UNDERSTANDING THE TERMS AND CONDITIONS: THE REALITIES OF PRIVACY IN TODAY’S DIGITAL ECONOMY
Published on December 11, 2020
The average person spends an average of a little under 7 hours surfing the web, whether it’s on their mobiles or by way of their personal computers. With smartphone penetration reaching record highs even across emerging markets across the globe, perhaps it should come as no surprise that an over-saturated mobile app ecosystem has fuelled increasingly cluttered screens with an average of 35 apps installed on a smartphone. This is by no means a small number given that users spend around 2 hours and 11 minutes per day using mobile apps.
As technologies have evolved and matured over time, the digital economy has grown, functioning as a valuable foundation for modern commerce. This reliance has only grown in the past year amid the ongoing coronavirus pandemic with many consumers leveraging digital tools for the first time. That being said, when technology becomes so intrinsic to our everyday lives, it almost becomes second nature. For one, when it comes to browsing the web or utilising the apps on your phone, when’s the last time you actually took the time to read the Terms and Conditions? Have you ever actually considered what you’re providing consent to before looking at a web page or entering an app?
The fact is, what we don’t realise is that trackers are actually hidden in the apps we use everyday and contain a trove of exceptionally revealing data points about who we are, what we like, and what sites and apps we’re engaging with the most. As part of the mobile app economy, much of this data goes to companies across the globe for marketing or advertising purposes. Similarly, the data collected from the websites we visit are used to provide more personalised ads to us. While the use of our data may not necessarily be harmful, the knowledge that information about us — often information that we may not even know our apps possess — is being passed around by unknown companies can be unnerving, especially once we realise the scale of the data being collected and utilised.
Navigating the ins-and-outs of data collection: The who, the what, and the how
That’s right, you’ve probably guessed it! Most of us would simply click “I accept” without doing a proper read-through of all the terms and conditions, never fully realising what or how much of our personal information we may be signing away with that one tick.
So exactly what data is it that we have given the app the permission to collect (and sell)? Well for one, our personally identifiable information (PII) which includes our names, usernames and passwords, email addresses, and phone numbers. Simultaneously, information on our app usage and consumption habits, as well as our preferences are all logged. In a report released by India-based data privacy consultancy Arrka entitled, “State of data privacy of Indian mobile apps & websites: and how they compare with the rest of the world”, it was found that 71 percent of Android apps have access to your exact location and 50 percent can even access your contact list.
Crazy, right? Would you have given access to that if you knew?
With the large swathes of data stored on our phones through our app usage or website browsing, our mobile phones can perhaps be considered the holy grail for advertisers when it comes to serving up the most relevant and personalised ads back to us.
How can this be possible?
Let’s look at the example of a ride-sharing app. In order to book a ride, you will need to enable location services, which in turn sends your location data back to the app for your pick-up location. While this may seem harmless enough, what most users don’t realise is that in turning on location services on their phones, their location data may then be transmitted back to other companies that the unknowing user may never be aware of.
What we just described above is typically made possible by software development kits (SDKs) which the companies that receive your data provided to app developers for free, in exchange for the data that is then collected from an app user. In addition, these companies may also get a cut of the ad profit that the app may serve to you.
Do you really know what your devices are doing?
Now that we’ve understood what and how data is being collected, let’s unpack some of the issues that have resulted in the ever growing calls for increasingly consumer rights when it comes to privacy.
For one, the issue of data maximalism is growing to become a particularly significant issue among apps across the Android and iOS ecosystems. Throughout Arrka’s study, it was found that the manner in which apps collect personal data through permissions and trackers was highly contextual, varying significantly between the app category and the functionalities a given app provides. With multiple, yet highly granular variations in permissions, Arrka found that it was “difficult to justify [these variations] as the functionalities provided were similar”, indicating excessive, redundant requests for consumer permissions and therefore, an over-collection of data. This observation was shared across both web and mobile.
