Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday October 11, @01:35PM   Printer-friendly
from the don't-make-them-100-pages-long dept.

The key to turning privacy notices into something useful for consumers is to rethink their purpose. A company's policy might show compliance with the regulations the firm is bound to follow, but remains impenetrable to a regular reader.

The starting point for developing consumer-friendly privacy notices is to make them relevant to the user's activity, understandable and actionable. As part of the Usable Privacy Policy Project, my colleagues and I developed a way to make privacy notices more effective.

The first principle is to break up the documents into smaller chunks and deliver them at times that are appropriate for users. Right now, a single multi-page policy might have many sections and paragraphs, each relevant to different services and activities. Yet people who are just casually browsing a website need only a little bit of information about how the site handles their IP addresses, if what they look at is shared with advertisers and if they can opt out of interest-based ads. Those people doesn't[sic] need to know about many other things listed in all-encompassing policies, like the rules associated with subscribing to the site's email newsletter, nor how the site handles personal or financial information belonging to people who make purchases or donations on the site.

When a person does decide to sign up for email updates or pay for a service through the site, then an additional short privacy notice could tell her the additional information she needs to know. These shorter documents should also offer users meaningful choices about what they want a company to do – or not do – with their data. For instance, a new subscriber might be allowed to choose whether the company can share his email address or other contact information with outside marketing companies by clicking a check box.

This article was originally published on The Conversation. Read the original article.


Original Submission

Display Options Threshold/Breakthrough

Reply to Article

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: -1, Disagree) by Anonymous Coward on Wednesday October 11, @01:42PM (17 children)

    by Anonymous Coward on Wednesday October 11, @01:42PM (#580456)

    an additional short privacy notice could tell her the additional information she needs to know.

    The word "she" is specifically for a special, unusual, or cherished thing such as a boat or a female; that's why "he" is associated with masculinity, because males are expendable.

    The quoted sentence should use "him" and "he".

    • (Score: 2, Touché) by Anonymous Coward on Wednesday October 11, @01:45PM

      by Anonymous Coward on Wednesday October 11, @01:45PM (#580457)

      Nobody reads the whole summary; there's no way to fix that, either.

    • (Score: 2, Disagree) by meustrus on Wednesday October 11, @02:56PM (11 children)

      by meustrus (4961) <reversethis-{moc.liamg} {ta} {surtsuem}> on Wednesday October 11, @02:56PM (#580494)

      It's common in communications like this to alternate genders when the target is ambiguous. It's the more traditionally acceptable alternative to using "them" or invented pronouns like "xe".

      • (Score: 3, Informative) by Anonymous Coward on Wednesday October 11, @03:16PM (9 children)

        by Anonymous Coward on Wednesday October 11, @03:16PM (#580508)

        No, it is not common and it is certainly not traditional.
        Quit telling lies. Default catch-all pronoun in the male one; if you don't want to use that, avoid prounouns and use posessives like "the customer's."

        • (Score: -1, Troll) by Anonymous Coward on Wednesday October 11, @04:33PM (8 children)

          by Anonymous Coward on Wednesday October 11, @04:33PM (#580556)

          I remember the days when the expected way to do it was "he or she" and "his or her." But that is too wordy, I guess for these new people so they'd rather inconvenience everyone else instead of typing more letters. And that isn't even getting into the whole "gender isn't binary," which I still don't understand. I mean, you need a guy with the proper gonads and equipment and a gal with the proper gonads and equipment to make more guys and gals. Sure there are different ways to express that, but it doesn't change the fact that on a biological level you are one or the other.

          • (Score: 3, Insightful) by HiThere on Wednesday October 11, @06:56PM (3 children)

            by HiThere (866) on Wednesday October 11, @06:56PM (#580691)

            That was for a relatively brief period. I think it was common for less than five years. And there was a period when people were inventing pronouns. Which was common for only a short time.

            If you're going to be traditional, then "he" is the gender neutral pronoun. If you're less traditional then there are various ways, the most common of which is to avoid pronouns, but occasionally I'll use the plural form when talking about a single entity, if the other approaches seem too clumsy.

            --
            Put not your faith in princes.
            • (Score: 2) by acid andy on Wednesday October 11, @08:16PM (2 children)

              by acid andy (1683) on Wednesday October 11, @08:16PM (#580769)

              If you're going to be traditional, then "he" is the gender neutral pronoun.

