> These are documents created by lawyers, for lawyers.
Except they bind normal consumers, not lawyers.
This is the law's version of the old softare forum 'RTFM' dismissal when people asked technical questions.
It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people. If a normal consumer needs to consult a lawyer before they sign up for Facebook, something has gone horribly wrong.
> It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people.
I agree, but by extension this is also true for all laws and legal documents. The fact that world still works with this situation (the laws which people are supposed to abide by are not really understandable to those same people) doesn't mean we don't have a problem to solve here.
>The fact that world still works with this situation
Depends upon what you mean by works? We have clear favoritism, nepotism, racism, sexism, etc. in how the existing system works. It isn't complete anarchy, but by that standard the most kafka-esque regimes still work.
I think we have massive room for improvements in both laws and contracts.
When reading your argument, I can't help but think about a stat a Polish journalist computed. At that point, reading the law at the pace it came out would take about four (or was it six) hours per day. That's assuming you read law as fast as prose and don't need to read the preexisting acts.
>> These are documents created by lawyers, for lawyers.
> Except they bind normal consumers, not lawyers.
> This is the law's version of the old softare forum 'RTFM' dismissal when people asked technical questions.
Thanks for pointing this out.
> It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people. If a normal consumer needs to consult a lawyer before they sign up for Facebook, something has gone horribly wrong.
Here's my secret hope that articles like this will force the opinion - and courts - to realize that these documents are worthless and shouldn't protect any company that abuses customer data from lawsuits.
Also for us Europeans I still look forward to seing consumer protection agencies here finally getting annoyed and starting to use their new GDPR claws.
> These are documents created by lawyers, for lawyers. They were never created as a consumer tool
This, I think, is the core issue. The Privacy Policy is seen as the same type of thing as the Terms of Service. Of course, this begs the question of why does there need to be two different documents.
GDPR has pretty explicitly tried to reverse this. The Terms of Service can be as legal-y as you want, but there must be a plain-language Privacy Policy for the data subject. We'll see how much that happens in practice... the regulators probably have much bigger fish to fry than unclear PP documents, but a fine for a separate issue could include "no one could understand this, so it doesn't count" as a way to side-step technical loopholes.
More importantly GDPR grants statutory rights that cannot be waived by a shrinkwrap agreement. Its only real weakness is that is does not grant a right of private enforcement, and national regulatory agencies are too understaffed to address even a small portion of abuses today.
> Its only real weakness is that is does not grant a right of private enforcement, and national regulatory agencies are too understaffed to address even a small portion of abuses today
Article 79, Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
> "no one could understand this, so it doesn't count" as a way to side-step technical loopholes.
In fact, the GDPR explicitly says any declaration that isn't intelligible and using clear and plain language "shall not be binding". Which means the service doesn't actually have consent.
Companies that think of their Privacy Policy as a “Legal” or “Compliance” function will have their lawyers write it, and it will be incomprehensible to users. That’s Legal’s job: to write documents for judges and other lawyers to read.
I’d argue that companies should think of their privacy policy as not a legal document but as a product feature, and let product managers (or whoever is responsible for feature ideas) write them. The audience then would be the user and the wording would more likely be understandable. Most companies’ product teams are better equipped to articulate the benefits and trade-offs to end users.
The problem is when product managers use language that is understandable to most people but leaves a lot of loopholes and results in lawsuits.
Writing legal documents is a lot like writing code— you are trying to leave no room for ambiguity (or bugs), need to cover all the edge cases, and the code is inevitably at least as complex as the domain in which it operates.
Depends on your legal system. It doesn't have to be letter of the law, which is how the US operates, leading to abominations of phrasing like "damages including but not limited to foo, bar, baz" etc. In other jurisdictions, spirit of the law is good enough, so you can just write "damages" and something like a reasonable person test is applied.
Example: In the US, rent agreements can be dense, 30 page affairs and still be legally binding. In Europe or Australia, 5 pages or less usually suffices, and longer documents may simply be ruled unreasonable.
