Supplying personal data online
Three-quarters of the UK population now have broadband at home (1), using the internet to share their thoughts, ideas and information, and UK consumers conduct more transactions online, and spending more, than consumers in any other major European country (2). For them, providing personal data can have significant benefits in the form of services and applications that are more tailored to their needs, or that they might otherwise have to pay for. But there are also risks – that consumers disclose personal information without understanding how it is used or by whom, that data are misused, and that the law does not keep pace with industry developments or consumers’ expectations.
A lack of trust and understanding among users could become a barrier to the continued development of innovative services and applications, and the benefits for consumers that they bring.
How concerned are consumers about data gathering? And what steps, if any, do they take to exercise control over the collection of their data?
Against this backdrop, the Panel decided to carry out quantitative and qualitative research with consumers to understand:
- the extent to which consumers are aware of the various methods of collecting data in the online environment;
- the extent to which consumers are prepared to share their own data and what they expect in return;
- consumer awareness of ways in which they can protect their online data, and their use of such methods;
- among those using a social networking site, their use of privacy settings and understanding of how personal data on such sites can be accessed and used by third parties; and
- attitudes towards what is currently being done to protect personal online data.
Just over half (52%) of UK internet users have no top-of-mind concerns when using the internet. The largest top-of-mind concern related to safety of personal details/ID theft -26% of respondents said spontaneously that they were concerned about these issues, followed by ‘privacy issues’ (14%). When prompted, six in ten consumers said they were concerned about privacy online. Just over one in four of those who use the internet on their mobile phone were more concerned about privacy when using their mobile phone than when using a PC, laptop or tablet.
Consumers can only take responsibility if they know how their data are being used online. There was a high level of awareness that companies collect customers’ personal information by asking them to register details with them, and choosing to opt in or out of receiving marketing information (85%), but there was less awareness of passive methods used by companies to collect information. Sixty-four per cent of consumers were aware that cookies are used to collect data about the websites they visit; 59% were aware that companies can gather information from personal profiles on social networking websites (rising to 68% of internet users with a social networking profile); and 45% were aware that mobile phone apps can also collect personal information. Awareness was higher among those who use the internet on their mobile phone (53%).
Consumers also need to understand the benefits of sharing their personal data. Otherwise they will not be able to make an informed decision between, on the one hand, withholding their data and protecting their privacy, and on the other hand, sharing their data and receiving benefits. The research findings suggest that the decisions consumers make might be influenced by how direct they perceive the benefits to be. Only a small minority of respondents were always happy for the methods of data collection we asked about to be used for any reason. In general, younger age groups were more relaxed about this. Respondents were slightly more comfortable if their data was collected as a result of registering with a company or by accepting cookies if this was from a company/brand they trusted. But neither receiving discounts/special offers nor relevant adverts/information increased people’s comfort with these methods.
Levels of concern were lower if the personal information was being used by companies to develop new business and services (31% had a high level of concern) than if it was being sold to third parties for them to target the consumer with products/services (here, 79% had a high level of concern).
Respondents had relatively high levels of awareness of the types of methods that could be used to protect their information online, although those surveyed were more aware of reactive methods (e.g. opting out of marketing (83%) or reading a company’s terms and conditions (78%)) rather than proactive means (e.g. blocking cookies(68%) to protect their personal details. However, use of these methods varied significantly. Again, reactive methods were used much more – 73% of internet users said they regularly opted out of receiving marketing/information from companies and 69% regularly opted out of sharing information with partner companies of the one they were interacting with. And looking at more proactive methods, 50% of respondents said they regularly read companies’ privacy statements to inform their judgements, and 43% said they changed the cookies setting on their browser.
Those surveyed were more comfortable about their data being used when they had control over whether this happened, and knew how the data would be used.
Sharing financial information such as bank details, information from social networking sites and mobile numbers were the causes of most concern. Nearly nine in ten were highly concerned about providing, or companies being able to collect, credit card or debit card details.