              The biggest problem I have with it is that it can actually mislead the reader:

              I squinted at the shadowy figure, struggling to make out detail in the haze. The figure strode purposefully over to the base of cliff and then he stretched an arm up and began to climb.

              This makes it seem to the reader that perhaps I was able to determine the gender of the shadowy figure and that if so, the figure was a male. If "he" is being used in a gender neutral way, then that is false information.

              --
              Make hay whilst the intervening mass is insufficient to inhibit the perceived intensity of incoming solar radiation.
              • (Score: 2) by HiThere on Wednesday October 11, @11:05PM

                by HiThere (866) on Wednesday October 11, @11:05PM (#580838)

                I'm not claiming that the traditional usage is free of problems. It clearly isn't, and I, for one, try to avoid it. But it *is* the traditional usage.

                --
                Put not your faith in princes.
              • (Score: 0) by Anonymous Coward on Thursday October 12, @12:59AM

                by Anonymous Coward on Thursday October 12, @12:59AM (#580884)

                The misinterpretation is the reader's (e.g., yours). Unless the author states that it's a man, you shouldn't assume that it is; that assumption is... shall we say... your unconscious, sexist bias—it's clearly a microaggression against the author.

                Your whole life, you've misinterpreted the word "he".

          • (Score: 1, Informative) by Anonymous Coward on Wednesday October 11, @07:07PM

            by Anonymous Coward on Wednesday October 11, @07:07PM (#580705)

            I'm blind, and I think this "color" thing these "sighted" people tell me about is a conspiracy by libtards. I've never experienced sight in my life, so I don't understand it. I think people who claim objects have "color" are mentally ill.

            (Sorry. I know we have at least one user without eyesight here. No offense intended. It's just that the sighted users seem to be blind to other things. The gender-blind leading the gender-blind. It's amazing. But I guess having sight isn't an advantage if 99.99% of the world is blind. If you share things you've observed with this sense that 99.99% of other people don't have, you just come across as crazy, especially if your observations don't fit neatly with either "side" in this supposed debate about things that are just fucking plain as daylight. Then, of course, a bunch of SJWs, who are equally blind and completely misapprehending everything they've ever heard about wavelengths and colors, will make a royal fucking mess out of it all.)

            (Hmm, I probably could have shorted that up by mentioning blind men and an elephant. However, that metaphor has never sat well with me, because it makes fools of the blind only because it presumes that the blind men are ignorant of elephants. Maybe I'm just overthinking it. What the blind men can't tell you, though, is that the elephant is grey, because colors are an SJW conspiracy, as established above.)

            …it doesn't change the fact that on a biological level you are one or the other.

            All except for the fact that at the biological level things are messy and you're just flat out wrong. But here I am trying to convince blind people of the color of the sky again.

            Maybe that right there is true proof of my insanity.

            Keep groping at that elephant. Hope it doesn't stomp you.

          • (Score: 2) by meustrus on Wednesday October 11, @10:00PM (2 children)

            by meustrus (4961) <reversethis-{moc.liamg} {ta} {surtsuem}> on Wednesday October 11, @10:00PM (#580814)

            "He" may be the traditional ambiguous pronoun, but it fails to convey that the gender is ambiguous. acid andy posted a good example of when this might be important [soylentnews.org]. In that case, the better pronoun might be "it", but unfortunately that implies a lack of personhood.

            In technical documentation, it generally doesn't make any difference to the clarity. But it does make a difference for comfort and identity. The difference is small, but considering that we have a massive shortage of competent women in STEM, it's worth trying to solve even small discomfort.

            I would personally avoid pronouns, although that makes it much harder to construct sentences that aren't super awkward. But the alternating-gender strategy is not wholly invented in this one post, and it's not worth getting your knickers in a twist. It's not like a better-qualified male pronoun was passed over for the job.

      • (Score: 2) by Phoenix666 on Wednesday October 11, @05:37PM

        by Phoenix666 (552) on Wednesday October 11, @05:37PM (#580614) Journal

        I thought that was resolved with "shklee [theinfosphere.org]."

        --
        Washington DC delenda est.
    • (Score: 2) by acid andy on Wednesday October 11, @08:08PM (3 children)

      by acid andy (1683) on Wednesday October 11, @08:08PM (#580761)

      Just use they / them already!

      an additional short privacy notice could tell them the additional information they need to know.

