Article on privacy policies

January 31, 2012 |

In today’s Sydney Morning Herald there is an interesting article on privacy policies. It provides:

In the spring of 2010, thousands of online customers clicked on the terms of service at and unwittingly sold their souls.

As an April Fool’s prank, the British gaming retailer slipped an “immortal soul clause” into its licence agreement, knowing full well that nobody looks at them.

“People don’t read privacy policies,” said Nick Bicanic, founder of Echoecho, a Los Angeles location app with baked in privacy features, last week. “Like nobody.”

f participants read these sorts of agreements “often and thoroughly”.

That puts everyone in a privacy quandary. It means consumers don’t really know how much personal information they’re giving up and how it might be used. It calls into question the informed consent rational for our primarily self-regulatory approach to online privacy in the United States. And it undermines the argument the industry has used to wash its hands of further responsibility: Hey we told users what we were doing.

But informing just isn’t informing when no on reads it – especially if you know no one reads it.

And let’s just get this out the way: People don’t ignore these policies because they’re lazy. People ignore them because they couldn’t possibly read all the terms they come across. It would take the average consumer more than 300 hours to read the privacy policy at the websites they visit each year, according to the high-end estimates of a 2008 study published in the technology policy journal I/S. That’s seven and-a-half standard work weeks.

The other wrinkle is that most people think the very existence of privacy disclosures means the company is operating in a responsible manner, as the Berkeley survey noted.

“When consumers see the term ‘privacy policy,’ they believe that their privacy will be protected in specific ways,” it said. “Of course, this is not the case.”

So where does this leave us?

If we choose to be honest about how human beings really behave, we’re left with a few options. First, we can place greater restrictions on how companies collect and use personal data. There are plenty of privacy advocates who argue it this way, and it should happen anyway to a certain extent.

But any such rules need to be carefully balanced against the risks of discouraging or hampering the creation of new technological tools – a point that’s easier to state in a newspaper column than it is to lay down in legal language.

The other option is to come up with improved ways of providing notice.

We’ve seen some of this already. Regulators around the world have been pushing companies to create simpler, more transparent disclosures. Citing those very directives, Google last week announced that it was consolidating the privacy policies of 60 products into a single, clearer document.

One certainly beats dozens and plain English trumps legalese. But it’ll make little difference for the vast majority of consumers.

“They’re still not going to read it,” said Jules Polonetsky, director of the Future of Privacy Forum, a Washington-based think tank.

He added that posting broad privacy policies is still important, even if consumers don’t read them. It forces companies to carefully consider how they use information, provides standards that regulators can hold them to and allows privacy wonks and tech writers to read and highlight the critical points.

But a better model for getting the message out is one developing around behavioural advertising, based on federal and industry self-regulation guidelines, Polonetsky said.

In early 2010, for instance, a group of industry and privacy groups, including the Future of Privacy Forum and TRUSTe of San Francisco, introduced a privacy label that indicates the use of targeted advertising in a more obvious way than some buried policy line.

Websites can post it to signal in a consistent way that information is being collected. Users can also click on the widget to find out more information or change their privacy settings.

One wonders, however, how the proliferation of such labels and their small, friendly appearance affects how consumers perceive the message. They can seem like stamps of approval rather than warnings, in the same way that the mere existence of broad privacy policies can.

Ryan Calo, director for privacy at Stanford’s Center for Internet and Society, offers another model for informing consumers that he calls “visceral” notice.

This approach takes advantage of technology we’re familiar with or our anthropomorphic responses to warn people about how technology is working. It’s the tech equivalent of using rumble strips instead of a “road narrows” sign, he wrote in a recent paper for Notre Dame Law Review.

For instance, laws have been proposed that would require mobile phone cameras to include a shutter-like clicking sound, so people are aware when they’ve been photographed. Another example would be to add the image of a face to a website that’s monitoring your behaviour.

The paper noted that studies have shown people are more likely to pay for coffee available on the honour system when there was a nearby picture of a set of eyes. Calo suggests the appearance of an avatar when third-party advertisers are monitoring a person’s behaviour online could make users similarly self-conscious.

They might avoid such sites, opt out of the tracking or reconsider their online actions. Or they might do nothing at all. But it would seem, at least, they’re making something closer to an informed choice.

“Experience as a form of privacy disclosure is worthy of further study before we give in to calls to abandon notice,” Calo said.


Leave a Reply

Verified by MonsterInsights