People Don't Read Privacy Policies… But Want Them To Be Clearer
from the sounds-good-to-me dept
We already know that people don’t read online privacy policies and often (falsely) assume that if there’s any such privacy policy it means their data is safe. There are, of course, even questions as to whether or not a privacy policy is even valid if no one reads it. Still, many consumer and privacy activists continue to act as if the privacy policy is a key aspect of online privacy. In fact, regulators in both the UK and the US seem to be admitting no one reads privacy policies, but demanding they are improved anyway. Specifically, a study done by regulators in the UK shows that 71% of people don’t read privacy policies, but 62% want them clearer.
Now, you could make the argument that the reason people don’t read privacy policies is because they are too confusing and not at all clear. And, there’s something to be said for simplifying privacy policies. To be honest, I’m surprised no one has come up with a Creative Commons-like standard setup for privacy policies (pick and choose a few attributes, have nice images, and make it all clear in a single link). However, it seems to be focused on the wrong issue. It seems likely that the uselessness of privacy policies has a lot more to do with the fact that people don’t care (or they don’t believe any privacy policy, no matter how clear) or that they think no matter what the privacy policy is, it won’t matter once the data is leaked or the company changes its policy. So rather than focusing on creating better privacy policies, shouldn’t the focus be on what companies actually do rather than what they say they do?
Filed Under: complexity, privacy, privacy policies
Comments on “People Don't Read Privacy Policies… But Want Them To Be Clearer”
Most people don't read criminal laws either
So now what, let’s get rid of them too?
The privacy policy people want to see is “We don’t own your stuff, we won’t give away your stuff, we won’t sell your stuff and we won’t use your stuff.”
Anything more complicated than that is, people assume, cunningly-written legalese for “This looks like we’re saying we don’t own your stuff, but we really do. Suckers.”
Legalese is pretty much at the point where it’s easier to guess what it says without reading it at at all and rely on an “I could not have possibly understood this, I am not a lawyer and I’m not a Swede; you wouldn’t be allowed to tell me my rights in Swedish, so nobody should be able to tell me their policies in Legalese and expect me to understand those either” defense.
Re: Re:
@Frosty840 – excellent comment, I think you captured the sentiment of many.
I know people don’t read them, but I thought it was to cover your ass?
Privacy Policies
Privacy Policies really do not matter as they can be changed on a whim. There is nothing that allows you to enforce them.
What might be needed is a HIPA for the Internet. where you must do as you say and can’t just change things when the company changes owners. Or debt load. Where there is a cost if you do not do what is right.
I think what people want is a simple, one line thing, “We collect your information and sell for beer money.” or “We don’t sell your information.”
Gobbley Gook
We just received a bunch of these privacy notices from the credit card companies, since they seem to be all changing their policies. I wonder why!?!?!?! (sarcasm).
Anyway they all read: We respect your privacy so we will sell/give/rent/trade or whatever your personal information to anyone who asks (pays) so that they can send you even more junk mail. Oh, by the way, if the personal information that we sold to some unknown entity is used to “steal” your identity, it isn’t our fault since you failed to sign-up and pay for this protection even though we said that we “protect” your data.
What also gets me, if you want to opt-out of having your information broadcast to the world, these companies make it purposely difficult. If privacy/security really mean something, the trading/selling/renting of data that a company collects should be made illegal.
Certification System
Something similar to the ISO9001 certification for privacy would be a nice replacement or even a standard privacy rating system, so that basically there are only a couple of variations on privacy agreements. Something like:
1. Completely Private
2. No Personally Identifiable Info
3. Sign Up for Spam Here!
This way, once you were familiar with the certifications, you would not have to spend 30 minutes readin through legal jargon.
“People Don’t Read Privacy Policies… But Want Them To Be Clearer” clearly nonsense since if people didn’t read tehm they wouldn’t care, but they do care as has been demonstrated often – recently by the latest facebook climb down.
“In fact, regulators in both the UK and the US seem to be admitting no one reads privacy policies….” also nonsense – ehat they actually said was that 71% did not read or understand privacy policies, not understanding is clearly not the same as not reading, and lets face it even the genius Masnicks don’t understand them.
“…uselessness of privacy policies has a lot more to do with the fact that people don’t care…” typical of the Masnicks – big business should be free to do what ever it wants without interference because nobody cares anyway.
Re: Re:
“‘People Don’t Read Privacy Policies… But Want Them To Be Clearer’ clearly nonsense since if people didn’t read tehm they wouldn’t care, but they do care as has been demonstrated often – recently by the latest facebook climb down.”
Hardly anyone read that. A very small amount of people did, took a misleading excerpt and blew it out of proportion all over the blogosphere (do people even use that term anymore…). Basically, most people read a tiny portion of the changes and started freaking out, because they thought Facebook was going to start selling user-content.
