California Wants to Make Online Privacy Policies a Little More Understandable

The Citizen's Guide to the Future
May 22 2014 5:15 PM

California Wants to Make Online Privacy Policies a Little More Understandable

Although 50 percent of Internet users are concerned about the amount of their personal information available online, getting them to actually read privacy notices is almost impossible.

And that’s not entirely their fault. Since the dawn of the Internet, the design of privacy notices has remained much the same—miles of dense print that it would take a heroic effort to read. In fact, Aleecia McDonald and Lorrie Cranor calculated in 2008 that it would take an individual American an average of 244 hours to read the privacy notices of all the sites they visit annually—and it’s doubtful that the situation’s gotten any better in the last six years.

Advertisement

Most sites also make it easy to ignore their policies and apps tend to serve their notices in such a way that users skip past them as quickly as possible. Admit it: We’ve all clicked “agree” without reading the privacy policy when downloading a Google Maps update.

But some states are pushing back. In 2003, the California Online Privacy Protection Act was the first law in the United States to require digital companies and websites to display a privacy notice and abide by it. And late last year, the act was amended to force companies to disclose details about their tracking of users across websites. To help companies comply with their new privacy notice requirements, the California Department of Justice’s attorney general, Kamala D. Harris, recently issued guidelines that outline recommended practices such avoiding jargon and being more specific about the type of information collected.

The California DOJ’s new guidelines also want websites to overhaul how they direct people to the privacy notice. They ask sites to use a clear link on their homepage, to “[m]ake the link conspicuous by using larger type than the surrounding text, contrasting color or symbols that call attention to it.” Or in the case of mobile apps, make the policy available on the platform page.

This is worthy advice (although the guidelines are not enforceable), but the main hurdle remains—getting people to read and understand the damn thing. Cranor, an associate professor of computer science at Carnegie Mellon University, wrote in a later paper: “Even when information is available, processing this information may be more burdensome than is feasible for a continual process that is supposed to occur in the background, as a secondary task as we go about our daily living.” To that end, perhaps we should be rethinking the manner in which we serve this information up to internet users?

The guidelines mention a few formats that might be useful: First, online privacy notices could be standardized into a grid format, much like the neat, digestible nutrition information labels we’re all familiar with. Listing, for example, the type of personal identifying information collected, the third parties it’s shared with, and how long it’s held for, for easy comparison with the policies of other sites.

There are obvious problems with the grid format, however—the sheer complexity of most privacy policies would be difficult to render so simply and these grids might not be particularly readable on tiny smartphone screens. However, it’s been suggested that the use of privacy icons that have the same meaning across platforms could be a useful compromise.  For example, Apple uses a geolocation symbol when any app is accessing a user’s location.

HT5467_03--system_services-001-en

So how about “just-in-time”, in-context pop-up notices, as the California DOJ’s guidelines also suggest (and as supported by the FTC)? Just-in-time notices serve up privacy information, one bite at a time. They’re usually accompanied by a consent request at the time the information is collected. This format would be particularly useful on mobile screens that don’t lend themselves to long text. And they could promote user understanding—according to a 2013 FTC study, in-context disclosures at multiple points allowed participants to better comprehend the implications of sharing information with the service.

Some companies are beginning to head in the direction of just-in-time notices. Facebook announced on Thursday that it would be using something similar—giving each of its more than 1.23 billion users a “privacy check-up” tool.

making-it-easier-to-share-with-who-you-want_2

Image from Facebook

Facebook’s announcement describes how the tool will walk users through steps to make it clear which apps have access to their data and what private information they’ve included in their profile. The tool will also have a public posting reminder that will ask people to reconfirm the audience they want to share their post with—whether friends-only, public, or otherwise—and a redesigned app control panel, where Facebook users will be able to manage their information-sharing permissions.

The extent to which these just-in-time privacy notices will be used by Facebook remains to be seen. Mike Nowak, a Facebook product manager, told the New York Times that Facebook is concerned that too many of such notices would be intrusive. “We don’t actually like to interrupt people because when they come to Facebook, they are there to interact with their friends, not us,” he told the paper.

But it’s worth pointing out—users are not on Facebook to share personal information with random advertisers either, so the company’s new delivery of privacy notices is a step in the right direction.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Ariel Bogle, a contributor to Future Tense, is an associate editor at New America.

TODAY IN SLATE

Politics

Blacks Don’t Have a Corporal Punishment Problem

Americans do. But when blacks exhibit the same behaviors as others, it becomes part of a greater black pathology. 

I Bought the Huge iPhone. I’m Already Thinking of Returning It.

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

Lifetime Didn’t Think the Steubenville Rape Case Was Dramatic Enough

So they added a little self-immolation.

Two Damn Good, Very Different Movies About Soldiers Returning From War

Medical Examiner

The Most Terrifying Thing About Ebola 

The disease threatens humanity by preying on humanity.

Students Aren’t Going to College Football Games as Much Anymore, and Schools Are Getting Worried

The Good Wife Is Cynical, Thrilling, and Grown-Up. It’s Also TV’s Best Drama.

  News & Politics
Weigel
Sept. 19 2014 9:15 PM Chris Christie, Better Than Ever
  Business
Moneybox
Sept. 19 2014 6:35 PM Pabst Blue Ribbon is Being Sold to the Russians, Was So Over Anyway
  Life
Inside Higher Ed
Sept. 19 2014 1:34 PM Empty Seats, Fewer Donors? College football isn’t attracting the audience it used to.
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Slate Picks
Sept. 19 2014 12:00 PM What Happened at Slate This Week? The Slatest editor tells us to read well-informed skepticism, media criticism, and more.
  Arts
Brow Beat
Sept. 19 2014 4:48 PM You Should Be Listening to Sbtrkt
  Technology
Future Tense
Sept. 19 2014 6:31 PM The One Big Problem With the Enormous New iPhone
  Health & Science
Medical Examiner
Sept. 19 2014 5:09 PM Did America Get Fat by Drinking Diet Soda?   A high-profile study points the finger at artificial sweeteners.
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.