24 May 2018 399 words, 2 min. read

30 days to read privacy policies: consent fatigue will make GDPR ineffective

By Pierre-Nicolas Schwab PhD in marketing, director of IntoTheMinds

It is said that the average American is subject to some 1500 privacy policies on a yearly basis, which represent dozens of working days' worth of reading. I did a little bit of research to find out where this comes from and found out that the figure of 75 days' worth of reading often cited in the press is erroneous. I did the math and found 30.5 days.
Find out more in this article about “consent fatigue”, the potential inefficiency of GDPR and the math behind privacy policies.

2514 words in a medium privacy policy and exposure to 1462 policies per year

The study by McDonald and Cranor (2008) is pretty old, but it is nonetheless a good starting point to see how the situation has evolved.
The study examined privacy policies from 75 major US websites. The first part of the paper focuses on evaluating reading time as a function of word count; the second part looks into how many websites are visited on a monthly basis. The authors found that

“on average Internet users visit 52 different sites exclusively at work, 105 different sites exclusively at home, and 14 sites at both work and home.”

Doing the math on an annual basis is more complicated than anticipated, as in 2008 there were no statistics available on how many websites are visited on an annual basis. The authors evaluated (see table below) that the average user visited 1462 websites per year.

The authors conclude that an average person needs 244 hours per year to read privacy policies, which represents slightly more than 30 working days.

Although this research was published 10 years ago, its results are still referred to. But usage has changed a lot in the last 10 years (especially with mobile use, which was still in its infancy back in 2008 when the research was published). An update is much needed, even more so now that GDPR comes into force this week, to see whether the situation is improving or degrading.

In conclusion: can privacy be regulated?

In the past years the concept of “consent fatigue” has emerged (see Pereira, Benessia and Curvelo, 2013) that explains why users are not reading privacy policies anymore and, as a consequence, why regulations like GDPR will remain ineffective. Indeed, if users accept policies without reading them, regulation will remain ineffective, as abusive policies may still be accepted because of consent fatigue. The only solution hence is to educate users to raise awareness and limit abusive behaviors.

 
