Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday October 11 2017, @01:35PM   Printer-friendly
from the don't-make-them-100-pages-long dept.

The key to turning privacy notices into something useful for consumers is to rethink their purpose. A company's policy might show compliance with the regulations the firm is bound to follow, but remains impenetrable to a regular reader.

The starting point for developing consumer-friendly privacy notices is to make them relevant to the user's activity, understandable and actionable. As part of the Usable Privacy Policy Project, my colleagues and I developed a way to make privacy notices more effective.

The first principle is to break up the documents into smaller chunks and deliver them at times that are appropriate for users. Right now, a single multi-page policy might have many sections and paragraphs, each relevant to different services and activities. Yet people who are just casually browsing a website need only a little bit of information about how the site handles their IP addresses, if what they look at is shared with advertisers and if they can opt out of interest-based ads. Those people doesn't[sic] need to know about many other things listed in all-encompassing policies, like the rules associated with subscribing to the site's email newsletter, nor how the site handles personal or financial information belonging to people who make purchases or donations on the site.

When a person does decide to sign up for email updates or pay for a service through the site, then an additional short privacy notice could tell her the additional information she needs to know. These shorter documents should also offer users meaningful choices about what they want a company to do – or not do – with their data. For instance, a new subscriber might be allowed to choose whether the company can share his email address or other contact information with outside marketing companies by clicking a check box.

This article was originally published on The Conversation. Read the original article.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by shrewdsheep on Wednesday October 11 2017, @02:22PM (4 children)

    by shrewdsheep (5215) on Wednesday October 11 2017, @02:22PM (#580476)

    The first principle is to break up the documents into smaller chunks...

    I don't think so. The solution would be to build broad categories analogous to the creative commons set of licenses. The policy categories would define bounds within which the specific policy would fall (IdentityRegistration-NoSharing-LocalLinking-NoCommerce, IdentityRegistration-NoSharing-CrossSiteLinking-ForCommerce (that would be google), ...). I would be willing to accept more policies knowing such a category than I do now. Of course I do not read policies at the moment, I just opt-out as soon as too many questions are asked.

    Starting Score:    1  point
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  

    Total Score:   3  
  • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 11 2017, @02:39PM

    by Anonymous Coward on Wednesday October 11 2017, @02:39PM (#580483)

    Interesting idea. One could even make those definitions machine-readable, so that you could configure your browser to block (or show only after confirmation) sites with policies that you did not mark as always-agreeable.

    Maybe a good set of blocks would be:

    • Data collected:
      • None at all
      • Only IP address
      • IP address and page history
      • Limited only by applicable law
    • Place of data collection:
      • Only local server
      • External service (e.g. Analytics, Ad tracking)
    • Collected data shared with:
      • No third parties, except as required by law
      • Third parties used to provide service
      • Any third parties providing shown content (including advertisers)
      • Any third party paying for it
    • Collected data used for:
      • Detection and mitigation of attacks/abuse only
      • Site optimization
      • Targeted advertising
      • Limited only by applicable law
  • (Score: 2) by frojack on Wednesday October 11 2017, @05:09PM

    by frojack (1554) on Wednesday October 11 2017, @05:09PM (#580581) Journal

    Smaller chunks have more problems than can be solved by mere standardization.

    ESPECIALLY when they are presented piecemeal.

    Small chunks represent something of a sneak attack, slowly boiling the Frog, in for a penny, in for a pound.
    You get comfortable using a website or an app. Then they want to some other knowledge, another right to your data, and another usage of your data.

    I don't know how many times I've gotten into an website, only to be asked for a email address for no discernible reason.

    Just do you draw that line in the sand? Especially if you've paid money for the app. Then they demand to know your location, use your GPS, or want you to key in your email address or something.

    The chunks should continue to be presented all at once in a rational order with easily understandable text, and a link to the your open source definitions.
    There should be acceptance/denial options for each.
    If a denial choice make it impossible to use the app/site or some parts there of, then you should know right then and there which parts won't work.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by JoeMerchant on Wednesday October 11 2017, @07:01PM

    by JoeMerchant (3937) on Wednesday October 11 2017, @07:01PM (#580698)

    The first principle would be to make it more difficult to operate a business that trades on personal information (which the privacy laws do, slightly.)

    Demanding personal information in exchange for things that do not need your personal information to provide is... annoying, intrusive, and there really should be an alternative to providing personal information to get the same product or service.

    --
    🌻🌻 [google.com]
  • (Score: 2) by HiThere on Wednesday October 11 2017, @07:08PM

    by HiThere (866) Subscriber Badge on Wednesday October 11 2017, @07:08PM (#580706) Journal

    That's a reasonable approach. Now how do you make it binding and beneficial to the companies using that approach?

    This is the real problem. Privacy policies are only slightly binding...bankruptcies get around them. And laws favor impermeable policies...in fact they even favor "visit our website daily, because you are bound by any changes we make to our policies there" notices. Those terms *may* not be actually legally binding, but it would take a lot of time and money with a fancy lawyer to prove that.

    As long as "customer information" is seen as a financial good, the current laws will favor companies that collect and sell it. And promises not to sell it aren't all that binding. Almost always there's a notice that says something like "we may share this information with our business partners, and those partners aren't bound by even the pretense of a promise to not sell the data.

    So any change to make not sharing the data beneficial to the company would need to be more beneficial to the company than selling the data.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.