Meanwhile, Arrka’s study also evaluated the issue of transparency, assessing the extent to which organisations were being fully transparent with their consumers when it came to their privacy policies. By leveraging the Fleisch Reading Ease Scale — a standard readability formula used by US government agencies — Arrka found that the privacy notice of an average India-based organisation was rated 32/100 on the Readability Scale. Standard acceptable scores on the Scale fall under the 60 to 70 range, clearly conveying that local brands are falling short with no significant increase in readability having been observed in the last three years.
With today’s data-driven advertising ecosystem continuously growing in complexity coupled with the ubiquity of online platforms, consumers have equally become more aware and conscious of their rights to data privacy. Whether it’s invasive ads or the jarring realisation you’ve been a victim of a data breach, consumers have become increasingly sceptical of advertisers and brands.
A fragmented regulatory regime
As we traverse across the globe from East to West, one thing is certain: the trend towards greater data privacy and ethical data collection will only grow upwards. This is most evident through a slew of regulations that have cropped up over the years, namely the gold standard pioneered by the European Union’s General Data Protection Regulation (GDPR) to the more recently sworn-in California Privacy Rights Act (CPRA). To take a deeper dive into this new regulation, check out our blog post on CPRA and what this means for marketers.
In fact, the impact of GDPR cannot be overstated with Arrka’s study finding that across both the Android and iOS ecosystems, EU apps take the least permissions overall when it comes to access to contacts and messages, recording audio, location, permission to notify, phone status, and other apps on one’s device. Shaped by the framework’s steadfast encouragement of data minimisation, platforms and developers have been forced to adopt their default app permission settings and privacy policies accordingly.
On the other hand, when comparing US apps to Indian apps, a markedly higher percentage of US apps seek to “Always Have Access” in a user’s permissions settings even when the app is not in use: 24 percent of US apps had this setting compared to 18 percent of Indian apps. The CPRA, therefore, represents a crucial step forward, one that can potentially set an even higher standard for privacy protections in what is arguably the world’s most valuable market for tech, as shaped by long-standing Silicon Valley giants.
If we zoom out, the problems are clear: the global regulatory regime for consumer data privacy and protections is woefully inconsistent, fragmented, and varied, leaving brands and platforms alike at a loss as to how to best navigate tumultuous waters. After all, no business today is confined by geographical, political borders.
Setting the standards
In the same way that the digital advertising industry is responding to the impending threat of third-party cookies, we equally need to take the same approach when it comes to privacy compliance. We need to set our own standards, we need to self-regulate. By holding ourselves accountable and understanding the technologies that we leverage today and where they stack up in relation to existing privacy frameworks, we can ensure that we’re always building with the future in mind.
Take India: now on the verge of releasing its own Personal Data Protection Bill, Arrka developed its own Privacy Index to evaluate the state of privacy on the country’s digital platforms and applications across multiple industries. Arrka’s Privacy Index provides a Unified Privacy Score ranked 1 out of 100 across the country’s landscape of mobile apps and websites based on 9 privacy principles and evaluated across 57 parameters. Through its holistic approach, it evaluates privacy on a contextual basis, taking into account sector-specific nuances and how these industries rank against one another and against the country’s average score. For more information on Arrka’s Privacy Index, read on here.
Metrics such as the Privacy Index provide consumers with the much-needed resource and assurance of transparency of where their privacy rights are most needed and whether organisations and industries alike are being sufficiently forthcoming in how their data is used. As an example of what ongoing monitoring and self-regulation can look like, the Privacy Index is a promising model for what cross-sector collaboration can provide.
With only 132 out of 194 countries having data privacy frameworks in place with Africa and Asia showing a similar level of regulatory robustness, what lies in store for some of the world’s emerging markets and how will marketers adapt? As discussions surrounding privacy continue to gain prominence, these countries face a tipping point as digital transformation accelerates: will they put their citizens first, as they navigate the realities of a digital economy?