What is a privacy policy?

When Pew Research Center asked about this on a recent survey measuring public knowledge of technology and the web, we found that it was a question many Americans answered incorrectly. Our true/false question asked, “When a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users.” Some 52% of internet users believe — incorrectly — that this statement is true, and that privacy policies actually ensure the confidentiality of their personal information. (In fact, a privacy policy is simply a legal document that discloses how customer data is managed and used.) Just 44% correctly identified this statement as false, and 3% chose not to answer the question.

This particular question was based on polling conducted by Joseph Turow, who studies digital marketing and privacy issues at the University of Pennsylvania’s Annenberg School for Communication. Back in 2003, when he first surveyed home internet users on this subject, 57% believed (again, incorrectly) that when a website has a privacy policy, it will not share their personal information with other websites or companies. A decade later, little has changed.

Even accounting for the slight differences in question wording between the two studies, it is clear that there is deeply embedded and long-standing confusion among consumers when it comes to privacy policies and the protections they afford.

Turow says that several issues contribute to confusion over privacy policies, beginning with the assumptions users make about what it means to have a privacy policy in the first place. “Many people don’t actually read privacy policies; they simply look at the label,” says Turow. “And the intuitive understanding — the cultural understanding — of the label is that when something says ‘privacy policy,’ it protects your privacy.”

These misperceptions are enhanced by privacy policies that are often difficult to interpret, even to the small number of consumers who do try to read them, says Turow. “Other researchers have found that people do not read privacy policies — they’re unreadable. They are filled with jargon that is meant to be understandable only to the people writing them, or to people who work in the advertising industry today. Words like ‘affiliate’: nobody outside of the digital marketing industry knows what that means.”

Turow’s research also suggests that ordinary users don’t fully understand the scope of the data that is being collected on them — or how small amounts of data can be used to create a much more detailed portrait when matched with information from third-party sites that collect and share various types of customer information with each other. “The general sense among marketers is that people understand that their data is being used, but we’ve found in our research that people don’t truly understand how data mining works. They may realize that one or two pieces of their information are being given out; what they don’t realize is that those one or two data points can be linked with other sources to uncover information they would have never given out in the first place.”

Ultimately, this issue is likely to become even more contentious in the future as wearable devices, clothes, smart appliances, connected cars, and other elements of daily life become linked together. Many experts have told Pew Research that they think privacy challenges will worsen as the Internet of Things expands, and that people will be increasingly enticed (if only grudgingly) to give up personal information in return for the conveniences afforded by digital technology.

Aaron Smith is director of Data Labs at Pew Research Center.