Does It Really Matter How Complex Privacy Policies Are?
from the not-really dept
Slashdot points out that a recent study of various privacy policies shows that most are at an extremely high reader level, in some cases ridiculously high. Of course, this is used to suggest that people don't understand the privacy policies they read -- but that's been known for years. But the issue has little to do with the policies themselves, because no one tends to read them, no matter how readable (or not) they are. In fact, many people falsely assume that the very presence of any policy means that their privacy is safe. So, even if a site has a privacy policy that says "you have no privacy, and we'll reveal all your data to whoever pays top dollar," people won't read it and will assume that a site will keep their data private. That's because people assume that any privacy policy means the site takes privacy seriously, even if that's not the case. Given that, it doesn't really matter how readable the privacy policy is, people aren't going to read it and aren't going to pay attention to what it says if they do read it. It seems like privacy policies, in general, are simply a relic of a legal system, rather than anything actually useful. Instead of focusing on the readability of privacy policies, shouldn't we be looking for a better solution altogether?
Filed Under: complexity, privacy, privacy policies
Reader Comments
Recently I've even come across software where you actually had to scroll down to the end of the EULA before the Next button was enabled. Clever trick, but except for the very first time when I was stumped for a good 10 mins., now it's just become one more (irritating) step in the routine.
So while readability does indeed make a difference and following the KISS principle would make it more likely to be read, I'm not too sure what can be done about the fact that we all seem to be in a tearing hurry nowadays for some reason...
[ link to this | view in chronology ]
It might be nice if they were intended to inform the user first but,
It doesn't matter how complex they are as long as it helps some judge to decide that X did enough to inform the user that X was selling email addresses to the highest bidder.
[ link to this | view in chronology ]
But I'm sure the reason that most of these agreements are so long still is b/c people will sue companies for anything just to get a buck. It all comes back to the McDonald's coffee incident years ago when the woman sued McDonald's b/c SHE spilt her coffee in her lap and burned herself b/c there was nowhere on the cup that said "Caution: Hot." It's b/c of her that people realized they can pretty much sue for anything, no matter how ridiculous, and win $$$. That just trickles down to everything else such as the Privacy Policy. If it's not written out or the words aren't carefully crafted so that people can't find loopholes in the writing then someone will find a way to sue for something stupid.
That's also why you get companies like Google who have recently come under fire for their EULA. I don't know the exact story, but I'm sure it's a case of "copy and paste policy" syndrome and forgetting to completely vet it through legal to make sure it made sense for that specific product. If one privacy policy works then it should work for all the other products...or at least that's what most companies will assume.
Honestly, I'd feel safer agreeing to something that said,
"We value your privacy while using our service. However, we do need to make money because we're giving you a free service and the only way to do that is to sell some bits of personal information like First name, Last name, Email address only. Because we value your privacy, you have the option (below) to NOT allow your personal information to be shared with third-party services. You can change your options at any time from your Account preferences. Thanks for understanding and realizing we need to make a buck or two to keep this service free...otherwise we'd be charging you...and you wouldn't really keep using it if it wasn't free, now, would you? We thought so.
[]Check to keep your personal information (name and email) safe
[Agree]
"
[ link to this | view in chronology ]
However, overwhelmingly what is happening is exactly the opposite - reception of a privacy policy typically means that the company is informing you that as a consumer you are losing privacy - and they're just "warning" you about that so when they disclose your information you will have less grounds to sue them.
It is a classic corporate "dirty trick".
[ link to this | view in chronology ]
RE: a better solution
[ link to this | view in chronology ]
Internet Education 101
And people wonder why they get tons of spam after signing up to one of these sites.
Note: Take the opposite approach to the quoted line above and you'll be alright.
[ link to this | view in chronology ]
I always assume the Privacy Policy is
The privacy policies that you get in the mail from the bank/credit-card/insurance/grocery store are simply giving the company permission to violate your privacy. They are a formal statement of "Your privacy is valuable to us, and this is how we are going to get value from your privacy."
Companies realize that your private information is valuable and now the company has another revenue stream: selling your private information.
I am always concerned when another "Privacy Policy" shows up on my doorstep. Another company has recognized that it has some of my private information, it is valuable and the company is now trying to find the best way to maximize profit on my private information.
Be Ware, Beware, be afraid; there is no privacy.
[ link to this | view in chronology ]
Re:
I think commenter Govy said it all. The only thing I can add is if EULAs and Privacy Statements are not on purpose written to be hard to understand - and I think that is true - maybe we should blame the reading level of the average user, which is, in turn, a vilification of the education system, insofar as the proper teaching of the English language.
This is a bit off topic, but having several foreign co-workers and having been a military linguist I am fairly confident that the vast majority of native American English speakers drench their speech in colloquialism and jargon to the point of making much of what they say ambiguous, albeit understandable to fellow native speakers.
In other words, we have allowed our language to diverge from what we now call "legalese."
[ link to this | view in chronology ]
Until There's Something Better
We should absolutely be looking for a better solution, but while it's likely that technology will provide it, law still has a place.
Personally, I often judge a site based on how simple its privacy policy (and terms of service) are. The more complex, the more they're trying to hide something. People don't read these things because they've learned that they are complex, take too much time, and generally people don't care.
I agree completely that most people on the web think that if a site has a link to a "privacy policy" they wrongly assume their privacy is protected. But it's when someone discovers an egregious breach of what they thought their privacy rights were that they wish they had read the policy.
The policy is primarily for the protection of the web site or service provider and only secondarily for the user, and in that they are useful.
If privacy policies are a relic of the legal system, what are possible solutions to protecting user privacy (assuming that's a goal) or at least informing users about what information is collected and what is done with it?
[ link to this | view in chronology ]
yep! So if no one reads them and they aren't really good for anything until a site gets big enough to sue BASED on them if a violation occurs (and let's see someone try and prove it in 90% of the cases) what are they good for?
Most sites on the web don't make any or much money. So if they violate their own "policy" what real recourse does the offended party have?
[ link to this | view in chronology ]
privacy policy law
In principle, contract law does not favor either businesses or customers/users. As the future of privacy law unfolds, individuals may be able to use contract law to assert their legal terms on other parties, such as search engines or advertisers. Why shouldn't a consumer be able to broadcast what she expects to be the legally binding terms under which she does business? --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html My ideas are not legal advice for any particular situation; they are just ideas for public discussion.
[ link to this | view in chronology ]
Re: privacy policy law
For one thing the user is caught in a bind, they have nothing to bargain with besides their business and with current trends there is no real competition in terms of privacy standards, you either want to use their service badly enough that you sign or you go without.
Another problem is that, at least in America, in every privacy policy there is a clause that allows the companies to change their policy at will. This is also allowed in contracts, and since the user doesn't have a position in which to bargain...
[ link to this | view in chronology ]
Privacy Policy
[ link to this | view in chronology ]
complexity = unenforceable = problems
Now, it does precious little for the user to have a privacy policy deemed unenforceable, which would mean the website/company is not in fact bound by its terms. BUT, if websites/companies are required to have privacy policies (see California), THEN they must have privacy policies and not a bunch of legally unenforceable words. A totally incomprehensible privacy policy could get a website/company in trouble with the state. Additionally, if it's unenforceable, then the company can't assert any rights that it may claim in the policy either.
So, this may not mean much for users, but it should mean a lot to websites/companies and their attorneys who draft these things.
[ link to this | view in chronology ]