“I agree to the terms and conditions”: (How) do users read privacy policies online? An eye-tracking experiment

Privacy policies are widely used by online service providers to regulate the use of personal data they collect, but users often skip on reading them and are unaware of the way information about them is being treated, and how they can control the ways in which that information is collected, stored or shared. Eye tracking methodology was used to test if a default presentation of a policy encourages reading it, and how the document is being read by users. Results show that when a privacy policy is presented by default, participants tend to read it quite carefully, while when given the option to sign their agreement without reading the policy, most participants skip the policy altogether. Surprisingly, participants who actively choose to read the policy spend significantly less time and effort on reading it than participants in the default condition. Finally, default policy presentation was significantly related to understanding user rights and restrictions on the use of personal data.