The majority of social networking site users said they used privacy settings, and understood that if privacy settings are not set to ‘private’, anyone is able to access their information. However, 16% were not aware that information on open profiles could be seen by anyone, including companies, and 27% were not aware that this information could be used as the basis of targeted advertising. Nearly two-thirds (64%) of social network users said that they had a high level of concern about the use of information from profiles by companies.
While 12% of respondents felt that enough was currently being done to protect their information online, 22% were unaware of what was being done. Sixty-six percent of internet users felt more should be done to protect their personal information on the internet.
Twenty-one per cent of people felt that it was solely their own responsibility to look after their data, while 17% felt this responsibility should be shared with the companies collecting the information, the government and an independent organisation.
The qualitative research explored participants’ views about the provision of data to companies, both offline and online. When asked directly, people thought there was not much difference between the loyalty cards in shops and use of data online, but there was something about the human touch that made a difference. Personally handing over the card to someone seems to give people a greater sense of trust/control than online, where the exchange of data is happening in the background, often automatically and out of sight.
Participants in the research commented:
“It’s basically the same, but with a card you actually get to speak to someone whereas on the internet you give it to a server. But the information they collect is the same. I would say it was the same but I do prefer it when it comes from a person and not just through my laptop. There’s nothing wrong with it happening online but it’s just my opinion that I like the human touch.”(Male, 35-44 years old, Edinburgh)
“I suppose realistically when you think about it they’re the same. In fact the loyalty cards are probably worse because they collect more information about you. I haven’t thought about it before but they are similar....I tend not to think about how they use my information. I tend to think about how they use my information online more than through the cards though. That’s because there’s potentially more people who can access the information. I feel that with the card it should be protected better but I’m under no illusions, I know that that information is also stored on a computer somewhere.”(Male, 35-44 years old, Halifax)
The qualitative research also echoed the range of views found in the quantitative study:
“Normally when I am on these sites I won’t click on the adverts to see what they are offering. But I am happy for them to use my information to tailor the ads”(Female, 45-55 years old, Merseyside)
“It depends, if they are going to send me offers that I’ll be interested in like discounts or new things that they have then it’s better that they have my details so they can send them to me” (Male, 16-24 years old, Leicester)
“I hate when you can’t get to a certain page without opting in or registering. I don’t like not knowing what they want my information for, especially if it is not a website that I am familiar with” (Male, 35-44 years old, Edinburgh)
“I don’t mind so much if one company has a piece of information but it’s when they start joining it together that I don’t like it. Even if they ask for your permission it’s the principle that bothers me” (Male, 35-44 years old, Birmingham)
“No, I didn’t know about this. I don’t think it is ok for companies to do this. If I haven’t clicked an option then I don’t want this to happen. There isn’t really a reason why I don’t want it, but if I was just minding my own business there is no reason for them to be targeting me with adverts” (Male, 16-24 years old, Walsall)
The report is intended to inform policymakers, as they develop solutions, policies, and potential laws governing privacy, and to guide and motivate industry as it develops more robust and effective best practice and self-regulatory guidelines.
Consumers can only take responsibility if they know how their data are being collected and processed online. The Panel considers that companies should improve consumers’ awareness of how their data are collected and used, and provide straightforward information for consumers.
In summary, the Panel considers that consumers will only be genuinely empowered if they have:
- information to allow them to make an informed decision about the implications of releasing their data;
- control over the use of their data;
- reassurance that companies will always minimise the amount of data that they collect, store it securely, retain it for no longer than is necessary and consider whether to check with consumers after a set period of time whether they still wish their data to be retained; and
- confidence that companies will follow the rules and manage personal data responsibly, and that if they do not, they will face robust enforcement action.
The Panel looks forward to discussing with stakeholders how best to ensure that these conditions are fulfilled. In doing so, we want to ensure that consumers can make an informed decision about sharing their personal data online and maintain the levels of privacy with which they are comfortable.
(2) See Ofcom’s International Communications Market Report 2010 (ICMR), p217 http://stakeholders.ofcom.org.uk/binaries/research/cmr/753567/icmr/ICMR_2010.pdf