I think there should be a law that puts the burden of proof that the user understood the privacy policy on the company. This way the company would have an incentive to make it as easy to understand as possible and to ensure every user understands what they're doing -- otherwise, if any user sues them over a privacy breach, the company has a high-risk of losing that lawsuit if the judge/jury determines it wasn't easy for the user to comprehend the privacy policy, as per the mentioned law.
GDPR sorts of does this, but I think it's only half-way there.
It's always about incentives. Companies have all the incentives in the world to make the privacy policies as complicated and obfuscated as possible, while also putting in there that basically the user gives up all rights and data the moment they see the company's website, so that they remove any responsibility they might have otherwise.
I don't think most users want to spend any time understanding privacy policies. If you made people take a quiz showing the understand what they're getting into (like when getting a driver's license), user signups would go down dramatically.
Plus this would probably be considered free labor and/or discrimination, like some people complain about captchas.
I think the GDPR is quite good, just not actually being applied. In fact, I'd say most or all of these are plainly invalid, since they don't present the request for consent "in a manner which is clearly distinguishable from the other matters", and they don't allow consenting separately for each purpose.
"For comparison, here are the scores for some classic texts. Only Immanuel Kant’s famously difficult “Critique of Pure Reason” registers a more challenging readability score than Facebook’s privacy policy. (To calculate their reading time, I measured the first chapter of each text.) "
I'm feeling an interesting mix of laughter and sadness. How can you not laugh at the ridiculousness of a privacy policy being less legible than "Criqiue of Pure Reason"? How can you not feel a tinge of sadness at the state of the world when this is not only acceptable, but expected?
Yet, it doesn't surprise me that privacy policies are generally hot garbage. And that's sad too.
The real measuring stick of readability should be The Silmarillion :)
There are plenty of ways privacy policies are bad, but I think the reading scores NYT is using from Lexile are a bogus criticism. From a reading length and vocabulary perspective, I don't see anything in the Facebook privacy policy that I wouldn't expect a high school student to be able to comprehend.
My main criticism of privacy policies is that, after reading them, you realize that there is practically no upper bound on how your data can actually be used. You give the company a key to your house, and it is up to them to decide if they want to trash the place.
>I don't see anything in the Facebook privacy policy that I wouldn't expect a high school student to be able to comprehend.
I think, vocabulary wise, yes. High school students should be able to read each word.
The problem is context and impact. Can the reader not only read the words, but understand them in the context of the entire document as well as in the context of their usage?
For example:
>"[...]we collect information from and about the computers, phones, connected TVs and other web-connected devices you use that integrate with our Products, and we combine this information across different devices that you use."
The words are easy to read. The meaning, however, is not. Most people don't take the time to learn how severe of an impact aggregating data has. It seems harmless to share two pieces of non-PII, until you learn that two pieces of non-PII may become PII when aggregated.
The test by Lexile claims to measure complexity, not just the legibility. However, I haven't looked into the test that much and don't have an opinion on its accuracy. That said, I don't think the average person can _understand_ the documents, even if they can read the words - which is the same conclusion reached in the parent article:
>"Even policies that are shorter and easier to read can be impenetrable, given the amount of background knowledge required to understand how things like cookies and IP addresses play a role in data collection."
I read the Silmarillion when I was 11. It's hardly challenging reading like dense and opaque German philosophy texts tend to be (I am looking at you, Wittgenstein).
> The BBC has an unusually readable privacy policy. It’s written in short, declarative sentences, using plain language.
This is good to know. Startups often adapt language for their own privacy policies from those of big companies (on the assumption that such policies are good/vetted).
Hopefully founders who read this article will turn to the BBC's policy when figuring out how to fashion their own.
They make extremely illegitimate claims about "needing" to collect your personal information to provide their "services". Which is absolutely untrue since they're a newspaper you could read completely anonymously with zero degradation to experience (except where they've deliberately hobbled that option).
> The New York Times is as bad at privacy as anyone
...and its dot in the charts in the article reflects that. Go diagonally up to the right from the Facebook dot until you are just about to leave the "college" reading level region, and you'll find the dot for the Times.
