Today in Digital Marketing - The Uncomfortable Truth About Privacy Consent Banners (deep-dive interview)
Episode Date: February 9, 2024One of the jobs of a marketer is to instill in the consumer a sense of trust — trust in the brand, trust in the product or service, trust in how the company handles their personal data, and so on.Th...at latter job is often fulfilled by putting a privacy notice on the site. Sometimes we do it because it's the law in our country; sometimes, in an effort to show people we're a responsible company.But are we shooting ourselves in the proverbial foot?That's what Aaron Brough and his colleagues set out to discover. Dr. Brough is an Associate Professor of Marketing at Jon M. Huntsman School of Business at Utah State University. He is the co-author of a new scientific research study called "[The Bulletproof Glass Effect: Unintended Consequences of Privacy Notices](https://journals.sagepub.com/doi/10.1177/00222437211069093).".Our Sponsors:* Check out Kinsta: https://kinsta.comPrivacy & Opt-Out: https://redcircle.com/privacy
Transcript
Discussion (0)
It's the season for new styles, and you love to shop for jackets and boots.
So when you do, always make sure you get cash back from Rakuten.
And it's not just clothing and shoes.
You can get cash back from over 750 stores on electronics, holiday travel, home decor, and more.
It's super easy.
And before you buy anything, always go to Rakuten first.
Join free at Rakuten.ca.
Start shopping and get your cash back sent to you by check or PayPal.
Get the Rakuten app or join at Rakuten.ca.
R-A-K-U-T-E-N dot C-A.
Do you have business insurance?
If not, how would you pay to recover from a cyber attack, fire damage, theft, or a lawsuit?
No business or profession is risk-free. It is Friday, February 9th, and normally, of course, you hear the podcast at this time.
Today, our agency is off at a full staff retreat.
So instead, we bring you this deep dive interview.
One of the jobs of a marketer is to instill in the consumer a sense of trust, trust in
the brand, trust in the product or service, and trust in how the company handles their
personal data.
The latter job is often fulfilled by putting a privacy notice on the site.
Sometimes we do it because it's the law in our country.
Sometimes in an effort to show people
we are a responsible company.
But are we shooting ourselves in the proverbial foot?
That's what Aaron Brough and his colleagues
set out to discover.
Dr. Brough is an associate professor of marketing
at the John M. Huntsman School of Business
at Utah State University. He is the co-author of a scientific research study called
The Bulletproof Glass Effect, Unintended Consequences of Privacy Notices. And he joins
me from his office in Logan, Utah. Dr. Brock, welcome. Thanks, Todd. Good to be here. All right,
let's start with the top line findings.
What were those unintended consequences?
Yeah, so we set out trying to understand how consumers respond to privacy notices.
And so as part of the research, we surveyed managers across different industries,
and a large majority of these managers expected privacy notices to help customers feel more secure, but it turns out
their intuition was flawed. So we conducted a series of six experiments involving nearly 20,000
people, and we compared consumers' interest in purchasing from a website or an app that either
included or didn't include a privacy notice. And one of the things we found is that telling
customers how their
personal data is protected can undermine consumer trust and discourage them from making a purchase.
So I like to compare it to going to an elementary school and seeing bulletproof glass and metal
detectors, right? Their purpose is there to protect you, but instead of making you feel safe,
they could make you feel more vulnerable. It's interesting because that's counter to, I think, everything that is both instinctive as marketers and everything that's taught as well.
Like you would think that the more we layer on sort of, you know, we'll take care of your data, the more secure people feel.
Yeah. And, you know, so certainly this does challenge that intuition, right?
That telling consumers how their personal data will be protected is going to be good for business.
And for most firms and privacy advocates, that's not great news.
As researchers, my co-authors and I are definitely supportive of respecting consumers' privacy.
And we want to encourage firms to be responsible and transparent in their data practices. So another thing we looked at after kind of initially discovering this is how could we
provide actionable guidance to managers on how to effectively convey privacy information
without hurting purchase interest.
