Privacy Commissioner says website privacy policies are too long and complex

August 15, 2013

The Privacy Commissioner has issued a media release, Privacy Commissioner: Website privacy policies are too long and complex, announcing the results of what he calls a “privacy sweep” of websites used by most Australians.  He found nearly 50% of website policies were difficult to read.  In my professional experience it is usually more than that, and sometimes difficult merges into completely incoherent.

The summary of the sweep is:

the OAIC examined the top sites most visited by Australians (sourced from Alexa.com). Some key trends observed by the OAIC included:

  • 15% had a privacy policy that was hard to find on the website
  • 9% of sites reviewed either listed no privacy contact or it was difficult to find contact information for a privacy officer
  • Almost 50% of policies raised ‘readability’ issues, ie they were considered to be too long and difficult to read
  • The average reading age of the policies was 16. None of the full privacy policies met the OAIC's preferred reading age level of 14. The OAIC used the Flesch-Kincaid Reading Ease test
  • More than 65% of privacy policies raised concerns with respect to the relevance of the information provided.  For example, some sites with .au domain names were unclear about whether the site complied with the Privacy Act 1988.

About the GPEN Internet Privacy Sweep

The first Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep took place from 6 to 12 May 2013. It is a great example of privacy enforcement authorities working together to protect the privacy rights of individuals around the world.

Nineteen privacy enforcement authorities from around the globe participated in the first GPEN Internet Privacy Sweep.  Over the week, participating authorities searched the Internet in a coordinated effort to assess privacy issues related to the common theme of ‘Privacy Practice Transparency’.  Transparency is a fundamental privacy principle common to privacy laws around the world.

The goals of the GPEN Internet Privacy Sweep initiative included: increasing public and business awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, identifying concerns which may be addressed with targeted education and/or enforcement and enhancing cooperation among privacy enforcement authorities.

The Sweep did not involve an in-depth analysis of the transparency of each website’s privacy practices, but sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.

The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Rather, it was meant to help participating authorities identify sites or mobile phone apps which may warrant further assessment or follow-up after the Sweep and/or identify trends which might guide future education and outreach.

Global Sweep results at a glance

                                                        Global (Websites)   Global (Mobile apps)   OAIC results (Websites)
Total number of websites or apps searched*              2,186               90                     47
No Privacy Policy or equivalent found                   21% (464)           54% (49)               2% (1)
Concern identified: find-ability                        23% (493)           60% (54)               15% (7)
Concern identified: contact-ability                     19% (419)           30% (27)               9% (4)
Concern identified: readability                         31% (688)           58% (52)               47% (22)
Concern identified: relevance of information provided   28% (620)           91% (82)               66% (31)
One or more concerns identified**                       50% (1,091)         92% (83)               83% (39)

* It is possible that some websites were examined by more than one Sweep participant.  Two participants looked at mobile apps, while the other participants, including the OAIC looked at websites.  

** The percentage of websites/apps for which concerns were found varied significantly among participants.  For websites, the range was between 25% and 90%.  It is important to note that participants used different criteria in assessing websites.

Major global trends observed  

  • Participants found too many websites with no privacy policy whatsoever. Among the total 2,186 websites and mobile apps examined, 23% had no privacy policy available. A greater proportion of large organisations typically had privacy policies on their websites, in comparison to small and medium-sized organisations.
  • One-third of policies raised concerns with respect to the relevance of the information provided. In some cases, sites would make brief over-generalised statements about privacy while offering no details on how organisations were collecting and using customer information. Many policies used ‘boilerplate’ language which did not take into account the relevant privacy jurisdiction. Too often, there was limited information on how organisations were collecting, using and disclosing personal information as it related to their business model.
  • Approximately 33% of privacy policies viewed raised concerns with respect to their readability. Many of these policies quoted directly from applicable legislation. In doing so, these policies provide limited benefit to the average consumer seeking a clear and concise explanation of how their information is being collected and used.
  • Mobile app privacy policies lagged behind those found on traditional websites. 92% of mobile apps reviewed in the sweep raised one or more concerns with respect to how they present information about their privacy practice, and 54% had no privacy policy at all. In some cases, organisations simply provided links to privacy policies for their websites which did not specifically address the collection and use of information within apps.

Best practices observed

  • Many organisations had privacy policies that were easily accessible, simple to read, and contained privacy-related information that consumers would be interested to know, which demonstrates that it is possible to create transparent privacy policies.
  • Many described what information is collected, for what purposes it is used, and with whom it is shared.
  • Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
  • A majority of organisations (80%) ensured that their privacy policy included contact information for the particular individual with responsibility for privacy practices within that organisation. Providing more than one option for contacting that individual (eg mail, toll-free number and/or e-mail) is a thoughtful way of ensuring there are no barriers to contacting an organisation about its privacy practices.
  • Some policies observed had been tailored for mobile apps and sites, going beyond simply providing a hyperlink to an organisation’s existing website privacy policy. Recognising that explaining privacy practices can be difficult on a mobile platform with a small screen, organisations are encouraged to find innovative ways of conveying their privacy policies on mobile devices.
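The release above reports an average "reading age" of 16 against a preferred level of 14 and names the Flesch-Kincaid test, but does not show how such a figure is produced. The following is an added worked example, not code from the OAIC or from this post's author. It implements the two published Flesch formulas (Reading Ease, and the Flesch-Kincaid Grade Level from which a reading age is derived), a heuristic syllable counter, and a pass/fail check against the 14-year target. The syllable counter, the "grade + 5" conversion from US school grade to reading age, and the two sample passages are assumptions of this example; the OAIC's exact tooling is not described on the page, so a real audit should be calibrated against a known reference text before the numbers are relied on.

```python
import re

# Vowel groups approximate syllables ("y" is treated as a vowel here).
_VOWEL_GROUPS = re.compile(r"[aeiouy]+")
_SENTENCE_END = re.compile(r"[.!?]+")
_WORD = re.compile(r"[A-Za-z']+")


def count_syllables(word: str) -> int:
    """Heuristic English syllable count (an assumption, not the OAIC's method):
    one syllable per vowel group, minus a trailing silent 'e' as in 'disclose',
    but keeping '-le' endings as in 'table'. Every word counts at least one."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(_VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text: str) -> tuple[int, int, int]:
    """Return (sentences, words, syllables) for a block of policy text."""
    sentences = [s for s in _SENTENCE_END.split(text) if s.strip()]
    words = _WORD.findall(text)
    syllables = sum(count_syllables(w) for w in words)
    return len(sentences), len(words), syllables


def flesch_reading_ease(text: str) -> float:
    """Flesch Reading Ease: 0-100 scale, higher is easier (legalese can go negative)."""
    s, w, sy = text_stats(text)
    return 206.835 - 1.015 * (w / s) - 84.6 * (sy / w)


def flesch_kincaid_grade(text: str) -> float:
    """Flesch-Kincaid Grade Level: a US school grade, the figure a 'reading age'
    is usually derived from."""
    s, w, sy = text_stats(text)
    return 0.39 * (w / s) + 11.8 * (sy / w) - 15.59


def reading_age(text: str) -> float:
    """Reading age in years. The '+5' is the common rough conversion from US grade
    to age (grade 1 at about age 6) and is an assumption of this example."""
    return flesch_kincaid_grade(text) + 5


def meets_target(text: str, target_age: float = 14.0) -> bool:
    """True when the estimated reading age is at or below target_age
    (14 is the OAIC's preferred level quoted in the release)."""
    return reading_age(text) <= target_age


# Constructed sample policy wording for illustration (not taken from any real site).
PLAIN = (
    "We collect your name and email. We use them to send your order. "
    "We do not sell your data."
)
LEGALESE = (
    "Notwithstanding the foregoing, the organisation may disclose personal "
    "information to affiliated entities, contractors and other third parties "
    "where such disclosure is reasonably necessary for the purposes of the "
    "organisation's legitimate business activities."
)

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("legalese", LEGALESE)):
        print(f"{label:9s} (sentences, words, syllables)={text_stats(sample)} "
              f"ease={flesch_reading_ease(sample):6.1f} "
              f"grade={flesch_kincaid_grade(sample):5.1f} "
              f"reading age={reading_age(sample):5.1f} "
              f"meets 14? {meets_target(sample)}")
```

The two samples make the point of the release concrete: three short sentences of plain language score around grade 1, while a single 32-word sentence of boilerplate scores above grade 25, which is why quoting legislation verbatim fails a readability target even when it is legally accurate. Because the syllable heuristic is approximate, treat the output as a ranking and screening tool rather than a precise age.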

This release was reported in ZDNet here in Many privacy policies are long, complex: OAIC. The Atlantic last year published a very interesting article on the dark arts of privacy policy drafting, and on the complexity and length of the policies, in Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days.  It provides:

One simple answer to our privacy problems would be if everyone became maximally informed about how much data was being kept and sold about them. Logically, to do so, you’d have to read all the privacy policies on the websites you visit. A few years ago, two researchers, both then at Carnegie Mellon, decided to calculate how much time it would take to actually read every privacy policy you should.

First, Lorrie Faith Cranor and Aleecia McDonald needed a solid estimate for the average length of a privacy policy. The median length of a privacy policy from the top 75 websites turned out to be 2,514 words. A standard reading rate in the academic literature is about 250 words a minute, so each and every privacy policy costs each person 10 minutes to read.

Next, they had to figure out how many websites, each of which has a different privacy policy, the average American visits. Surprisingly, there was no really good estimate, but working from several sources including their own monthly tallies and other survey research, they came up with a range of between 1,354 and 1,518 with their best estimate sitting at 1,462.

So, each and every Internet user, were they to read every privacy policy on every website they visit would spend 25 days out of the year just reading privacy policies! If it was your job to read privacy policies for 8 hours per day, it would take you 76 work days to complete the task. Nationalized, that’s 53.8 BILLION HOURS of time required to read privacy policies.

To put a dollar amount on this massive time suck, Cranor and McDonald followed some standard procedures that the economics literature suggests could be used to calculate the opportunity cost of tasks. First, they split up web surfing between work and home visits. For work visits, they valued the time spent reading privacy policies at two times that worker’s wages to take into account overhead and salary. For home visits, they multiplied the time spent reading at home by one-quarter of average wages. (A simpler hours multiplied by wages calculation would yield a higher cost than the one the researchers calculate here.)

The net effect of all this complicated figuring is that the researchers calculated the hypothetical opportunity cost to the nation of actually reading the Internet’s privacy policies. The number they came up with is stunning:

[Image: realcostofprivacy_615.jpg]


That’s greater than the GDP of Florida, which has the fourth largest state economy in the US.

It’s also worth noting that this calculation was made in 2008, so undoubtedly, the number would be larger today, given the growth of the U.S. Internet population and the number and diversity of websites. Of course, no one is actually going to read all those privacy policies. What that massive number tells us is that the way we deal with privacy is fundamentally broken. The collective weight of the web’s data collection practices is so great that no one can maintain a responsible relationship with his or her own data. That’s got to change.

There are no doubt a number of reasons why policies are often bloated verbiage.  In my observation poor draftsmanship is a contributing factor.  Brevity is sometimes regarded as poor drafting, despite the fact that the opposite should be the case. Another issue is that privacy policies are drafted as complex documents by lawyers who are not well versed in privacy law or in the purpose of such policies.  Sometimes it appears that privacy policies are drafted by lawyers who are, at heart and in practice, commercial practitioners who draft contracts and securities.  Every contingency seems to be covered, including those which are not contemplated by, or capable of being contemplated under, the legislation.  It is possible that in some cases privacy policies are deliberately obfuscatory and, to use a legal term, oppressive.  Those policies do the opposite of what they are supposed to do, which is to explain and inform a person of their rights, their options and what will be done with their personal information.

A privacy policy which, by obfuscation and complexity, confuses and bewilders the reader should be regarded in the same way as a policy which is cursory and omits necessary information.  It will be interesting to see how the Privacy Commissioner exercises his new powers from 12 March 2014 regarding organisations’ obligations to maintain a proper privacy policy.
