
posted by Fnord666 on Wednesday October 11 2017, @01:35PM
from the don't-make-them-100-pages-long dept.

The key to turning privacy notices into something useful for consumers is to rethink their purpose. A company's policy might show compliance with the regulations the firm is bound to follow, but remains impenetrable to a regular reader.

The starting point for developing consumer-friendly privacy notices is to make them relevant to the user's activity, understandable and actionable. As part of the Usable Privacy Policy Project, my colleagues and I developed a way to make privacy notices more effective.

The first principle is to break up the documents into smaller chunks and deliver them at times that are appropriate for users. Right now, a single multi-page policy might have many sections and paragraphs, each relevant to different services and activities. Yet people who are just casually browsing a website need only a little bit of information about how the site handles their IP addresses, if what they look at is shared with advertisers and if they can opt out of interest-based ads. Those people doesn't[sic] need to know about many other things listed in all-encompassing policies, like the rules associated with subscribing to the site's email newsletter, nor how the site handles personal or financial information belonging to people who make purchases or donations on the site.

When a person does decide to sign up for email updates or pay for a service through the site, then an additional short privacy notice could tell her the additional information she needs to know. These shorter documents should also offer users meaningful choices about what they want a company to do – or not do – with their data. For instance, a new subscriber might be allowed to choose whether the company can share his email address or other contact information with outside marketing companies by clicking a check box.

This article was originally published on The Conversation. Read the original article.


  • (Score: 2) by NotSanguine on Wednesday October 11 2017, @07:17PM (3 children)


    Here's the (sanitized) privacy policy I (IANAL) wrote for a website I created. I think it balances the privacy of users with shielding the website owner(s) from liability:

    [Website] Privacy Policy

    No personal information* will be stored on the https://www.[website] web server (except as specifically authorized), and every effort will be made to protect the integrity and privacy of such information.

    [Website], its management or assignees will never sell personal information collected on this site, nor will they use such information for purposes other than specifically related to the operation of the [Website] website and/or to facilitate the dissemination of information regarding [business] and other group activities related to [members] and other [group] related group activities.

    Under no circumstances will street address or telephone number information be stored on the www.[website] by [Website], its management or assignees.

    [Website], its management and assignees will never, under any circumstances, reveal email addresses, street addresses and/or telephone numbers to anyone without explicit authorization. From time to time, [website] may offer services to allow [members] to contact each other. For these services, [Website], its management and assignees make no warranty of fitness for any purpose, including maintaining the privacy of users' personal information.

    All personal information will be held in confidence and will only be used for the purposes of the [business]s and official [membership organization] business.

    This business includes (but is not limited to) providing personal information for inclusion (by the [membership organization]) in a [other compilation] to be published at a later date. If this published work is then used for illegal and/or nuisance purposes, [Website], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

    If a subscriber (limited to members of [group]) chooses to share their personal information with other subscribers via any mechanism made available through the [Website] web site, mailing list or other conveyance provided by [Website], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

    Under no circumstances will [Website], its management or assignees be liable or otherwise legally responsible for the theft, misuse or other unauthorized use of personal information.

    Any person or entity registering on, providing contact information, or subscribing to the [Website] web site explicitly agrees to all the terms of this privacy policy.

    This policy applies to the www.[Website] web site and the [Business]@[Website] mailing list.

    If any portion of this policy is found, by any competent jurisdiction, to be invalid or unlawful, the remainder of this policy will continue to be in force.

    The terms of this policy may be modified at any time at the discretion of [Website]. It is the responsibility of the subscriber to review the terms of this policy on a regular basis. Current versions of this policy can be found at https://www.[website]/privacy.html.

    *Personal Information: Data such as street address, email address and telephone number which would enable direct contact with the subject of that information.

    The above would need to be modified to support different business models, but the basics should be retained:
    1. Website will *not* share data with *anyone* without authorization;
    2. Website will *not* store personal information on the site;
    3. Website will make every effort to secure personal information;
    4. Website will not be liable for the release of personal information by others.

     

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 0) by Anonymous Coward on Thursday October 12 2017, @12:55AM (2 children)


    Your policy is worthless to the users. Terms can be changed at any time without notice. "specifically authorized" isn't defined nor limited so management can authorize anything regardless of what the rest of the policy says. Who stores data mining data on web servers? You transfer that data onto other servers, your policy doesn't prevent that. You try to disclaim any liability for your own screw ups, so even if you had a good policy you just told everyone you don't have to follow it. Etc... Your policy sucks. Get one reviewed by a lawyer next time.

    • (Score: 2) by NotSanguine on Thursday October 12 2017, @01:02AM (1 child)


      Thank you for your input.

      Go ahead and try to sue me. See how well that works, friend.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @11:57PM


        Exactly, you claimed it balances rights for the user and it doesn't.