And so we tested how changes in the wording of a privacy notice affected consumers'
willingness to purchase.
And we found that consumers were less turned off by privacy notices that included what we call benevolence cues.
So those would be statements like, we care about protecting your privacy, or we respect you and promise to treat you fairly, or we're committed to the protection of your information. And the interesting thing is that although these statements don't offer any legal protection to consumers, they do seem to help build trust by conveying to consumers that companies have good intentions.
And so adding these benevolence cues to a privacy notice can reduce or even reverse its negative effects on purchase interest. I think the example that you use in this study was
that you changed the phrase, we collect your information to we protect your information.
Did you study how people's purchase intent changed when you made substitutions like that?
Yes. So in fact, in one study, people were more likely to buy a product when a privacy notice
had these benevolence cues than when a privacy notice had these benevolence cues
than when a privacy notice did not include comforting language or when privacy information
wasn't readily available at all during the checkout process.
One of your studies came from a test that you did on a financial services website, like
a real site, one that's in the market.
Can you walk us through what you tested and what you found?
Sure. So, you know, there was surprisingly little previous research about how privacy notices
affect consumers' purchase decisions. And as far as I know, we conducted the first published field
experiment looking at this issue with actual customers. So the company we partnered with
was Borrowell, which is a Canadian financial technology
firm with over a million users. And to sign up for Borrowell's service, visitors have to complete a
nine-step enrollment process that involves providing some sensitive personal information.
They have to give things like their name, their address, birth date, phone number, income,
financial goals, and access to a credit report.
And so each prospective customer who visited the site was randomly assigned to one of two
conditions. In the control condition, only a hyperlink to Borrowell's privacy policy was
provided on the first screen of the signup process. In the other condition, the link was
preceded by an explanation of Barwell's commitment
to the protection of customers' personal information. And as predicted, enrollment was
significantly lower in the condition with the detailed description of privacy protections
than in the control condition that included only a privacy policy link. And so these results suggest
that prominently displaying detailed privacy protections can drive consumers away, which could end up costing BorrowWell hundreds of thousands of dollars per year in lost revenue.
We conducted this study over a seven-day period, and so if you extrapolate, that's kind of the estimate for what they could stand to lose. One of the things I thought was interesting is that you found that while people might be less willing
to buy something after seeing a privacy notice,
their perception of the value of that product
didn't actually change.
Did that surprise you?
Yeah, I think, you know,
the thing that surprised me the most
is that consumers are more likely to purchase from a company that makes no promises regarding the protection of consumer privacy than from one that is transparent in describing its data practices.
And the reason for that is that a privacy notice places legally enforceable limits on a firm's data practices. It communicates safeguards, and it might be expected to promote
confidence that one's personal data will not be misused. But as I said, instead of making people
feel more secure, we found that it does undermine trust and purchase interest. And yeah, it doesn't
change the value, but it does change the willingness that they have to pay for that product.
And I was also surprised that something as seemingly trivial as including benevolence cues in the privacy notice,
these subtle changes that we make to the language, could counter the negative effects.
Yeah. Were there any significant differences between generations or genders?
No. So we looked at age and gender as covariates, meaning, you know, we tried to see if there were
differences across those variables, and we didn't find any. I don't often laugh when I'm reading
scientific journals or scientific papers, but I did chuckle a little bit because one of the test variations that you did that I thought was clever, you know, we've talked about sort of the two A, B tests that you've done before with this financial services.
But one of your tests included a third option beyond there's a privacy policy link and I read it and there was no privacy policy link at all.
And that third option was that you had a link to a privacy policy.
But when people clicked it, the web browser just barfed back a file not found error.
So people were aware that there was a privacy policy, but they didn't get to read it.
How did that change people's purchase intent?
