for Behavioral Economics and Ashoka University’s Centre for Social Behavior change (CSBC), is researching to understand how privacy metrics can help gain user confidence in a product or service.
In our first set of experiments, we sought to understand how organizations could better convey privacy standards to users. We tested a variety of labels, star ratings, and other simplified fact sheets, but found that few had a meaningful impact on user’s willingness to share data, or their overall comprehension of what they were sharing. However, we did find that by forcing a short “cool-down” period at the T&C page where the user is forced to engage with the privacy policy for a set time before he/she can click ‘I agree’, users were far more privacy conscious, and demonstrated better comprehension of the terms of the agreement.
While it may not be surprising that spending more time on the privacy policy leads to higher comprehension and more privacy conscious decision-making, we believe there may be a secondary (and arguably more important) psychological mechanism at work. With the added time to review the policy, the user is allowed to slow down and actively think on their sharing preferences, and the application of any data provided. This transition from automatic, reactive thinking towards a more deliberate state may allow them to better align their final decision with their true preferences, and ultimately create a more harmonious relationship between the user, the company, and their data.
Inducing higher (and even forced) users’ interaction with the privacy policy makes the job easier for users to decide whether they trust the firm with their information. The tech community is more prepared to embrace the privacy-conscious consumer, and a subsequent inclusion of these policies while passing a privacy law will be advantageous for businesses, citizens, and stakeholders alike.
