The Privacy Blog: Privacy, Security, Cryptography, and Anonymity

May 2, 2013

Why California’s Suggested 100 Word Privacy Policy is the Best Worst Idea

A guest post by Janelle Pierce who enjoys writing about various business issues, and spends her time answering questions like, “what is point of sale”?


Just last month California’s Assemblymember Ed Chau (D-Alhambra) introduced a bill that would require the website privacy policy of any company located in California to be no more than 100 words long, and written at the reading level of an 8th grade student.

While Chau’s practice-what-you-preach, 64-word bill has garnered a lot of negative press lately, one thing is for certain: it has gotten people talking about something most people don’t talk about, the privacy policy. For those who don’t know what a privacy policy is, it’s simply the legal document that most websites collecting personal information are required to post. According to Wikipedia.org, a privacy policy is:

“A statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client’s data. Personal information can be anything that can be used to identify an individual, not limited to but including; name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where you travel, and intentions to acquire goods and services.”

Whenever you register a username on a website, whether for free e-mail, picture sharing, or social networking, you must agree to the site’s established privacy policy. Generally speaking, most users simply click “accept” without ever reading, much less understanding, what is written in the privacy policy. This is often because site privacy policies are long, written in confusing legalese, and overshadowed by the false assumption that a site with a privacy policy will keep your data private. While I do agree that ultimately the responsibility for reading and understanding the privacy policy lies with the users of a site, the same responsibility also falls on those who write and present the policy.

Which brings me to the point I’d like to make: I think Chau’s idea to cap privacy policies at 100 words, and to require that they be written at an eighth-grade reading level, is a good one. However, I do feel it has a few drawbacks that nearly undermine its credibility. First, requiring that a legal document be 100 words or less is a little short-sighted. Don’t get me wrong, I think the thought behind making this otherwise lengthy, unreadable, and downright obnoxious (yet important) document accessible to everyone is a great goal, but a limit of 100 words doesn’t give a company the chance to disclose everything it needs to disclose. A maximum word count should be required, but there is no reason it needs to be so low.

Second, I think requiring an eighth-grade reading level is an excellent idea. Too often these policies are chock-full of legal words and phrases that even college-educated users cannot make sense of. That being said, I think Chau’s attempt at “rewriting” the privacy policy is a good one, albeit a little short-sighted. Like many things in life that we’ve put up with for too long, the privacy policy is definitely in need of an overhaul. However, trying to fix all of its shortcomings at once and in such an aggressive manner may not be the right approach. There’s no doubt that something needs to be done about the state of the average privacy policy, but rushing headlong into it so aggressively tends to alienate people who would otherwise be supporters of Chau’s intention.

For help creating a privacy policy you can contact a business lawyer or simply use an online privacy policy generator.

Do you read privacy policies or simply click “accept”? Share your thoughts below.


2 comments

  • erin · May 2, 2013 at 2:53 pm

    Hi Lance, just got wind of your privacy thought blog. On the most recent post re: the CA 100-word privacy policy, there’s definitely a movement to simplify and make transparent privacy policies. The most visible on the national scale is NTIA’s work in developing a code of conduct for mobile app developers re: privacy policies and practices, viz. ‘short form notices’ and symbols. I agree in general that these policies need to be more consumable by users (including consumers). However, I think that dumbing them down can be dangerous insofar as it may perpetuate a false perception of user control (not to mention kicking the can down the road). IOW, if ultimately the resolution of a privacy dispute anchors on the long-form privacy policy, which is deliberately vague and/or contains loopholes that one could drive a 16-wheeler through, have we really moved the ball forward from a privacy protection standpoint? I see potential value in these types of efforts raising the bar for de facto data protection and privacy practices in an industry that is essentially unregulated. At the end of the day, it’s going to take lash-on-back enforcement actions (e.g., FTC or state consumer protection agency) and/or reputation calamities to motivate companies to walk the privacy talk. Finally and relatedly, more attention needs to be paid to making transparent the link between companies’ policy-violating actions and the privacy loss event.

  • erin · May 3, 2013 at 3:37 pm

    Serendipitously, this is exactly why focusing efforts on privacy policies sans enforcement exposes it as busywork at best and a deflection at worst: http://www.latimes.com/business/la-fi-digital-privacy-20130503,0,7322818.story?goback=.gde_1807664_member_235386389
