Proposed Law: Privacy Policies Must Be Less Than 100 Words (Says 336 Word Bill)

from the lawyers-are-not-good-at-being-brief dept

Mon, Feb 11th 2013 12:48pm — Mike Masnick

I've stated in the past, that the whole concept of "privacy policies" is a failed concept. No one reads them, those who do read them don't understand them, and most people incorrectly think that if you have a privacy policy, it means you keep information private. That's not the case. Since the only way you get into legal trouble is by violating your privacy policy, the incentives are totally screwed up: sites have the incentive to make their privacy policies as broad as possible, allowing them to do as much as possible. Since users think any privacy policy means they're safe, then the "ideal" privacy policy is one that says "we don't care about your privacy, we give away or sell all your data, and we laugh all the way to the bank" (more or less). The user thinks their data is secure, while the site has nothing to worry about since they won't "violate" the policy.

And, yet, politicians still seem to focus on privacy policies, as if they're a legitimate replacement for actually doing something to protect privacy. In pointing out how silly privacy policies are, a year ago, we noted that you'd need to take a month off from work each year to actually read all the privacy policies you encounter on a normal basis. It appears that California Assemblymember Ed Chau has a solution to all of this (as pointed out by Eric Goldman): just pass a law that requires all privacy policies to be less than 100 words. Seriously.

This bill would require the privacy policy to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.

While I'm all for having things like terms of service and privacy policies be more simplified, I still don't see how it's particularly useful to legislate this. Also, lawyers aren't exactly known for their ability to be pithy. Having worked on a couple of privacy policies with lawyers in the past, finding someone who can get such a policy under 100 words would be very, very tricky.

And, not to be snarky or anything, but the text of the law itself (removing the digest explanation and preamble) clocks in at 336 words. So... if your law saying that all privacy policies must be under 100 words can't be written in under 100 words, perhaps you've highlighted the problem with your own law.

Ab 242 Bill 20130206 Introduced (PDF)Ab 242 Bill 20130206 Introduced (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 100 words, california, privacy, privacy policies

38 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

silverscarcat (profile), 11 Feb 2013 @ 11:18am

suddenly...
A thought...

"Mr. Website, come up to the front of the class and explain your privacy policy in under 100 words."

"But, teacher, I can't do that."

"Then you get an F, now go stand in the corner until lunch time."
[ link to this | view in chronology ]
- Atkray (profile), 11 Feb 2013 @ 11:47am
  
  Re: suddenly...
  You can't tell people they fail it might hurt their feelings.
  [ link to this | view in chronology ]
  - silverscarcat (profile), 11 Feb 2013 @ 12:03pm
    
    Re: Re: suddenly...
    Bullshit.
    
    I got Fs in elementary school, Jr High and High School, all it did was motivate me to do better and learn from my mistakes.
    [ link to this | view in chronology ]
    - Anonymous Coward, 11 Feb 2013 @ 1:04pm
      
      Re: Re: Re: suddenly...
      I got an F once. And the F certainly didn't motivate me to improve. The threat of another belt across my ass is what motivated me. :)
      [ link to this | view in chronology ]
      - Buster, 11 Feb 2013 @ 1:10pm
        
        Re: Re: Re: Re: suddenly...
        Sounds like your parents and teachers are being bullies to you. Would like like to press charged?
        [ link to this | view in chronology ]
    - Anonymous Coward, 11 Feb 2013 @ 4:28pm
      
      Re: Re: Re: suddenly...
      I got Fs all the way through school too. And I didn't give an F.
      [ link to this | view in chronology ]
      - btrussell (profile), 12 Feb 2013 @ 5:42am
        
        Re: Re: Re: Re: suddenly...
        Eh!
        [ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 1:05pm

The problem with a 100 word limit being 336 is that our language has too many words. If we just remove 70% of the English language then this problem will be solved!
[ link to this | view in chronology ]
- VMax, 11 Feb 2013 @ 1:14pm
  
  Re:
  Maybe we could just eliminate the letter "e".
  [ link to this | view in chronology ]
  - Drew, 11 Feb 2013 @ 1:38pm
    
    Re: Re:
    Mr. Burns: All right, let's make this sporting, Leonard. If you can tell me why I shouldn't fire you without using the letter "e," you can keep your job.
    Lenny: Uh, okay. I'm a good... work... guy...
    Mr. Burns: You're fired.
    Lenny: But I didn't say it.
    Mr. Burns: You will.
    [He pulls a lever, dropping Lenny down a trapdoor]
    Lenny: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.
    [ link to this | view in chronology ]
PW (profile), 11 Feb 2013 @ 1:14pm

This clearly falls into the camp of "doing nothing is better than doing something" ;)
[ link to this | view in chronology ]
Buster, 11 Feb 2013 @ 1:15pm

I'd understnd somewhere between 300 and 500 words, but 100? I figured at best, 200. That's just insane.

