Lorrie Cranor: Privacy Notice and Choice in Practice

Summary of Lorrie Cranor’s presentation in a panel on “Disclosure and Notice Practices in Private Data Collection” at Data Privacy & Transparency in Private and Government Data, April 4, 2014, at Benjamin N. Cardozo School of Law.

Lorrie Cranor addresses the audience as part of the “Disclosure and Notice Practices in Private Data Collection” panel at Cardozo Law on April 4.

Privacy policies are everywhere. Nearly every website you visit has one, detailing what information the site will collect from you and how it is allowed to use that data. The idea is that the privacy policy will serve as notice to the user as to what using the website means for the user’s privacy.

But have you ever read a privacy policy? Would you ever do it again? The fact is, most people ignore privacy policies altogether, clicking “I agree” to continue on using the site.

“We all know that nobody actually wants to read privacy policies,” Lorrie Cranor said on Friday, adding that for the average person, reading every necessary privacy policy would take 244 hours of time a year.

According to Cranor, who is an Associate Professor of Computer Science and Engineering and Public Policy at Carnegie Mellon University, part of the problem is the inherent user-unfriendliness of the standard block of text. Compare that, Cranor said, to a nutrition label on food, which presents information in a standardized format and language, with enough brevity to be useful at a glance but enough detail to cover all the necessary information.

Cranor presented what a nutrition label-style privacy policy could look like, a sort of chart detailing what type of info might be used, and how it would be used, a display that would offer a quick visual snapshot of how much data collection activity is going on. Such a chart would be easily compared to similar charts on other sites, allowing the user to make a decision between competing sites based on their respective data collection activities.

Other efforts to improve privacy policies have been thus far unsuccessful. Mozilla has tried to use icons, but the symbols are not intuitive and are difficult to learn. The P3P format has largely been circumvented. A study showed that the AdChoices symbol, which is intended to show that the advertisement you see is being displayed based on websites you have visited in the past, is widely misunderstood, with nearly half of participants believing that if they clicked the symbol it would take them to a site where they could buy advertisements.

A glimmer of hope, according to Cranor, can be seen in the financial privacy notices that accompany credit card bills and bank statements. In their new form, information on data collection and use is presented in a simplified chart form that is much more accessible to consumers and comes closer to actual “notice” than the brick of legalese that is most privacy policies. The next step would be to provide some method for consumers to compare privacy policies alongside the description of services, to allow consumers true informed choice in deciding which bank to use.
