The Problem With A 100-Word Privacy Policy

Last Thursday a new bill was introduced by California Assemblymember Ed Chau that seeks to cut legalese in online privacy policies to a minimum and give people easy-to-digest policies.

From the bill itself:

"The privacy policy required by this section shall be no more than 100 words and shall be written in clear and concise language at no greater than an eighth grade reading level. The privacy policy shall include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared."  Assembly Bill 242 proposed by California Assemblymember Ed Chau (D-Alhambra).

It sounds good. It really does. A privacy policy in 100 words or less, in simple language that even an eighth grader could understand. But is this a realistic answer to industry concerns, or just the latest in a slew of half-baked attempts by lawmakers to tackle the privacy issue? Does the bill have a chance of passing - and if so, would it be the answer to very public privacy problems? Maybe we've finally discovered the holy grail of privacy. But wait. Don't sip from the chalice just yet.

Caution

While it's true people often skip over lengthy policy documents because they're lengthy, limiting the number of words may do more harm than expected, by shackling and curbing just what developers and creators can tell consumers. And, long or short, people are going to skip disclosure policies.

That's not the issue with which we should be concerned. Our concerns should lie in just what personal data our feudal lords are sharing with third parties and what kind of data retention policies they're practicing. That's the inherent problem with our security. Not how long the text of the policy is.

Jim Fenton, the chief security officer of digital identity service OneID, says the data-use issue is the real problem with the bill, which "doesn't include information about how the recipient of the data may use it and how long any of the personally identifiable information may be kept."

Parker Higgins, a free speech activist at the Electronic Frontier Foundation, calls the new bill a "stunt, plain and simple." He says a word count basically guarantees writing a bad privacy policy for users.

"You can't write a good privacy policy in 100 words, but you can write a bad one," Higgins said. "It's a real problem that privacy policies are too long and hard for most people to understand. But a limit of 100 words is not a real solution. A privacy policy that isn't appropriately tailored to the actual data use is bad for users."

Higgins isn't the only one in the space who remains unconvinced. 

"This proposal is a bad joke, though it's not very funny," added Eric Goldman, an Internet law professor at Santa Clara University's School of Law.

Better Solutions

Goldman thinks the bill has a very low chance of passage and believes there are better options for shortening privacy policies. One is enacting new legal immunity to protect websites from being sued over what he calls "minor and inconsequential privacy breaches or omissions in a privacy policy" (ironically, most policies are written in legalese to fend off aggressive litigators, not to enlighten consumers). Goldman also cited efforts to develop logos and icons as ways to save space and eliminate text.

Brian Draves, OneID's general counsel, offers another option for improving the legislation. He posits that "a better solution would be to enforce a set of required disclosures at the beginning of each policy." Draves thinks this notification would be easier for consumers to understand than limiting text to word counts.

"Our goal is to engage the public by creating a dialogue," Chau wrote in an email to ReadWrite, encouraging interested parties to visit the Assemblyman's website. Such dialogue could improve this bill, or lay the foundation for something better down the road.
