Thursday, September 04, 2008

Privacy policy readability

Most of us are now exposed to the privacy policies of many companies that we deal with, via annual mailings, clickthrough licenses, or pages on their websites. The cynical among us tend to think that these policies are carefully prepared with the intent that they not be understood.

This blog post by Erik Sherman supports the cynics' view.

See also this 2005 paper by Annie I. Antón, et al., focusing specifically on the privacy policies of health care organizations.

Updated 9/5/08 to add: See also this post on The Privacy Place.

Most Web sites display a privacy policy that describes the site’s privacy-related information practices. However, in spite of the many guidelines for the content and layout of these policies, privacy policy content inevitably differs from site to site, even in the presence of laws which would be expected to lead to some form of standardization. Because of the lack of standardization and the varied use of terms by each institution, the process of comprehending the meaning of the privacy policies proved challenging and tedious. While most Internet users are concerned with their privacy and how their PII is being used, the effort one must expend to fully discern the privacy practices of the nine institutions we examined is plainly unrealistic. For example, it took experienced analysts with the aid of well-defined heuristics and the PGMT an average of 1.5 hours to analyze each privacy document. For some institutions, it even required an entire day to fully understand how that institution handles sensitive information.

... Our findings suggest that law makers need to do a better job of considering how the introduction of law can benefit, or adversely affect, not only the ways in which sensitive information is handled but also how it affects the ways in which organizations choose to express these practices online. Moreover, the United States needs additional non-domain-specific legislation that broadly regulates online privacy and which protects the consumer rather than institutions.


Comment by Blogger Erik Sherman:

To be fair, I'm not sure that the policies are constructed to be misunderstood so much as being the product of business processes gone awry. Lawyers prepare these, and they are trying to cover every circumstance which could come back to bite their employers. Combine that with the observation that many lawyers don't write all that well after years of putting together one dense clause after another, and it's almost inevitable. To create a readable privacy policy, a company would have to have a writer put it together, and then restrict the lawyer to pointing out technical problems and not allowing them to rewrite the text themselves. But companies don't think this way; they just have the lawyers write such things because they've always done it that way.

3:27 PM  