I can see it now "No your stuff isn't private. Yes we will sell your email and pictures, but you'll still use us and hate that you love the experience"
OR count on companies creating some new very creative words.

Hmm 68 word comment. This might not be so bad.
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 1:19pm

change the format
like on an Android app, or a menu at some restaurants - have a check-box type of system, and show the necessary items. Only allow one "other" and 100 words on that.

[ ] - we will respect your privacy
[ ] - we will encrypt your password using a quality password tactic (bcrypt, etc)
[x] - we will hash your password using MD5
[x] - we will silently gather all of the data on your device
[x] - we will store all of your data in secret
[x] - we are allowed to sell your data to others for you
[ ] - other: ___
[ link to this | view in chronology ]
jupiterkansas (profile), 11 Feb 2013 @ 1:23pm

I'd rather have privacy policies that are standardized and every business must follow, but I fear that would get so complex so fast that nobody but lawyers would understand what they are.
[ link to this | view in chronology ]
- RyanNerd, 12 Feb 2013 @ 5:41am
  
  Re:
  Too late.
  [ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 1:26pm

I've always had a rule of thumb. If the privacy policy is more than one page it tells me they need some fine print to hide whatever it is they are worried about. Don't have to read a privacy policy to figure that out.

Privacy policies aren't about your privacy. What you think privacy means aren't what businesses think it means. You think it means to protect your data. Businesses think it's a way to justify invading that data.

If they can't just come out in a couple of sentences to say they don't use your data then that pretty much says it all.
[ link to this | view in chronology ]
WDS (profile), 11 Feb 2013 @ 1:28pm

100 Words?????
This is a fairly short Techdirt post. I was going to show how unrealistic the law was by counting the words in the post, but when I got to 156 in the first paragraph I changed my mind.
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 1:29pm

Sorry Mike, this article cannot pass. It is 376 words long, not counting the headline and the exerpt. You have to remove 276 words for it to be within the limits of this law.
[ link to this | view in chronology ]
gorehound (profile), 11 Feb 2013 @ 1:51pm

Another lying Hypocritical Politician.
[ link to this | view in chronology ]
McCrea (profile), 11 Feb 2013 @ 2:11pm

That bill does not define nor reference how to count words. Excessive litigation will result.
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 2:17pm

Maybe laws should be treated this way
Why can't we have laws that have a word limit (100 might be a tad low but maybe we could set a page limit and font size)? Why aren't laws crafted so that the average person of an 8th grade reading level can comprehend them? Because they couldn't hide shit in them, that's why. And that's why they can't do that to privacy policies. People will understand what is being done, assuming they actually look over it.
[ link to this | view in chronology ]
ShellMG, 11 Feb 2013 @ 3:18pm

C'mon, we're talking about lawyers.

They could get the word limit down to 100, but there would be a series of increasing "*'s" at the end of each sentence, pointing to an Addendum with several subsections.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Feb 2013 @ 3:51pm
  
  Re:
  I think it is even more likely that you get junk laws with extremely broad categories for who and what the law covers! Interestingly exceptions would be too space-consuming, so it could actually serve as a good formula for reducing the number of pages in the laws, to start with finding the formulation needing the fewest exceptions.
  [ link to this | view in chronology ]
Anonymous Cowherd, 11 Feb 2013 @ 4:16pm

"we don't care about your privacy, we give away or sell all your data, and we laugh all the way to the bank"

It's under 100 words. If that's what privacy policies boil down to, corporate lawyers shouldn't be allowed to conceal it under 50 pages of legalese.

Maybe a word-count is a ludicrously precise limitation, but some kind of rules are needed to avoid the walls of text nobody reads.
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 4:24pm

Wellwhatitwouldreallydoisresultinlongsentencesofwordsstrungtogetherwithoutanyspacesorotherdiscrenabl ebreaksinthewordsthuscreatingaprivacypolicythatconformstothelawbybeing1longmessedupword.