“‘In fact, regulators in both the UK and the US seem to be admitting no one reads privacy policies….’ also nonsense – ehat they actually said was that 71% did not read or understand privacy policies, not understanding is clearly not the same as not reading, and lets face it even the genius Masnicks don’t understand them.”
They’re interrelated. You don’t read them because they’re overly long and difficult to understand. You have to muddle through a bunch of ambiguous garbage to understand any of the basic concepts. I make an effort to skim through them and get what I can, but that’s more than I can say for most people I know. I mean, I think it’s safe to say most people don’t even read instruction manuals unless they’re absolutely stuck, and those usually are much easier to read (and often come with pretty pictures!)
“‘…uselessness of privacy policies has a lot more to do with the fact that people don’t care…” typical of the Masnicks – big business should be free to do what ever it wants without interference because nobody cares anyway.”
That’s not what Mike was saying; you’re taking it out of context. It’s ironic how you insult his ability to grasp things when you can’t even grasp the simple things he’s saying. What he’s saying is privacy policies are rendered useless when no one cares to navigate through them, or don’t trust that the company is going to hold true to the policy anyway.
may YOU don't
I always read the privacy policy, EULA, and any other legal documentation that comes with my software or accompanies any online accounts. So because the vast majority of people are idiots, the few that have some common sense should not be protected? Ya F*ck you.
Privacy Policies, A Neccessary Evil?
I think people are missing the point slightly here. Privacy Policies, as they exist, are an important contract (like terms of service) to which companies are held legally accountable. Unfortunately because they are often, exhaustive, they have become a lazy way for companies to communicate customer data policies and practices to consumers. Typically the privacy statement is not the location for consumers to manage their preferences about their personal or anonymous information. Facebook is one of the best examples of this. You can manage the exposure of your detailed profile information to a single person or noone. Privacy controls in their best implementation should be seamless to us.
Second thing, the free internet in all its wonder, is made possible by advertising. Advertising, while annoying sometimes, is arguably, not very harmful, and our surveys show that users prefer relevant advertising.
Re: Privacy Policies, A Neccessary Evil?
Carolyn Hodge -> Privacy Policies, as they exist, are an important contract (like terms of service) to which companies are held legally accountable.
That is what they want you to believe. In truth, the only ones that are being held to the “contract” are the users.
These EULAs and TOSs are just a means for the corps to justifiy their bad behavior. If you continue to use their service, then you have implicitly agreed to their terms. This is unconscionable and therefore not binding.
it has been done
There has been an “Iconset for Data-Privacy Declarations” proposed at influential german blog netzpolitik.org: http://netzpolitik.org/2007/iconset-fuer-datenschutzerklaerungen/
The PDF: http://netzpolitik.org/wp-upload/data-privacy-icons-v01.pdf
Privacy-Iconset Beta
Hi there,
as mentioned in the comment above, I already proposed this idea 2007 and heard afterwrds that Mary Rundle (former Harvard/Bergman-Center, now Oxford) propsed already in 2004.
We restarted working on it!
A small Kick-off-Meeting will take place, as a workshop, on the conference “Privacy OpenSpace” in beginning of April in Berlin. Here the preperation / overview:
https://www.privacyos.eu/wiki/index.php/PrivacyRightsAgreements
We have mailinglist for this circle, feel free to contact me with any question or support you may have concerning this project:
wetterfrosch@einmachglas.info
Best,
Matthias
Re: Privacy-Iconset Beta
There is an english article by the german digital-rights activist Ralf Benrath about it:
http://bendrath.blogspot.com/2007/05/icons-of-privacy.html
And other receiptions, as in this english-speaking blog:
http://konrad.foerstner.org/2007/06/google-privacy-again-and-how-to-improve-privacy-communication/
Facebook
It makes no sense that Facebook would risk messing up a good thing by edging in on people’s intellectual property. They had people’s trust and then they go and risk losing it; not smart.
Ah! An article that addresses the underlying social issues. How refreshing. Although, the rabbit hole is much deeper, there are some very serious epistemological questions about privacy and autonomy, that are completely untouched. Specifically, icons address a piece of the issues but will not be very useful until the deeper issues of transparency are first addressed. Icons are definitely a tool which provides transparency, but a better understanding of contextual values need to be identified and addressed so that icons can be applied on a scale that would be useful. So what are the deeper issues? Control, Power, Access to Information?
Dig Deeper
Ah! An article that addresses the underlying social issues. How refreshing. Although, the rabbit hole is much deeper, there are some very serious epistemological questions about privacy and autonomy, that are completely untouched. Specifically, icons address a piece of the issues but will not be very useful until the deeper issues of transparency are first addressed. Icons are definitely a tool which provides transparency, but a better understanding of contextual values need to be identified and addressed so that icons can be applied on a scale that would be useful. So what are the deeper issues? Control, Power, Access to Information?
I think if the privacy policies are written in short and bullet style format (briefing very basic points of the context), then it would be rather helpful and easy to read