      It sounds perfectly fine. The meaning is clear and there's no ambiguity over single versus plural because the person has already been introduced at the start of the sentence.

      Surely, surely this is infinitely preferable to the awful clumsiness of alternating genders or using "he" or some other made up words?

      The amount of time people spend arguing over this seems to suggest that my solution must be absolutely intolerable to a great number of people, otherwise everyone would just STFU and use it. So seriously, what gives?

      --
      Make hay whilst the intervening mass is insufficient to inhibit the perceived intensity of incoming solar radiation.
      • (Score: -1, Troll) by Anonymous Coward on Thursday October 12, @12:55AM (2 children)

        by Anonymous Coward on Thursday October 12, @12:55AM (#580882)

        Sure, [ab]using the plural forms works for everyday, mundane discussions in vernacular, casual speech. However, when precise language is important, such usage totally destroys the ability to convey nuance.

        This is the reason that sentences in modern mathematical logic are constructed in terms of individuals rather than groups (unlike the old, tired, limited Aristotelian logical forms). [Ab]using the plural forms not only betrays heuristic failures in the mind and thus poor thinking, but also leads to further poor thinking.

        • (Score: 2) by acid andy on Thursday October 12, @08:28AM (1 child)

          by acid andy (1683) on Thursday October 12, @08:28AM (#581034)

          However, when precise language is important, such usage totally destroys the ability to convey nuance.

          As does [ab]using the masculine form. There may be a historical precedent for its use but that doesn't make it any more logical or unambiguous.

          See my example here [soylentnews.org] for the ambiguity.*

          Honestly, the only form I can see that would fit your very specific criteria would be "it" (It would have worked well in my shadowy figure example) but don't be surprised if that causes you a few problems when you use it in some contexts in polite society.

          *Note though that "base of cliff" should be "base of the cliff".

          --
          Make hay whilst the intervening mass is insufficient to inhibit the perceived intensity of incoming solar radiation.
          • (Score: 0) by Anonymous Coward on Thursday October 12, @09:38AM

            by Anonymous Coward on Thursday October 12, @09:38AM (#581050)

            How many times must this be pointed out to you?

            If you want to refer to a male explicitly, then use an articled "man": "a man", or "the man".

            Of course the word "it" cannot be used; there is a need to speak of non-human things (human language is mainly about expressing the human experience):

                He and she did it in from of them.

  • (Score: 4, Insightful) by Anonymous Coward on Wednesday October 11, @01:51PM

    by Anonymous Coward on Wednesday October 11, @01:51PM (#580463)

    The only purpose of privacy policies it to get around privacy laws by pretending that by not reading the privacy policy users consent.

    I have noticed that they share their view on consent with rapists.

  • (Score: 3, Insightful) by Anonymous Coward on Wednesday October 11, @02:22PM (6 children)

    by Anonymous Coward on Wednesday October 11, @02:22PM (#580475)

    Nobody should read privacy policies because they don't matter whatsoever.

    If a service collects personal information then it will be shared. Even when an upstanding business promises not to do nefarious things (and intends to keep their promise) one of two things will inevitably happen:

    • Attackers obtain copies of the databases and sell or leak them, or
    • The business goes bankrupt, and the personal information is sold by creditors not bound by the privacy policy.
    • (Score: 3, Funny) by The Mighty Buzzard on Wednesday October 11, @02:46PM (2 children)

      Yes, they do. They let you know which company is trying to screw you and which is willing to give you a reach-around whilst doing so.

      --
      Save Ferris!
      • (Score: 0) by Anonymous Coward on Wednesday October 11, @04:14PM (1 child)

        by Anonymous Coward on Wednesday October 11, @04:14PM (#580543)

        They let you know which company is going to screw you...

        FTFY

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @05:19PM

          by Anonymous Coward on Wednesday October 11, @05:19PM (#580588)

          They let you know which company is screwing you...

          FTFY

    • (Score: 2) by JoeMerchant on Wednesday October 11, @06:58PM

      by JoeMerchant (3937) on Wednesday October 11, @06:58PM (#580693)

      The business goes bankrupt, and the personal information is sold by creditors not bound by the privacy policy.

      Actually, the point of the written and agreed upon privacy policy is, in part, so that the successors and assigns of such information as is covered by the policy are also bound by the agreement. This would, in theory, extend to creditors, liquidators, and anyone who comes into possession of the covered information.

