A significant number of Americans hold significant misconceptions about their privacy, according to opinion research — misconceptions that privacy-invading companies love. That’s according to research on American understandings of privacy carried out over the past couple decades by the Annenberg School for Communication at the University of Pennsylvania, lead by Prof. Joseph Turow, whom I recently heard give a talk summarizing these studies.

Misconception #1: “We care about your privacy!”

One misconception is that when a web site has a “privacy policy,” that actually means the site has a policy to protect your privacy. Annenberg presented respondents with the false statement that “When a web site has a privacy policy, it means the site will not share my information with other websites or companies without my permission.” In 2018, nearly 60 percent of Americans either said they believed this was true, or that they did not know. In past years the percentage of those surveyed giving incorrect answers was as high as 78 percent.

Unfortunately, nothing could be further from the truth. Most “privacy” polices start by declaring, “We care about your privacy!” and then go on to say, in extremely long and complicated legal language, that you have no privacy. Lawyers write these policies to minimize the presence of any actual concrete promises that might limit what a company does. Because the United States doesn’t yet have a baseline privacy law, the only thing protecting our privacy in most commercial contexts is a prohibition on “acts or practices that are unfair or deceptive.” That prohibition was enacted in 1914 — just slightly before the advent of today’s online advertising surveillance systems. What that means is that (outside of a few narrow areas that are regulated such as credit reporting) a company can do whatever it wants with your personal information. The only thing it generally cannot do under federal law is say it’s going to do one thing and then do another, which would count as “unfair or deceptive,” and leave a company vulnerable to enforcement by the Federal Trade Commission.

Turow says that “marketers know” about this misconception and benefit from the confusion and the misplaced consumer trust it creates. Turow suggests that “privacy policy” is “a deceptive term” and that “the FTC should require a change in the label.” “How We Use Your Data” would be more accurate.

Misconception #2: What is unfair is also illegal.

A second misconception that many Americans hold is that the law protects them more than it does. For example, in 2015, 62 percent of Americans didn’t know that it is completely legal for an online store to “charge different prices to different people at the same time of day”; in 2012, 76 percent did not know that “online marketers are allowed to share information about diseases you or your family members have”; and in 2018, 46 percent did not know that an “internet provider has a legal right to sell information to marketers about the websites you visit.” (We think they actually don’t have such a right under the Communications Act, which states that “every telecommunications carrier has a duty to protect the confidentiality” of personal information — but an attempt to craft detailed rules enforcing that law was killed by Congress and President Trump in 2017, and there’s no sign that such a right will be enforced by the federal government anytime soon.)

What’s going on here, Turow believes, is that people have fairly well-defined feelings about what kinds of behavior are fair and what are not — and they tend to think that things that are unfair are also illegal. They think, as he puts it, that the government has our backs much more than it actually does.

Annenberg’s polling confirms other polling in consistently finding that people are deeply uncomfortable with the state of their privacy online. Two-thirds (66 percent) of adults, for example, told surveyors that they do not want advertisements “tailored to their interests,” and 91 percent disagreed with the statement that “if companies give me a discount, it is a fair exchange for them to collect information about me without my knowing.” Asked whether “It’s okay if a store where I shop uses information it has about me to create a picture of me that improves the services they provide for me,” 55 percent disagreed.

These findings, Turow concludes, “refute marketers’ insistence that Americans find increased personalized surveillance and targeting for commercial purposes acceptable.”

So why do people give up so much information? The problem is that they feel helpless. The surveys found that 58 percent of Americans agreed with the statement, “I want to have control over what marketers can learn about me online” but at the same time 63 percent also agreed, “I’ve come to accept that I have little control over what marketers can learn about me online.” Although marketers like to portray Americans as cheerfully accepting a tradeoff between their privacy and the benefits they gain, that’s not at all what’s happening. As Turow told me, “The bottom line for us is resignation. It’s not as if people want to give up their privacy, but in order to get through life they feel they have to, and they don’t feel like they have the ability to change things.”

Misconception #3: We’ve lost the privacy battle.

This, I would argue, is the third misconception: that the battle is lost and there’s nothing people can do about protecting their privacy. It’s true that there are good reasons why people feel that way — there’s only so much that an individual can do to protect their privacy, especially if they’re short on technical expertise or willingness to tolerate inconveniences in order to fight surveillance. It’s true that our privacy depends to a large extent not on individual decisions but on collective decisions we make as a nation about the policies we want to set. It’s also true that the companies that profit from surveillance are wealthy and politically powerful.

Nevertheless, the clouds are gathering for a major reckoning. The European Union has enacted a  comprehensive privacy law called the General Data Protection Regulation (GDPR) that is forcing even many U.S.-centered businesses to improve their privacy practices. California, where one in eight Americans live, has also enacted a broad privacy law called the California Consumer Privacy Act (CCPA). And as these laws weaken the will of companies to oppose privacy protections, scandals such as the Cambridge Analytica fiasco have strengthened the desire of politicians across the political spectrum to support such rules. The result: For the first time in many years, members of both parties are reportedly working to draft and enact comprehensive privacy legislation. 

There are major battles ahead, but, as I have argued, in the end people need — and always demand — privacy. Privacy-invading companies love it that people feel helpless, but now is the time for people to trade resignation for anger and activism, and voice that demand to ensure that any new privacy laws are strong and meaningful. The status quo is not stable, and the battle is just getting underway.

Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project