Yeah, so I think, you know, that was actually a study that didn't make it into the published paper. That was one of the earlier studies that we ran. And, you know, one of the reasons it didn't make it into the published paper is because I think one issue could have been that people are thinking there might be some kind of problem with the site, right? If they can't get a link to
their privacy policy to work properly, then maybe there's other, you know, incompetence in their
ability to, you know, manage my personal data. And so that was kind of an alternative explanation
for the results of that study. And so we ran some subsequent studies to be cleaner tests
that wouldn't be susceptible to that alternative explanation.
Right, right.
You know, a lot of people who are listening to the podcast, people who manage e-commerce sites and so on, they don't have control, this like level of granularity of control over whether there's a privacy box, what it says, you know, that sort of thing. So for those people, like, like, I'm thinking people
who use, you know, kind of like a preset theme in Shopify or something like that. For those people,
is there any way to counter the loss in purchase intent? Yeah, that's a good question. I think,
you know, anything that you can do to build consumer trust, and to let them know that you can do to build consumer trust and to let them know that you care about them,
that you're committed to, you know, not only competently protecting their privacy,
but also that you have their best interest in mind and at heart. I think any kind of cues that
you can give along those lines should be effective. But you're sometimes limited by the platform
in terms of the extent that you can use to communicate these cues.
Yeah. Well, let's go the other way. If someone has full control over their site and they can
choose whether a privacy notice appears or doesn't appear, is it your finding that they should just not show one?
No, I would say that the finding is if you incorporate benevolence cues into your privacy
policy, we found that in some cases it can actually be beneficial. So it can actually
increase purchase intent beyond what it would be in the absence of any privacy communication. The downside or the thing you want to avoid
is having a privacy notice that does not include benevolence queues. And as part of the research,
one of the things that we did is we looked at a random sample of privacy notices of companies
listed on the NASDAQ stock exchange, and we found that benevolence queues were in fact quite rare.
So one of the things that I
hope that our research will prompt more companies to do is to include language in their privacy
notices that communicates caring and fosters consumer trust so that consumers are more
willing to provide that information and do business with the companies, but the companies
are not discouraged from being transparent
in what they're doing with the customers' personal data.
Do you have business insurance?
If not, how would you pay to recover from a cyber attack,
fire damage, theft, or a lawsuit?
No business or profession is risk-free.
Without insurance, your assets are at risk
from major financial losses, data breaches,
and natural disasters.
Get customized coverage today starting at $19 per month at zensurance.com.
Be protected. Be Zen.
It's the season for new styles, and you love to shop for jackets and boots.
So when you do, always make sure you get cash back from Rakuten.
And it's not just clothing and shoes. You can get cash back from over 750 stores on electronics, holiday travel, home decor, and more.
It's super easy.
And before you buy anything, always go to Rakuten first.
Join free at Rakuten.ca.
Start shopping and get your cash back sent to you by check or PayPal.
Get the Rakuten app or join at rakuten.ca.
R-A-K-U-T-E-N dot C-A.
So what would be like the perfect,
like if you were VP of policy or VP of privacy
or whatever for an e-commerce company
and the CEO said, you've got a day,
design for me the perfect privacy apparatus
as it is forward facingfacing to the consumer.
What does it look like? Is it a box? Is it a pop-up? How big is it? Tell me the words to use.
Yeah, that's the million-dollar question, right?
Yes, it is. Or more.
So I think that there's obviously no solution that fits all different situations.
And I think some of that's going to be dictated by the situation and the context.
But I think the key results from our research are do things that build consumer trust.
And so in addition to conveying that you will protect their information, make sure that you're communicating how much you care about their privacy and how much you care about them. being very concise, trying to avoid jargon that people aren't going to understand,
but to be very open and transparent about what you're doing and explaining to them why you're
collecting this data, how it will be used, and what the benefits are to them of your collecting
this information. So if you're collecting, you know, a particular piece of
information explaining, you know, that this might allow you to customize the product or the
experience to their needs, right, that can be a way to help. What surprised you the most about
your findings? Well, like I said earlier, I think one of the biggest surprises was just the fact that people would be so willing to give up their personal data without any promise that it will be protected.