      In practice: yeah, sure, whatevah, so sue me.

    • (Score: 2) by stretch611 on Wednesday October 11, @07:11PM

      by stretch611 (6199) on Wednesday October 11, @07:11PM (#580709)

      Not to mention the number of companies that later change their privacy policy after you read it. You may get a blurb saying it changed and that you need to re-read it.

      And lets face it, there are plenty of companies that lie and say one thing while doing another. The FTC does go after these companies, but not nearly as often as necessary and their legal action results in a fine, but your data is still out there being shared to everyone willing to pay.

    • (Score: 2) by bob_super on Wednesday October 11, @09:31PM

      by bob_super (1357) on Wednesday October 11, @09:31PM (#580801)

      You forgot the most common: The privacy policy gets "updated" (read: gutted) and the company does what it wants.
      In the best of cases, you'll get a notice of the update, which nobody will ever read.

  • (Score: 3, Interesting) by shrewdsheep on Wednesday October 11, @02:22PM (4 children)

    by shrewdsheep (5215) on Wednesday October 11, @02:22PM (#580476)

    The first principle is to break up the documents into smaller chunks...

    I don't think so. The solution would be to build broad categories analogous to the creative commons set of licenses. The policy categories would define bounds within which the specific policy would fall (IdentityRegistration-NoSharing-LocalLinking-NoCommerce, IdentityRegistration-NoSharing-CrossSiteLinking-ForCommerce (that would be google), ...). I would be willing to accept more policies knowing such a category than I do now. Of course I do not read policies at the moment, I just opt-out as soon as too many questions are asked.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 11, @02:39PM

      by Anonymous Coward on Wednesday October 11, @02:39PM (#580483)

      Interesting idea. One could even make those definitions machine-readable, so that you could configure your browser to block (or show only after confirmation) sites with policies that you did not mark as always-agreeable.

      Maybe a good set of blocks would be:

      • Data collected:
        • None at all
        • Only IP address
        • IP address and page history
        • Limited only by applicable law
      • Place of data collection:
        • Only local server
        • External service (e.g. Analytics, Ad tracking)
      • Collected data shared with:
        • No third parties, except as required by law
        • Third parties used to provide service
        • Any third parties providing shown content (including advertisers)
        • Any third party paying for it
      • Collected data used for:
        • Detection and mitigation of attacks/abuse only
        • Site optimization
        • Targeted advertising
        • Limited only by applicable law
    • (Score: 2) by frojack on Wednesday October 11, @05:09PM

      by frojack (1554) Subscriber Badge on Wednesday October 11, @05:09PM (#580581) Journal

      Smaller chunks have more problems than can be solved by mere standardization.

      ESPECIALLY when they are presented piecemeal.

      Small chunks represent something of a sneak attack, slowly boiling the Frog, in for a penny, in for a pound.
      You get comfortable using a website or an app. Then they want to some other knowledge, another right to your data, and another usage of your data.

      I don't know how many times I've gotten into an website, only to be asked for a email address for no discernible reason.

      Just do you draw that line in the sand? Especially if you've paid money for the app. Then they demand to know your location, use your GPS, or want you to key in your email address or something.

      The chunks should continue to be presented all at once in a rational order with easily understandable text, and a link to the your open source definitions.
      There should be acceptance/denial options for each.
      If a denial choice make it impossible to use the app/site or some parts there of, then you should know right then and there which parts won't work.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by JoeMerchant on Wednesday October 11, @07:01PM

      by JoeMerchant (3937) on Wednesday October 11, @07:01PM (#580698)

      The first principle would be to make it more difficult to operate a business that trades on personal information (which the privacy laws do, slightly.)

      Demanding personal information in exchange for things that do not need your personal information to provide is... annoying, intrusive, and there really should be an alternative to providing personal information to get the same product or service.

    • (Score: 2) by HiThere on Wednesday October 11, @07:08PM

      by HiThere (866) on Wednesday October 11, @07:08PM (#580706)

      That's a reasonable approach. Now how do you make it binding and beneficial to the companies using that approach?

      This is the real problem. Privacy policies are only slightly binding...bankruptcies get around them. And laws favor impermeable policies...in fact they even favor "visit our website daily, because you are bound by any changes we make to our policies there" notices. Those terms *may* not be actually legally binding, but it would take a lot of time and money with a fancy lawyer to prove that.