Do you suppose the author of this opinion piece wrote the New York Times' privacy policy?
Edit: some fair counterpoints to me, below. But publishing an opinion piece does not necessarily imply endorsement, and nor does it diminish the author's point(s) one iota.
I keep hearing this. Every time the NYT writes an article on X, while being a hypocrite on X, "Do you think the guy who wrote this was also in charge of X at the NYT?"
It's a valid counterpoint. The guy who wrote about X is not, usually, in charge of X. Agreed. The criticism, however, is not about the author - it's about the organization that endorses both the action X, and the criticism of X.
The NYT is an opinionated organization, not a public wall open to whoever wants to throw things at it. They have an editorial stance. When they write criticisms of X, they are implicitly - as an organization - criticizing X. When they do X themselves, they are - as an organization - implicitly endorsing X. When they wish to distance themselves from a criticism in an article, they explicitly point out - hey, this is an Op-Ed from such-and-such author, and doesn't represent the views of the NYT. When it's not an Op-Ed, and/or when it's not disavowed, they are saying: this article represents the views of the NYT.
The writer is not a hypocrite. The organization, however, is.
There's nothing illogical or invalid about holding the organization accountable for doing bad things, and for pointing out that the organization is trying to earn goodwill from the public by being "against X" while perpetrating the act themselves.
The linked article is in the Opinion section, so no, it does not necessarily reflect the stance of the NYT and accusations of hypocrisy are therefore unfounded in this case.
> The writer is not a hypocrite. The organization, however, is.
This is not how how a functioning news room works. That's not how any of this works. You don't check your individuality at the door. A good publication can and should promote well reasoned work, especially if it conflicts with the status quo or view points of other writes in the org.
Even assuming the New York Times or the author are hypocrites, that does not diminish their point.
I follow the news to get informed, not to measure the moral virtue of the media (except as it relates to the accuracy and representativeness of their reporting).
I think accusations of hypocrisy usually map to an insightful argument: "Hey, there's a reason people do that thing you object to, and it's usually a good reason, as demonstrated by the fact that, given all the options, you find yourself resorting to it. So, maybe instead of shaming people, you should be helping to isolate the reason and find a way to obviate it instead of just throwing stones."
To be fair, the New York Times' privacy policy actually is represented as one of those dots in the image (and it's not in a particularly good spot ... it's pretty close to the top):
I think this piece is about making people aware of privacy and pointing out that the platform you’re reading it on is one of the worst offenders is worth doing. As another commenter pointed out that the New York Times policy contains the entire Google privacy policy within it:
I don't suppose the author of this opinion piece wrote or controls any of the privacy policies they reported on. But they chose which privacy policies they were going to report on, and which ones they were willing to highlight in their article. Is it really an unreasonable ask of a reporter who is focused on privacy to also be willing to research the practices of the website that hosts them?
To be fair, of all the news organizations I have beefs with on privacy, the NYT has been doing a lot better in their reporting than their competition:
- They have a disclaimer at the bottom of this article linking to their own policy. They also include several news organizations (including themselves) in this dataset.
- Reporters have been willing to publish articles that talk about and link to (good) ad blockers like Ublock Origin, and acknowledge that they're an effective way to increase privacy.
- Their editorial staff has been (relatively) self aware about the NYT's privacy practices and appears to be talking about it internally.
Could they be better? Yes. Is it a weird omission that in an article that specifically calls out Google, the reporter doesn't mention that the current NYT privacy policy is both more complicated and longer than Google's current version? Yes. But comparatively, if I was going to call out any set of reporters on this, I wouldn't start with anyone working for the NYT. I think they're moving in the right direction here. This is a well written article.
In general though, it's not unreasonable to call out reporters for failing to look at or refusing to talk about the privacy policies of their employers in their articles. I don't expect them to force their tech teams to change things, I don't expect them to walk away from their jobs, and I don't expect them to lobby their bosses on my behalf. I just expect them not to ignore important, relevant parts of the stories they report on -- because shifts in privacy regulation are going to have huge impacts on things like news funding, and we need to talk about that.