When I first started doing this research, I looked at some of the most popular apps on the App Store.
And this was before there was regulation that required them to
have privacy policies. And some of the most popular apps for finance or for fitness, where
you're entering personal health information or medical conditions or things like that,
or you're entering financial data, there were no privacy policies on those apps. And I thought that was shocking, frankly.
And then the other thing that I think is surprising, like I said earlier, is that I think
just changing the language slightly can reduce these negative effects that we've observed of
bringing privacy information kind of to the forefront of people's minds.
It's interesting because I think a lot of people in the industry,
I mean, obviously they're used to multivariate testing. And there's lots of things that we test,
there's image, there's the color of buttons, you know, Google once tested 32 different shades of blue for their hyperlinks. I don't know that many people would consider testing the privacy portion of that. And yet, as you discussed, you know, it's pretty critical to of recently published papers where we look at the implications
of the pandemic for privacy. One effect of the pandemic is that there's been this large pool
of personal data that's been generated that was not previously available. And that's partly due
to increased collecting and sharing of consumer information by governments and businesses,
but it's also partly due to an increase in online activities and voluntary self-disclosure by people who are isolated. And we identify some
opportunities, challenges, and open questions that this poses for both consumers and marketers.
In another paper, we look at the need to consider both individuals' motivation to protect their
personal information,
but also their knowledge of how to do so. A lot of the research in privacy looks either at motivation or at knowledge, but not at both. And in fact, many consumers are fairly privacy
illiterate. They're not able to accurately predict how they will respond to privacy threats.
And so in order to do that, we need to consider not only their
motivation, but also their familiarity with privacy related issues. So to answer your question,
you know, privacy has been something that I've been interested in for a while now,
and working on it from several different angles. And that's kind of what got me thinking about
privacy notices. As I said, I'm an advocate of transparency and privacy practices. I think it's
ethical for companies to disclose how they are going to be using consumers' personal information.
And as a consumer, I want my personal information to be protected. And I think there's a lot of
benefits that I can get by providing it. But I want to make sure that I know how they're going to be using it, how they will
be protecting it. And so, you know, I think privacy notices are important. And I think that,
you know, as our research shows, they can be very influential in influencing consumer purchases.
I'm curious, given that your research sort of focuses around privacy and the web and e-commerce and so on. Has your
research or your experience in this changed the way that you move through the web as a consumer?
You know, it has a little bit, but I'm like everyone else, I think, where I often don't read
privacy notices all the way through, especially if they're long and full of technical jargon.
But I have become more aware of it, I think. I've been particularly more aware of their absence.
And I think that's the thing that a lot of people, when they're shopping, they're not always thinking about privacy. And so that's the thing that kind of started us off on doing this research is that the absence of a privacy
notice doesn't usually send up red flags to consumers, but it should. Because what that
means is they're making no promises. They could be collecting any data from you and making no
promises about how it'll be protected or used. And so I think privacy notices are there to protect us. And so I just want to make sure that companies have a way of communicating that in a way that won't hurt their business, because otherwise they're essentially given an incentive not to convey that information, which I think hurts consumers overall. I hate to say it. I'm one of those people who when I arrive at a website and
it has the privacy banner, probably GDPR inspired, you know, where there's a big accept everything
button and then a big customize your choices button. And then, you know, I usually click that.
I like to think I'm privacy aware. I run the Brave browser. I run a VPN on all my devices.
But yet that accept all button is so tantalizingly easy to click.
Maybe this will eventually change all of us.
It's certainly interesting research.
I'm super delighted that you could share it with us.
Aaron Brough is an associate professor of marketing at the John M. Huntsman School of Business at Utah State University.
His study is called The Bulletproof Glass Effect, Unintended Consequences of Privacy Notices.
Dr. Brough, thank you for joining us.
Thank you, Todd.