The key to turning privacy notices into something useful for consumers is to rethink their purpose. A company's policy might show compliance with the regulations the firm is bound to follow, but remains impenetrable to a regular reader.
The starting point for developing consumer-friendly privacy notices is to make them relevant to the user's activity, understandable and actionable. As part of the Usable Privacy Policy Project, my colleagues and I developed a way to make privacy notices more effective.
The first principle is to break up the documents into smaller chunks and deliver them at times that are appropriate for users. Right now, a single multi-page policy might have many sections and paragraphs, each relevant to different services and activities. Yet people who are just casually browsing a website need only a little bit of information about how the site handles their IP addresses, if what they look at is shared with advertisers and if they can opt out of interest-based ads. Those people doesn't[sic] need to know about many other things listed in all-encompassing policies, like the rules associated with subscribing to the site's email newsletter, nor how the site handles personal or financial information belonging to people who make purchases or donations on the site.
When a person does decide to sign up for email updates or pay for a service through the site, then an additional short privacy notice could tell her the additional information she needs to know. These shorter documents should also offer users meaningful choices about what they want a company to do – or not do – with their data. For instance, a new subscriber might be allowed to choose whether the company can share his email address or other contact information with outside marketing companies by clicking a check box.
This article was originally published on The Conversation. Read the original article.
(Score: 3, Interesting) by shrewdsheep on Wednesday October 11 2017, @02:22PM (4 children)
I don't think so. The solution would be to build broad categories analogous to the creative commons set of licenses. The policy categories would define bounds within which the specific policy would fall (IdentityRegistration-NoSharing-LocalLinking-NoCommerce, IdentityRegistration-NoSharing-CrossSiteLinking-ForCommerce (that would be google), ...). I would be willing to accept more policies knowing such a category than I do now. Of course I do not read policies at the moment, I just opt-out as soon as too many questions are asked.
(Score: 1, Interesting) by Anonymous Coward on Wednesday October 11 2017, @02:39PM
Interesting idea. One could even make those definitions machine-readable, so that you could configure your browser to block (or show only after confirmation) sites with policies that you did not mark as always-agreeable.
Maybe a good set of blocks would be:
(Score: 2) by frojack on Wednesday October 11 2017, @05:09PM
Smaller chunks have more problems than can be solved by mere standardization.
ESPECIALLY when they are presented piecemeal.
Small chunks represent something of a sneak attack, slowly boiling the Frog, in for a penny, in for a pound.
You get comfortable using a website or an app. Then they want to some other knowledge, another right to your data, and another usage of your data.
I don't know how many times I've gotten into an website, only to be asked for a email address for no discernible reason.
Just do you draw that line in the sand? Especially if you've paid money for the app. Then they demand to know your location, use your GPS, or want you to key in your email address or something.
The chunks should continue to be presented all at once in a rational order with easily understandable text, and a link to the your open source definitions.
There should be acceptance/denial options for each.
If a denial choice make it impossible to use the app/site or some parts there of, then you should know right then and there which parts won't work.
No, you are mistaken. I've always had this sig.
(Score: 2) by JoeMerchant on Wednesday October 11 2017, @07:01PM
The first principle would be to make it more difficult to operate a business that trades on personal information (which the privacy laws do, slightly.)
Demanding personal information in exchange for things that do not need your personal information to provide is... annoying, intrusive, and there really should be an alternative to providing personal information to get the same product or service.
🌻🌻 [google.com]
(Score: 2) by HiThere on Wednesday October 11 2017, @07:08PM
That's a reasonable approach. Now how do you make it binding and beneficial to the companies using that approach?
This is the real problem. Privacy policies are only slightly binding...bankruptcies get around them. And laws favor impermeable policies...in fact they even favor "visit our website daily, because you are bound by any changes we make to our policies there" notices. Those terms *may* not be actually legally binding, but it would take a lot of time and money with a fancy lawyer to prove that.
As long as "customer information" is seen as a financial good, the current laws will favor companies that collect and sell it. And promises not to sell it aren't all that binding. Almost always there's a notice that says something like "we may share this information with our business partners, and those partners aren't bound by even the pretense of a promise to not sell the data.
So any change to make not sharing the data beneficial to the company would need to be more beneficial to the company than selling the data.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.