      As long as "customer information" is seen as a financial good, the current laws will favor companies that collect and sell it. And promises not to sell it aren't all that binding. Almost always there's a notice that says something like "we may share this information with our business partners, and those partners aren't bound by even the pretense of a promise to not sell the data.

      So any change to make not sharing the data beneficial to the company would need to be more beneficial to the company than selling the data.

      --
      Put not your faith in princes.
  • (Score: 3, Insightful) by meustrus on Wednesday October 11, @02:52PM (10 children)

    by meustrus (4961) <reversethis-{moc.liamg} {ta} {surtsuem}> on Wednesday October 11, @02:52PM (#580490)

    It is not in web site owners best interests to make privacy policies more accessible. More accessible, actionable privacy policies would either mean a) some users decide not to participate, or b) some monetization strategies become untenable. The status quo, where users don't ever read the policies and they are legally in the clear, is the best situation for them.

    • (Score: 3, Informative) by The Mighty Buzzard on Wednesday October 11, @03:12PM (9 children)

      Depends on the site. We, for instance, try to collect as little as possible information and share that information with nobody (we encrypt the small amount of metadata necessary to know who paid for what that we send with subscription payment requests). It's in our interest that this policy be known.

      --
      Save Ferris!
      • (Score: 1, Touché) by Anonymous Coward on Wednesday October 11, @04:17PM (1 child)

        by Anonymous Coward on Wednesday October 11, @04:17PM (#580547)

        Yeah, but you guys are weird like that... :P

      • (Score: 2) by rigrig on Wednesday October 11, @05:54PM (4 children)

        by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Wednesday October 11, @05:54PM (#580629) Homepage

        It's in our interest that this policy be known.

        Maybe it could be linked to a bit more prominent, like in the footer and from the registration form?

        It took me quite a while to find the draft version on the wiki (an obsolete TodoList being the first search result for "privacy policy" [soylentnews.org] didn't help)
        Even if it's just a page with

        SoylentNews doesn't have an official privacy policy (yet [soylentnews.org]).
        That said, we try to collect as little as possible information and share that information with nobody (we encrypt the small amount of metadata necessary to know who paid for what that we send with subscription payment requests).

        (or even a direct link to the wiki)

        --
        No one remembers the singer.
      • (Score: 2) by number11 on Wednesday October 11, @07:05PM

        by number11 (1170) on Wednesday October 11, @07:05PM (#580702)

        Yes, but this website is not a very representative of websites in general. For one thing, you Big Soys aren't frantically pushing to monetize the site. You're also probably a bit more aware of the potential downfalls (and, between the libertarians and the lefties, know that we'd pounce if we found anything).

        Of the 20 tabs I have open at the moment, there are only 2 others that I even suspect might have a similar philosophy (both are news sites funded by donations and perhaps media syndication fees of their radio and TV programs). But I can't find a privacy policy on either for website visitors (there are policies re donors, where they obviously have to keep a bit more information). I'll give an honorable mention to The Intercept, whose privacy policy, while long, is written in coherent English instead of boilerplate, and points out 18 third parties (including AWS and Cloudflare) that you might be exposed to when you visit.

      • (Score: 2) by meustrus on Wednesday October 11, @10:06PM

        by meustrus (4961) <reversethis-{moc.liamg} {ta} {surtsuem}> on Wednesday October 11, @10:06PM (#580816)

        And that's truly commendable! But I'm sure you'll agree that the SoylentNews demographic is unusually concerned with privacy. Unfortunately, with almost any other demographic, the reaction to a user-friendly privacy policy is almost always "meh".

  • (Score: 4, Insightful) by sjames on Wednesday October 11, @03:38PM

    by sjames (2882) on Wednesday October 11, @03:38PM (#580517) Journal

    As long as the policy is subject to change after the fact, it is worthless. Especially when the "display department" is as described by Douglas Adams.

  • (Score: 3, Insightful) by Anonymous Coward on Wednesday October 11, @04:12PM

    by Anonymous Coward on Wednesday October 11, @04:12PM (#580541)

    The first principle is...

