Wednesday, March 27, 2013

Why Johnny can't read...a privacy policy



Why can't Johnny read a privacy policy?  It's because privacy policies aren't being written for Johnny to read.  They're being written for regulators and lawyers to read.  Or well, more fairly, they're being written for Johnny, in the ways that regulators and lawyers think they should be written.  

Today, privacy policies are being written to try to do two contradictory things.  Like most things in life, if you try to do two contradictory things at the same time, you end up doing neither well.  Here's the contradiction:  should a privacy policy be a short, simple, readable notice that the average end-user could understand? Or should it be a long, detailed, legalistic disclosure document written for regulators?  Since average users and expert regulators have different expectations about what should be disclosed, the privacy policies in use today largely disappoint both groups.  

On the one hand, privacy policies are supposed to be disclosure documents for the average end user.  In other words, privacy policies are supposed to be simple, readable notices that are used by any entity that processes personal data to tell their users basic stuff, like what data they collect, how they use that data, whether they transfer that data to any third parties, etc.  In addition, privacy policies are the main mechanism for entities to obtain consent from end users to process their data, even if that consent is often implicit.

On the other hand, regulators around the world, with good intentions, continually call for longer and longer privacy policies (not in those words, of course), by demanding that X, Y, and Z be disclosed.  Whether Johnny cares about X, Y, and Z is irrelevant.  Companies have to disclose X, Y, and Z, or they'll risk regulatory sanctions.  Johnny probably couldn't understand X, Y, and Z anyway, and X, Y, and Z are probably privacy-legal terms of art.  HIPPA is a famous example of legally-required privacy notices that Johnny can't read.  

The time has come for a global reflection on what, exactly, a privacy policy should look like.  Today, there is no consensus.  I don't just mean consensus amongst regulators and lawyers.  My suggestion would be to start by doing some serious user-research, and actually ask Johnny and Jean and Johann.

5 comments:

Steve Wilson said...

I think it's wrong to have assumed all along that privacy policies have just one reader, the end user. Like contracts, insurance policies, mortgage documents and the like, Privacy Policies might better be aimed at lawyers.

I agree with Peter, it's high time to review what needs are served by Privacy Policies. If there are different audiences then we might move towards different documents each addressing part of the puzzle. And we might need intermediaries to translate amongst them. Thus is not unusual in law and economics. Some arrangements between buyer and seller are so technical and complex that an intermediary (like an adviser, or a government agency depending on regulatory style) is needed to represent one side to the other. When critical societal functions collide with technological complexity (financial services is a classic example) consumer protection bureaus often intermediate some types of businesses and their customers. In Australia for instance we have legally mandated Plain English rules for how insurance policies are written.

It seems to me privacy is much the same. Information flows and information-intensive business models are so complex now that they cannot be set out in a succinct document. But that's what a comprehensive privacy policy must do: set out what PII is collected, how, why, where and when, and who the PII is passed on to.

Many new social media business models are win-wins for consumers and big business. So a big fat complicated privacy policy does not, ipso facto, rip off the consumer! I reckon that 100 word Privacy Policy statute (in California?) is well intended but frankly mad.

We might expect privacy intermediaries to emerge in less regulated privacy environments like the US private sector to interpret privacy policies for the benefit of lay people. Lawyers can review the 'full' policies on behalf on consumers and rule on those policies, not just in respect of cut & dried legal compliance but softer criteria that translate into risk appetite.

Actually this is already happening, with things like "traffic light" privacy labeling models, and similar proposals inspired by nutrition labeling. Such labels are produced or certified by intermediaries.

Somehow I think we need to codify the privacy-publicness risk-benefit tradeoff in information businesses. Jeff Jarvis has written eloquently about the upside of dropping privacy (in "Public Parts"). I don't agree with the default "set point" that Jarvis advocates but his personal preferences and mine and everyone else's could be operationalised if privacy policies were more readily interpreted.

Investment funds characterize their products according to the aggressiveness of their securities, using terms like "Balanced", "Low Risk" and "High growth". Perhaps we're getting to the point where consumers could think about social media privacy in this sort of way?

Anonymous said...

Lots of research has already been done on this--have you really missed the whole impetus toward privacy icons? Ryan Calo's articles on notice? The discussions at the FTC and California AG's office about the problems with the current incarnations of privacy policies? The only thing to be said for the current privacy policies is that they're better than no privacy policies at all.

Matthew Johnson said...

Have you seen this report from the University of Ottawa on best practices for privacy policies on kids' sites?

http://www.idtrail.org/files/broken_doors_final_report.pdf

Robert Bond said...

At The i in online we have worked with kids on privacy policy icons for past 2 years. We published a report in July 2011 on childrens' understanding of data protection. Anyone want a copy?

www.theiinonline.org

Spiros Tassis said...

Coming from the E.U., I can tell that most end users are simply based on the fact that a privacy regulator has pre-surveyed a complex privacy policy and found it sufficient. I do not think that complexity necessarily means "black holes" for your privacy rights but I agree that it is blamed for scaring the average end user. A recent survey by ENISA showed that the end user is concious about its privacy but at the end of the day he will sacrifice it for a better price online!