Proposed Law: Privacy Policies Must Be Less Than 100 Words (Says 336 Word Bill)
from the lawyers-are-not-good-at-being-brief dept
I've stated in the past that the whole concept of "privacy policies" is a failed concept. No one reads them, those who do read them don't understand them, and most people incorrectly think that if you have a privacy policy, it means you keep information private. That's not the case. Since the only way you get into legal trouble is by violating your privacy policy, the incentives are totally screwed up: sites have the incentive to make their privacy policies as broad as possible, allowing them to do as much as possible. Since users think any privacy policy means they're safe, then the "ideal" privacy policy is one that says "we don't care about your privacy, we give away or sell all your data, and we laugh all the way to the bank" (more or less). The user thinks their data is secure, while the site has nothing to worry about since they won't "violate" the policy.
And, yet, politicians still seem to focus on privacy policies, as if they're a legitimate replacement for actually doing something to protect privacy. In pointing out how silly privacy policies are, a year ago, we noted that you'd need to take a month off from work each year to actually read all the privacy policies you encounter on a normal basis. It appears that California Assemblymember Ed Chau has a solution to all of this (as pointed out by Eric Goldman): just pass a law that requires all privacy policies to be less than 100 words. Seriously.
"This bill would require the privacy policy to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared."
While I'm all for having things like terms of service and privacy policies be more simplified, I still don't see how it's particularly useful to legislate this. Also, lawyers aren't exactly known for their ability to be pithy. Having worked on a couple of privacy policies with lawyers in the past, finding someone who can get such a policy under 100 words would be very, very tricky.
And, not to be snarky or anything, but the text of the law itself (removing the digest explanation and preamble) clocks in at 336 words. So... if your law saying that all privacy policies must be under 100 words can't be written in under 100 words, perhaps you've highlighted the problem with your own law.
Filed Under: 100 words, california, privacy, privacy policies
Reader Comments
suddenly...
"Mr. Website, come up to the front of the class and explain your privacy policy in under 100 words."
"But, teacher, I can't do that."
"Then you get an F, now go stand in the corner until lunch time."
[ link to this | view in chronology ]
Re: Re: suddenly...
I got Fs in elementary school, Jr High and High School, all it did was motivate me to do better and learn from my mistakes.
[ link to this | view in chronology ]
Re: Re:
Lenny: Uh, okay. I'm a good... work... guy...
Mr. Burns: You're fired.
Lenny: But I didn't say it.
Mr. Burns: You will.
[He pulls a lever, dropping Lenny down a trapdoor]
Lenny: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.
[ link to this | view in chronology ]
I can see it now "No your stuff isn't private. Yes we will sell your email and pictures, but you'll still use us and hate that you love the experience"
OR count on companies creating some new very creative words.
Hmm 68 word comment. This might not be so bad.
[ link to this | view in chronology ]
change the format
[ ] - we will respect your privacy
[ ] - we will encrypt your password using a quality password tactic (bcrypt, etc)
[x] - we will hash your password using MD5
[x] - we will silently gather all of the data on your device
[x] - we will store all of your data in secret
[x] - we are allowed to sell your data to others for you
[ ] - other: ___
[ link to this | view in chronology ]
Privacy policies aren't about your privacy. What you think privacy means isn't what businesses think it means. You think it means to protect your data. Businesses think it's a way to justify invading that data.
If they can't just come out in a couple of sentences to say they don't use your data then that pretty much says it all.
[ link to this | view in chronology ]
100 Words?????
[ link to this | view in chronology ]
Maybe laws should be treated this way
[ link to this | view in chronology ]
They could get the word limit down to 100, but there would be a series of increasing "*'s" at the end of each sentence, pointing to an Addendum with several subsections.
[ link to this | view in chronology ]
It's under 100 words. If that's what privacy policies boil down to, corporate lawyers shouldn't be allowed to conceal it under 50 pages of legalese.
Maybe a word-count is a ludicrously precise limitation, but some kind of rules are needed to avoid the walls of text nobody reads.
[ link to this | view in chronology ]
And everyone would have copyright on their 'creative one word' privacy policy... but I'm sure that's not what will happen
[ link to this | view in chronology ]
And the winner is:
In the fine print "exceptions" which are not part of the "policy" and limited to 100 words:
1: We will sell the data to partners with similar policies, otherwise, we just give it to everyone.
And the other 10k words of exceptions, limitations and other footnotes which just move the BS out of the 100 word limit.
[ link to this | view in chronology ]
Plain Language is more useful
[ link to this | view in chronology ]
follow the license model
I'd take it a step further - Follow the CC model of licenses, so that you can take one quick glance and know how your data will be used/abused. Also requirements for opt-in on all cases. For example:
Privacy-Complete: We will never store your data and/or use it for any reason except account management.
Privacy-1st Party: We will store your data and use it to contact you, this may or may not include opt-in/out promotions from us.
Privacy-3rd Party/Commercial: We will use your data however we wish and you can't do squat about it, crybaby.
Might be some more distinct variations possible on this, but you get the idea.
[ link to this | view in chronology ]
There is no such thing as plain language
Also, who will be the judge of if a policy is 'plain language'?
Who will enforce that the policy is 'plain language'?
Who will decide what words are acceptable for plain language?
Sounds to me like you will need to set up judicial, executive and legislative entities to ensure how "Plain Language" is decided, judged and enforced.
[ link to this | view in chronology ]
My Privacy Policy
[ link to this | view in chronology ]
100 words
[ link to this | view in chronology ]
33 words
[ link to this | view in chronology ]
What about a limit on the length of a bill
336 words is still shockingly short, and I think this is a step in the right direction, but congress needs to work on policing themselves before they start throwing arbitrary limits at other people.
[ link to this | view in chronology ]
Unprivacy policies
An actual privacy policy would show the ways in which your information WON'T be used. That is privacy, not the ways it can be used!
The law should maybe call them "Unprivacy Policies".
[ link to this | view in chronology ]