When was the last time you read a privacy policy? I use dozens of online services—email, social networking, data storage, banking, photos, shopping, etc.—and I’ve only skimmed a couple. What does this mean for the companies that offer these services? Can they reasonably say that they have informed their users of the content of their policies, if most users simply click “Okay” without bothering to read the things?
Mobile devices and applications only exacerbate the problem. Mobile users are even more impatient than desktop users to put the apps they download to use—and the screens, well, they might be fine for reading tweets, Facebook updates, and maybe longer things of interest, but privacy policies? No thanks!
This is the strange state we live in: users increasingly want companies to protect their information, but they remain unwilling to follow basic privacy principles, such as, you know, reading a company’s privacy policy.
Jim Brock, founder of PrivacyChoice, told the New York Times:
“Everybody complains that no one reads privacy policies and that privacy policies are too long and too difficult. The mobile environment requires you to say things very succinctly, and it requires you to say things in layers.”
PrivacyChoice analyzes and indexes online privacy policies. It has compiled hundreds of online policies and used the data to create a tool that allows organizations to create compliant privacy policies without a lawyer. According to the Times:
“Developers who want to use the tool can select answers to basic questions about how they collect data, how that data is used and whether it can be deleted. … The resulting policy boils complicated policy language down to a few sentences like ‘We collect or share your location only with your permission’ or ‘We keep personal data until you delete it.’”
The app is based on law in the United States, and it is still in developers’ beta, but I’m sure Canadian organizations and application developers could apply the principles of simplicity and layers to their own privacy policies.
I think there needs to be a trade-off. Privacy policies should be written in short, plain-language sentences, and only as much information as is immediately necessary should be presented, but apps should present users with the information as needed, and require consent to proceed. If I were presented a short and clear policy statement (e.g., one–three sentences), rather than an invitation to click through to read a longer policy somewhere else, I would gladly read the former and ignore the latter. If that means I have to view these brief messages more frequently, that is the price I’ll pay to be informed. A reminder of the importance of the message might help.
Of course I have no idea if anybody else agrees!
But please let me know. Does your organization have trouble informing customers of your privacy policies? Do you worry that customers might not understand how you treat their personal information once you’ve collected it? Do you have clear policies that your employees can understand and apply?
Adam Gorley
First Reference Internal Controls, Human Resources and Compliance Editor