And everyone would have copyright on their 'creative one word' privacy policy... but I'm sure that's not what will happen
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 4:25pm

That might just run afoul of the first amendment. But since that's never stopped the government before...
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 5:10pm

New privacy policy: "Fuck You"
[ link to this | view in chronology ]
Anonymous Coward, 11 Feb 2013 @ 5:14pm

And the winner is:
We will not sell your data to anyone. (1)

In the fine print "exceptions" which are not part of the "policy" and limited to 100 words:

1: We will sell the data to partners with similar policies, otherwise, we just give it to everyone.

And the other 10k words of exceptions, limitations and other footnotes which just move the BS out of the 100 word limit.
[ link to this | view in chronology ]
G Thompson (profile), 11 Feb 2013 @ 9:26pm

Plain Language is more useful
Wouldn't it be easier to mandate that all contractual terms, policies and other legal devices by private companies be actually written in Plain English (Language) not unlike your Plain Writing Act (Federal) instead of mandating 100 words or less which will result in more legalese and latin
[ link to this | view in chronology ]
- dennis deems (profile), 12 Feb 2013 @ 7:04am
  
  Re: Plain Language is more useful
  It does say "eighth grade reading level", but everyone's having so much fun with the number 100 that they didn't notice.
  [ link to this | view in chronology ]
F!, 12 Feb 2013 @ 1:54am

follow the license model
I like what G Thompson says above about plain language. Certainly a great place to start.

I'd take it a step further - Follow the CC model of licenses, so that you can take one quick glance and know how your data will be used/abused. Also requirements for opt-in on all cases. For example:

Privacy-Complete: We will never store your data and/or use it for any reason except account management.
Privacy-1st Party: We will store your data and use it to contact you, this may or may not include opt-in/out promotions from us.
Privacy-3rd Paty/Commercial: We will use your data however we wish and you can't do squat about it, crybaby.

Might be some more distinct variations possible on this, but you get the idea.
[ link to this | view in chronology ]
RyanNerd (profile), 12 Feb 2013 @ 5:58am

There is no such thing as plain language
When a corporation can be sued for not following their privacy policy there will be no 'plain language' policy.
Also, who will be the judge of if a policy is 'plain language'?
Who will enforce that the policy is 'plain language'?
who will decide what words are acceptable for plain language?

Sounds to me like you will need to set up judicial, executive and legislative entities to ensure how "Plain Language" is decided, judged and enforced.
[ link to this | view in chronology ]
Jasmine Charter, 12 Feb 2013 @ 6:18am

My Privacy Policy
"I will take any data you give me and do whatever the heck I want with it, but I'll try not to be an arse about it. Thanks for visiting my site. I would give you more details, but the law currently prohibits me from going into details. Cheers!"
[ link to this | view in chronology ]
dennis deems (profile), 12 Feb 2013 @ 7:08am

100 words
It's just as easy to get these things right. The bill doesn't say "less than" or "under" 100 words. It says no more than. Honestly I don't understand why people find the idea so hilarious. If 100 words are insufficient to tell me what you plan to do with my data, then maybe you don't need my data.
[ link to this | view in chronology ]
- Jason, 12 Feb 2013 @ 7:36am
  
  Re: 100 words
  Yes exactly! Thank you for not being an idiot like some others commenting on here...or the person that wrote the article. How does it change the fact that privacy policies should be under 100 words just because the actual law is over 300? There is no reason for the law to follow the same standards, especially since that one law should cover as many loopholes and exceptions as it can to further prevent companies from abusing privacy policies
  [ link to this | view in chronology ]
Anonymous Coward, 12 Feb 2013 @ 10:52am

33 words
"Effective upon the signing of this bill into law, any privacy policy to apply within the United States will be not more than 100 words in length, else it is null and void."
[ link to this | view in chronology ]
Anonymous Coward, 12 Feb 2013 @ 11:01am

What about a limit on the length of a bill
I think there should be a reasonable limit on the length of a bill in congress. Maybe 10 pages? 100? Certainly something shorter than the Obamacare text, which is quoted as being anywhere from 900 to 2700 pages long. If you can't tell me for sure how long it is, it's too long.

336 words is still shockingly short, and I think this is a step in the right direction, but congress needs to work on policing themselves before they start throwing arbitrary limits at other people.
[ link to this | view in chronology ]
John, 12 Feb 2013 @ 11:30am

Unprivacy policies
Most are basically "You have none. We can do what we want. Sue us but you won't win." which can easily be done in 100 words.

An actual privacy policy would show the ways in which your information WON'T be used. That is privacy, not the ways it can be used!

The law should maybe call them "Unprivacy Policies".
[ link to this | view in chronology ]