How a bottle of wine revealed massive GDPR waste

May 13, 2024

We all see them: those annoying pop-up boxes appearing on our screens asking us to consent to websites’ privacy and digital cookie policies.

You probably don’t read them; instead, you frantically rush the messages away by clicking “yes, I accept” without even thinking.

In fact, it is so rare for anyone to engage with the jargon that an offer of free wine, buried in the details, went unclaimed for months.

Last week, it was revealed that Tax Policy Associates, a think tank, had hidden a clause in their website’s privacy policy since February offering a free bottle of “good wine” to the first person who noticed it.

But it wasn’t until this month that someone stepped forward to claim the prize, highlighting how little we care about the piles of legal red tape that increasingly define our digital lives.

A sentence in the nonprofit’s updated privacy policy now reads: “We know no one is reading this, because in February we added that we would send a bottle of good wine to the first person who contacted us, and only received a response in May.”

Think tank founder Dan Neidle says the experiment, which involved a £30 bottle of 2014 Château de Sales Pomerol, was a personal, “childish protest” against regulations requiring all businesses to have a privacy policy “when no one is reading it”.

“I got an email out of the blue from a guy named Arthur. He was writing a privacy policy for his own website and doing research for other websites as well. That’s how he found it,” Neidle says, adding that Arthur unfortunately turned out to have an “alcohol intolerance” and so couldn’t enjoy his reward.

“This shows that no one reads these things normally. A normal person wouldn’t have the slightest reason to do this.”

Installer bureaucracy

According to the Information Commissioner’s Office, all firms that process and store customer information such as names and email addresses are required to provide an online privacy policy as part of their obligations under the 2018 General Data Protection Regulation (GDPR).

Those who do not comply will face heavy fines and loss of reputation.

But complying with the directives is often a burdensome task for small and medium-sized businesses (SMEs) and charities, costing energy and resources that could be allocated elsewhere.

As complexity has increased, so has the time companies spend ensuring they comply with regulations, according to new research from data and analytics firm Dun & Bradstreet; this figure increased by 46 percent last year alone.

Meanwhile, a 2021 survey by the Federation of Small Businesses (FSB) showed that two-fifths of its members described data protection as “the most burdensome regulation to deal with”.

Tina McKenzie, the FSB’s head of policy, says these regulations have a “disproportionate impact” on companies “who have fewer resources to devote to compliance than their larger counterparts”.

Neidle points out that even small community coffee shops, for example, need to have privacy policies to comply with GDPR, saying it means “money… [is] wasted.”

Dan Neidle is the founder of tax think tank Tax Policy Associates Ltd.

Dan Neidle favors simplified GDPR rules for small businesses, with clause about free wine in privacy policy – South West News Service

The solution, he argues, is to simplify by falling back on standard privacy terms that “apply by default to typical small businesses that do not process customer data.”

He says these shouldn’t require cookie policies and will help businesses save money and “save consumers from annoying clicks”.

McKenzie, however, agrees that data protection laws are a “vital” part of life in the 21st century.

But their “complex” and “sensitive” nature means small businesses often need greater support and understanding from regulators, not only to ensure compliance but also to “reduce the financial and time costs of doing so”.

Regulators must be “proportionate” in applying these rules, McKenzie said, focusing on “education and support in the first instance”.

“Having tons of text required by law that very few people read in practice undermines the consumer protection we all want to have. This also costs time and money that small companies cannot afford.”

In fact, stringent requirements can distract entrepreneurs from important priorities such as increasing profits, growing their businesses, and creating jobs for local communities.

“Starting a business isn’t just about doing fun things; there are a lot of compatibilities that can’t be ignored—but all of that contributes to the long hours and the feeling that you’re facing the world while trying to build traction and momentum,” says small business and coworking expert Gareth Jones, CEO of Town Square Spaces Ltd.

Hours of reading time

On the consumer side, there is little incentive to sift through tens of thousands of policy words, no matter what it costs businesses to produce them.

Not only are they extremely complex, but they are also getting longer every day.

A 2021 study by De Montfort University found that the average length of privacy policies increased from 1,000 words in 2000 to 4,000 words in 2021.

Dr. Isabel Wagner, the associate professor of computer science who conducted the research, found that the average word count increased after the European Union implemented the GDPR in 2018 and again after California adopted its own privacy policies in 2020.

“As a researcher working on privacy, I find myself accepting privacy policies but not reading them,” she told New Scientist in 2022, acknowledging that her study of nearly 50,000 texts was triggered by recognition of her own habits.

Typical policies “require a college education to understand” and take at least an hour to read, Wagner said.

If you stop and digest each one, this essentially amounts to a part-time job.

A study of the most popular websites in 19 different countries by NordVPN in October last year found that the average privacy policy was 6,461 words long.

The research found that it would take around 11 hours to read every word of every policy on each of the 20 most visited websites in the UK, based on the assumption that people read an average of 238 words per minute.

And over the course of a month, if the typical Brit fully read every privacy policy on every website they visited, they would rack up close to 53 hours of reading time, approximately 20 hours longer than the average workweek nationwide.

Call for ‘rethinking’

The apparent absurdity of the situation has led to calls for policymakers to make adjustments.

The FSB’s McKenzie says there needs to be a “rethinking of how the system works” to make the legislation “easier to understand for everyone”.

She says this must be done in a way that maintains “the data adequacy we need to maintain the flow of business between the UK and other international jurisdictions with their own rules.”

Jordan Phillips, founder of food delivery company Tin Can Kitchen, agrees that current data protection regulations can be confusing for both consumers and small businesses, arguing that a new approach is needed. He says the wording in the regulations is “verbose” and should be “condensed” to make it easier to understand.

“I think this should definitely apply to small businesses that don’t have the money or resources of big businesses,” he says. “We’ll see how this translates into real-world cases.”

Austin Walters, director of website design firm Triplesnap Technologies, recommends that regulators take a tiered approach that simplifies the requirements for small businesses that do not handle highly sensitive data. Meanwhile, companies with more personal or sensitive information about their customers will need to continue to impose “tighter controls.”

“Simplifying legal jargon and making policies more accessible can increase consumer trust and understanding without compromising data security, ultimately improving user interaction with these important documents,” he says.

Others argue that corporations also have a role to play.

Andrew Wilson-Bushell, a partner at law firm Simkins LLP, says firms need to make sure they only provide clients with information they actually need to engage with.

But he acknowledges that long and unpopular privacy policies ultimately serve an important purpose.

“Writing a privacy policy requires a business to understand its personal data use and map it out in a relatively understandable way. This can often feel like overkill until a serious data breach occurs.”

Neidle, however, remains extremely skeptical about the demands GDPR places on SMEs.

This is despite a historic increase in engagement with the think tank’s small print following the wine stunt.

“We had 1,000 people read our privacy policy in the last 72 hours, but no one looked at it for the entire month of April,” Neidle says, citing web traffic data.

“It seems crazy to me that my local coffee shop has to deal with the same rules as Facebook,” he adds.

“Why can’t there be a simplified version of the rules for small businesses and nonprofits?”