    There's a thing you need to understand: companies want their policies to be impenetrable because they are used to fuck over their users, their products, their partners and everyone else they can fuck over. These things are written by lawyers who always ask the same thing: "how can we constrain the other guy while giving us free reign?" or "you may not want to do X now, but what about tomorrow... you don't know whether you'll want to do that tomorrow. Don't lock yourself out from doing that tomorrow and enshrine this into this policy". They embed things like "and we can change this whenever we feel like it" or "in case of a dispute, someone who works for us will decide on the matter (and in our favor)" for these types of reasons.
    There's a very good reason why these policies are always in ALL CAPS because it makes them even less comprehensible.

    You've identified a valid problem, but you're going about the wrong way to try to solve it!
    Good luck finding companies that actually take your advice and incorporate it into their practices! I'm not holding my breath...

  • (Score: 2, Insightful) by Anonymous Coward on Wednesday October 11, @04:48PM (4 children)

    by Anonymous Coward on Wednesday October 11, @04:48PM (#580566)

    Nobody Reads Privacy Policies – Here's How to Fix That

    letmestopyourightthere

    Have they ever seen people use a computer? Nobody reads two-word dialog boxes.

    Users don't read anything. [joelonsoftware.com]

    • (Score: 4, Funny) by frojack on Wednesday October 11, @05:17PM (1 child)

      by frojack (1554) Subscriber Badge on Wednesday October 11, @05:17PM (#580586) Journal

      Users don't read anything.

      TL;DR

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by maxwell demon on Wednesday October 11, @07:12PM (1 child)

      by maxwell demon (1608) Subscriber Badge on Wednesday October 11, @07:12PM (#580710) Journal

      OK, then let's make it with images. I mean, the standard policy is "we get everything, you are fucked." I'm sure that can be put into an easy to understand picture. ;-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Thursday October 12, @10:40PM

        by Anonymous Coward on Thursday October 12, @10:40PM (#581400)

        It's been done. You'll find the picture over at http://goatse.cx/ [goatse.cx]. The only thing that picture is missing is the sentence "this is what we expect from you when you do business with us"

  • (Score: 0) by Anonymous Coward on Wednesday October 11, @04:56PM

    by Anonymous Coward on Wednesday October 11, @04:56PM (#580571)

    This articles solution won't work. Greed drives companies and the only way to convince them to make a decisions will be if it affects their bottom line.

    We would need privacy laws that protect citizen's privacy and are enforced with punishments that kill a companies bottom line. Having national rules instead of per company rules would also make it easier for people to understand (i.e. one or several sets of rules instead of a huge number that can change at any time). Getting this done on a national level would be difficult as the Democratic party is sold out to corporations and the Republican party is sold out and seems to actively hate the majority of the country's citizens. But this would be part of the best solution.

    Technical solutions blocking identifying information, like those mentioned in comments above, would be good in any case.

  • (Score: 2) by crafoo on Wednesday October 11, @05:15PM

    by crafoo (6639) on Wednesday October 11, @05:15PM (#580584)

    Everything you do online is collected, categorized, and associated with your real name. It doesn't matter if you are using public wifi and TOR. It's just a minor speed bump in the automated collection and profile building algorithms. It doesn't matter what the privacy policy is that you clicked through. The information will be sold and abused to make money, cc'ed to the NSA & FBI, and then made available to even the most disinterested, unmotivated hacker bored and trolling around on a Sat. night.

  • (Score: 2) by NotSanguine on Wednesday October 11, @07:17PM (2 children)

    by NotSanguine (285) Subscriber Badge on Wednesday October 11, @07:17PM (#580716) Homepage Journal

    Here's the (sanitized) privacy policy I (IANAL) wrote for a website I created. I think it balances the privacy of users with shielding the website owner(s) from liability:

    [Website] Privacy Policy

    No personal information* will be stored on the https://www.[website] [www.[website]] web server (except as specifically authorized), and every effort will be made to protect the integrity and privacy of such information.

    [Website], its management or assignees will never sell personal information collected on this site, nor will they use such information for purposes other than specifically related to the operation of the [Website] website and/or to facilitate the dissemination of information regarding [business] and other group activities related to [members] and other [group] related group activities.

    Under no circumstances will street address or telephone number information be stored on the www.[website] by [Website], its management or assignees.

    [Website], its management and assignees will never, under any circumstances reveal email addresses, street addresses and/or telephone numbers to anyone without explicit authorization. From time to time, [website] may offer services to allow [members] to contact each other. For these services, [Website], its management and assignees makes no warrantee of fitness for any purpose, including maintaining the privacy of users' personal information.

