University researchers conducted a study of 543 participants (communication majors studying privacy, big data and surveillance issues) to measure the frequency and depth of online terms review and comprehension. The research was motivated by a desire to point out the fallacy of a privacy regulatory regime that relies exclusively on the notice-and-consent model.
The study authors used modified versions of LinkedIn's terms and policies. They asked the students to sign up to a fictitious social network, similar to LinkedIn, that the university, the students were told, had contracted with. The terms required the user to consent to the disclosure of data to the NSA and to "third parties [building] data products designed to assess eligibility", which, the terms state, "could impact … employment, financial service (bank loans, insurance, etc.), university entrance, international travel, and the criminal justice system."
The terms even obligated the user to turn over the user's first born child to the site owner.
Average reading time for most people would be 29-32 minutes for the privacy policy, and for the terms: 15-17 minutes. But for the participants in the study who bothered to read the terms, 80% spent less than one minute doing so, and 14% spent less than five minutes. Median reading time was 14 seconds. 79% of the participants skipped reading the terms altogether. Less than two percent of participants made note of the child assignment clause and the extreme data-sharing provision. Actual click-acceptance was 100%.
In the words of the study authors:
Transparency is a great place to start, as is notice and choice; however, all are terrible places to finish. They leave digital citizens with nothing more than an empty promise of protection, an impractical opportunity for data privacy self-management, and … too much homework.