The Contradictory Goals of Privacy Policies: Which to Choose?

Peter Fleischer at Google has an interesting post about privacy policies in his personal blog. He notes that privacy policies must serve two contradictory goals: "On the one hand, privacy policies are supposed to be disclosure documents for the average end user. In other words, privacy policies are supposed to be simple, readable notices. . . . " But, Fleischer goes on to say: "On the other hand, regulators around the world, with good intentions, continually call for longer and longer privacy policies (not in those words, of course), by demanding that X, Y, and Z be disclosed."

Focusing on the goal of informing consumers with privacy policies is likely to end in failure. The simpler and shorter privacy policies are written, the less meaningful detail they will often contain. Making informed choices about privacy is quite complicated, so there's a lot to notify people about. Moreover, hardly anyone reads privacy policies. There are so many companies we do business with and websites we visit that reading all the privacy policies would take forever.

Sometimes regulators call for longer privacy policies because they want more information disclosed to consumers, but also because privacy policies function as accountability charters for companies. They are read and enforced by regulators and lawyers.

There's another goal behind privacy policies beyond informing consumers and serving as a document for regulators. Privacy policies help companies think about their privacy practices and strive to adhere to these practices. So privacy policies inform companies a lot more than they inform consumers.

To address problems of conflicting goals in privacy policies, one solution would be to have two privacy policies. One would be a simple summary of the key terms in the privacy policy and the other would be a rather detailed document that sets forth the specifics. The simple summary could help consumers get a very abbreviated sense of what a company is doing with privacy, and the detail could be referred to if consumers are interested in a deeper dive. The detailed document would be for the company's own internal benefit (as a kind of charter document) as well as for regulators to ensure that the company is following its practices.

It would also help consumers to establish a standard set of privacy terms that would apply by default. Companies could deviate from these terms only by prominently stating their deviations. This would prevent apps and other services from having no privacy policy at all, since the default terms would apply. It would also help consumers understand when companies are deviating from the default, which is much easier to comprehend than reading thousands of privacy policies and trying to work out which company offers acceptable privacy terms.

Photo: selimaksan/E+/Getty Images

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. The opinions expressed are those of the author only and not of any organization with which the author is affiliated.

Elena Elkina, JD, LLM

Privacy & Data Protection Management Executive | Data Strategist | Entrepreneur | Public Speaker

11 years

Great article and even better discussion! Thank you. It is challenging to have comprehensive privacy policies that are facing consumers. And it is even more challenging to have comprehensive privacy policies for employees. How to find the balance? This is something I am currently working on: looking at our privacy principles and policies holistically to see how we can enhance our privacy policies so they are not legalistic but easy to understand and follow. If you do not mind sharing your ideas with me I would greatly appreciate it! Please contact me directly. I would love to hear your thoughts and recommendations. Thank you!

Randy Dryer

Presidential Honors Professor, Professor of Law (Lecturer) University of Utah

11 years

I agree there are multiple goals served by a privacy policy and that the goals are often competing. I like the idea of a universally accepted set of privacy definitions or terms. The concept of two policies, however, while attractive to a consumer, would no doubt complicate things legally for the company when facing a regulatory action or class action suit for violation of the company's privacy policy.

Norman Mooradian, Ph.D., CIPP/US

Educator, Digital Ethics and Information Science

11 years

One takeaway from this very informative explanation is that, at least in the commercial sector, privacy policy statements tend to be forced disclosures. Disclosures tend to be detailed. Summarizing them is difficult. There is no value for consumers in reading them, because the business practices of entities in a sector are similar, as are their disclosures. So why spend an hour reading about the different, complicated ways an organization will violate your privacy if significantly better market choices are not available?

R. Jason Cronk

Author, Privacy and Trust Consultant

11 years

The IAPP has long maintained the distinction between the Privacy Statement, that public-facing document that serves to inform its customers and users, and the Privacy Policy, which governs their conduct. There is no reason that a company couldn't publish their policy for regulatory scrutiny and comparison against their privacy statement. I do want to mention, however, that it is my position that informed consent provides a limited basis for privacy protection. As you mentioned in your previous post about Acquisti's work, people's actions are not in line with their stated positions or (mis)understanding of the ramifications of their actions. You can tell people until you're blue in the face, but that won't necessarily prove any benefit to them.