    All personal information will be held in confidence and will only used for the purposes of the [business]s and official [membership organization] business.

    This business includes (but is not limited to) providing personal information for inclusion (by the [membership organization]) in a [other compilation] to be published at a later date. If this published work is then used for illegal and/or nuisance purposes, [Website], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

    If a subscriber (limited to members of [group]) chooses to share their personal information with other subscribers via any mechanism made available through the [Website] web site, mailing list or other conveyance provided by [Website], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

    Under no circumstances will [Website], its management or assignees be liable or otherwise legally responsible for the theft, misuse or other unauthorized use of personal information.

    Any person or entity registering on, providing contact information, or subscribing to the [Website] web site explicitly agrees to all the terms of this privacy policy.

    This policy applies to the www.[Website] web site and the [Business]@[Website] mailing list.

    If any portion of this policy is found, by any competent jurisdiction, to be invalid or unlawful, the remainder of this policy will continue to be in force.

    The terms of this policy may be modified at any time at the discretion of [Website]. It is the responsibility of the subscriber to review the terms of this policy on a regular basis. Current versions of this policy can be found at https://www.[website]/privacy.html. [www.[website]]

    *Personal Information: Data such as street address, email address and telephone number which would enable direct contact with the subject of that information.

    The above would need to be modified to support different business models, but the basics should be retained:
    1. Website will *not* share data with *anyone* without authorization;
    2. Website will *not* store personal information on the site;
    3. Website will make every effort to secure personal information;
    4. Website will not be liable for the release of personal information by others.

     

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 0) by Anonymous Coward on Thursday October 12, @12:55AM (1 child)

      by Anonymous Coward on Thursday October 12, @12:55AM (#580883)

      Your policy is worthless to the users. Terms can be changed at any time without notice. "specifically authorized" isn't defined nor limited so management can authorize anything regardless of what the rest of the policy says. Who stores data mining data on web servers? You transfer that data onto other servers, your policy doesn't prevent that. You try to disclaim any liability for your own screw ups, so even if you had a good policy you just told everyone you don't have to follow it. Etc... Your policy sucks. Get one reviewed by a lawyer next time.

      • (Score: 2) by NotSanguine on Thursday October 12, @01:02AM

        by NotSanguine (285) Subscriber Badge on Thursday October 12, @01:02AM (#580886) Homepage Journal

        Thank you for your input.

        Go ahead and try to sue me. See how well that works, friend.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 2) by driven on Wednesday October 11, @08:18PM

    by driven (6295) on Wednesday October 11, @08:18PM (#580771)

    Simple shortcut: If the software you are using provides a privacy policy, ask yourself: am I willing to give up my privacy for this software? Weight it against what you're doing and make a decision. Software that doesn't spy doesn't have a privacy policy you need to click through.

  • (Score: 0) by Anonymous Coward on Thursday October 12, @01:10AM

    by Anonymous Coward on Thursday October 12, @01:10AM (#580891)

    Not necessary for the specific transaction strangely absent but collect it all is the motto of who now?

  • (Score: 2) by opinionated_science on Thursday October 12, @09:49AM

    by opinionated_science (4031) on Thursday October 12, @09:49AM (#581057)

    that's what I would call it - you hold personal information you are liable - and if you sell it , you are liable. If it is released , you are liable.

    Go read about HIPPA, it's why you still fill out paper at your Dr's offices.... but the insurance company happily sell your information to anyone.

    If the "equifax" hack shows anything, there is not anywhere enough liability around holding personal information....

  • (Score: 0) by Anonymous Coward on Thursday October 12, @10:05AM

    by Anonymous Coward on Thursday October 12, @10:05AM (#581062)

    Many users don't care much, as they are powerless to any of it except maybe not use it. To tip that balance, the users need negotiating power, to e.g. approach an ISP that they don't like the fine print in their standard contract and want it removed.

    I can't really think of a solution here, but maybe the next two points may do something:
    1. Making the companies responsible for the data they collect. (e.g. if that data is stolen from the company, it should be handled as the company violating the privacy of it's users, with fines in the form of compensation to those users.)
    2. Make it illegal for companies to sell personal information without informed consent from the user for each entity they sell the data to. E.g. company has a bunch of data and wants to sell it to corp X, they have to get agreement from all users to sell their data to corp X.

(1)