The public Internet has been around for about thirty years, and the browser-based, graphics-heavy consumer experience has been around for about twenty-five years. In the beginning, commercial websites operated without privacy policies.
Part of the reason privacy policies are confusing is that data privacy is not a precise concept. The definition of data depends on the context. Data could mean information about a transaction, information collected during your browser visit (including where you were before and after the visit), information about you or your equipment, or even information derived from analytics. other information. And we know that anonymized data can be re-identified in many cases, and even generic data collection can lead to one of many ways to identify a person.
The definition of data depends on the context.
The definition of privacy is also messy. An e-commerce business needs to capture certain information to fulfill an online order. In the era of connected objects, the company can continue to collect information on the object while the consumer is using it. This is true for equipment ranging from televisions to dishwashers to sex toys. The company probably uses this information internally to develop its products. It may use the data to market more goods or services to the consumer. It may transfer the information to other companies so that they can market their products more effectively. The company can provide the information to the government. This week’s New Yorker devotes several pages to how the word “privacy” brings together key concepts in US law, including secrecy and autonomy,1 and is therefore confusing for the courts and the public.
Last month, the Washington Post published an article by Geoffrey Fowler with the caption “Let’s abolish reading privacy policies.” The article notes a 2019 Pew survey claiming that only 9% of Americans say they always read privacy policies. I would say more than half of these Americans are lying. Hardly anyone ever reads privacy policies when first logging into a website or downloading an app. That’s not even really what privacy policies are for.
Fowler shows why people don’t read these policies. He writes: “As an experiment, I have compiled all privacy policies only for my phone apps. It totaled almost a million words. “War and Peace” is about half as long. And that’s just my phone. In 2008, Lorrie Cranor, a professor of engineering and public policy at Carnegie Mellon University, and a colleague estimated that reading and agreeing to all privacy policies on websites Americans visit would take 244 hours a year.
The length, complexity and opacity of online privacy policies are of concern. The best way to alleviate this concern would not be to eliminate privacy policies, but to make them less determinative of the most important decisions about descriptive data.
Limit companies’ use of data and we won’t have to fight over their privacy options.
Website owners should not be required to write privacy policies that are both detailed and succinctly readable enough for consumers to make meaningful choices about the use of data that describes them. This type of system obliges a person to be responsible for their own data protection and relieves the company of the responsibility to limit its use of the data. It’s like our current waste recycling system – both inefficient and polluter-backed, because rather than forcing manufacturers to use more environmentally friendly packaging, it pushes consumers to fix the problem at home, shifting the burden from industry to us. Similarly, if lawmakers provided a simple set of rules for website operators – here’s what you’re allowed to do with personal data, and here’s what you’re not allowed to do with it – then no one would read privacy policies to ensure our transaction data was spared from the worst treatment. The worst treatment would be illegal.
State laws are moving in this direction, providing simpler rules restricting certain uses and transfers of personal and sensitive data. We are early in the process, but if the trend continues regarding omnibus state privacy laws in the same way that all states eventually passed data breach disclosure laws, then we can be optimistic and we expect full coverage of online privacy rules for all Americans within a decade. or. But we shouldn’t have to wait for all states to comply.
Unlike data breach disclosure laws that encourage companies to comply only with laws applicable to their particular loss of data, omnibus privacy laws affect how companies conduct the normal course of day-to-day business. companies are beginning to build their privacy recognition functions around the lowest common denominator. It will just make economic sense for companies to give every US customer the same rights that most protective states give their residents. Why create 50 rule sets when you don’t need them? The cost savings of maintaining a single privacy rights recognition system will offset the cost of providing privacy rights to people in states that have not yet passed omnibus laws.
This won’t make privacy policies easier to read, but it will make it less important to read them. Then privacy policies can return to their primary function, providing a record of how a company handles data. In other words, a reference document, rather than a set of choices inserted into a cushion of legal terms.
1 Privacy law also confuses these meanings with obscurity in a crowd or in public.
Copyright © 2022 Womble Bond Dickinson (US) LLP All rights reserved.National Law Review, Volume XII, Number 175