Online data protection for adults “is not working”, according to research commissioned by Schillings

Study tracking personal online data footprint leaves volunteers “scared” and “concerned”

A report commissioned by Schillings shows most people are “unable to control their identities online” – despite measures intended to help.

The report, commissioned by Schillings and produced by think tank Demos, forms part of Schillings’ Accept All: Unacceptable? campaign to highlight and address the urgent need for governments to do more to protect individuals’ privacy online. 

The study – in which volunteers attempted to track and delete their personal data online – found that:

  • Controlling your data footprint online is virtually impossible
  • Up to 65% of companies did not respond to data requests, despite this being a legal requirement under GDPR
  • Processes to help consumers take control of their data – e.g. cookie banners – “actively seek to dissuade” people from restricting their data permissions
  • Volunteers were “stunned” and “scared” by how widely their data was spread and sold by companies – with one volunteer discovering 2,242 companies were using their ‘off-Facebook’ interactions to target them with advertising.
  • Volunteers found inaccuracies in the data profiles created about them online – which can cause real-world problems such as applying for credit

To create the report, Demos, with support from consumer rights company, Rightly, worked with volunteers to discover how far information about them had travelled online – and how it had morphed along the way. The volunteers were supported to exercise their Right of Access (the right under GDPR to ask companies if they are using your personal information and for copies of what they hold) and The Right To Erasure (the right to ask for that data to be deleted – also known as the right to be forgotten).

The research found a deeply frustrating and confusing process, and an inconsistent picture across data requests to companies. Responses varied dramatically: of all the access requests put out, rates ranged from 65% of companies not responding to one volunteer, to just 10% not responding to another. Under GDPR laws, companies are required to respond to consumer requests – but many did not, or made the process difficult and time-consuming.

The study also found that processes put in place to help consumers have more control over their information online in fact made them more likely to give it away. The biggest gateway to personal data for most users is the GDPR- compliant ‘cookie banners’  – but Demos concluded the banner’s design often actively sought to dissuade users from changing data permissions “through nudges to incentivise you to agree to the most permissive settings”.

Volunteers were shocked to discover that by “accepting all” they often gave companies permission to sell their data onto data brokers, who then package this information up and sell it on further.

“One of the biggest problems right now is companies gathering enormous amounts of data on people, selling it off to data brokers and even they don’t know where it ends up”, commented one volunteer.

They added that this made them question whether they wished to continue buying from that company, explaining: “It’s not necessarily that I don’t trust them as a brand not to misuse my data – it’s the fact that I don’t know who they’re selling it to and who that broker is selling it on to”.

Study volunteers were also surprised by the inaccuracy of profile information companies had compiled about them based on their online activity. This ‘propensity data’ is intended to help advertisers target users who are most likely to be interested in their products. However, this data is also used to make decisions which have far-reaching ramifications in the real world, such as whether an individual would qualify for a mortgage or credit card. 

The study states:

“We found a chaotic system that profits from our data, while doing little to empower users to exert their rights: data is collected and inferred about us, and used to make decisions in the dark about what sort of person we are, what sort of products and services we should be offered – from health insurance to mortgages”.

Allan Dunlavy, Partner at Schillings, explained the study findings show a crisis waiting to happen.

“Our study shows that we’re in the middle of the largest privacy crisis in history and there is a reputation timebomb waiting to blow up many brands. Brands that are intentionally and inadvertently misusing our data could suffer a serious impact to their reputations, customer base and revenue. We are in a situation where many companies are holding consumer data, not giving people their legal right to access it, and then selling it on into a system they have no control over. The burden is currently on the consumer, rather than the business, to change this but we see the tide turning against companies that are not helping consumers.”

“For many companies the rush to move to an online business model during the pandemic, resulted in shortcuts being taken. We are seeing a lot of data privacy codes of practice overlooked despite the best of intentions – with many companies often unknowingly contravening data legislation through poorly set up processes. But with privacy becoming a key focus for consumers, companies need to take these issues more seriously. 

“It’s time every company took a long, hard look at how confident they are of their data ethics. This is a strategic reputational problem that needs addressing in the boardroom – not in isolation by a marketing or IT team”.

Renowned for its precedent setting work in the area of privacy, Schilling’s commissioned the study as part of its Accept All: Unacceptable? campaign, highlighting and addressing the urgent need for society to do more to protect personal privacy online. 

Volunteers from the study can been seen in the 40-minute documentary, Accept All: Unacceptable?, also commissioned by Schillings, which is now available to view on YouTube here.  The film sets out to answer the question : “Why should we care about online privacy?”.