> Is it really an unreasonable ask of a reporter who is focused on privacy to also be willing to research the practices of the website that hosts them?
And the article ends with the NYT's own message: "Like other media companies, The Times collects data on its visitors when they read stories like this one. For more detail please see our privacy policy and our publisher's description of The Times's practices and continued steps to increase transparency and protections."
Yep, I mention that - of the reporters/organizations that need to be called out on this, the NYT is low on my list.
In general though, I disagree that reporters lacking control over the platforms they use means that they're immune from this type of criticism. News organizations are a part of this conversation whether they like it or not, and there are no resolutions (legal or technical) that won't affect news sites. It's irresponsible for a reporter to ignore that.
When people call out the hypocrisy in articles like this, they're not blaming the reporter for their employer's data policies, they're blaming them for ignoring that those data policies exist.
It doesn't mean the reporter's points aren't valid, it does mean there's a dimension of the story they're ignoring, either through ignorance or through choice.
This wasn't published on Kevinlitmannavarro.com, and it's not his name on the big top-of-the-page header: it's an opinion column written by him but published by the New York Times under their banner. It's a pretty basic expectation for journalistic entities to address potential conflicts or hypocrisy. It's not a requirement, but is a reasonable complaint, and dismissals like asking if the opinion author wrote the privacy policy are beyond nonsensical.
Apart from that, addressing seeming hypocrisies in things that newspapers complain about but engage in is often illuminating: I recall an Atlantic(?) article complaining about deceptive ads that went out of their way to talk about their own likely serving of deceptive ads, describing the difficulty in knowing which ads you'll be serving given the byzantine web of sellers, resellers, exchanges, etc etc that Web publishers deal with.
They're a newspaper that charges customers to read it, which means they need to limit access to their services for people who haven't paid. Which means they need a way to distinguish paying users from non-paying ones. Which means that they have to have some idea who you are when you access their services, so they can tell which services you should have access to and which you shouldn't.
It's funny, you never see anyone arguing that Netflix is under some kind of obligation to let everyone watch their programming anonymously for free.
When they claimed it was necessary to support the service. It’s absolutely not. Newspaper ads are not targeted.
Anyway ads in any form still produce perverse incentives for a supposedly journalistic entity—I don’t know how anyone can read a newspaper that takes ad money and consider it unbiased.
>It's funny, you never see anyone arguing that Netflix is under some kind of obligation to let everyone watch their programming anonymously for free.
That's because we don't bother talking about it, it just gets done. Why waste time on a trivial situation? Instead, talk about the NYT which is an important cultural institution. Plus I can read a free copy at my local library, or at NYPL, anonymously.
> Plus I can read a free copy at my local library, or at NYPL, anonymously.
Now that would be an innovation: libraries providing access to commercial streaming-media services, through your library membership. Much like they provide access to scientific-journal subscriptions, or e-book services.
With the proliferation of different streaming services, it almost seems like an inevitability.
> Collection of personal information is necessary to delivering you the NYT Services or to enhance your customer experience.
I'll grant them delivery in some cases. They have to collect IP addresses, some browser details, info from HTTP headers etc. but they don't have to keep any of it for any longer than it takes to serve pages (although there are good and sane reasons for keeping some of that stuff for a while at least). What kills me every time is "enhance your customer experience" which I assume means present you with ads, track your usage to help us increase the number of clicks/page views/ad impressions, and sell your data to our "partners" who will spam/advertise to you relentlessly.
New York Times also abuses advertising, paywalls and page size. But the fact that they write about issues should signal that they still have some journalism integrity.
No, that's not what that means. An ad hominem attack is invalid because the target is simply being insulted or called evil in some way. "You can't believe Bill Smith: all the Smiths are no-good iron-pounding dummkopfs."
If the NYT calls other organizations out on their privacy policies without pointing out that their own is terrible, the term for that is a hypocritical omission.
>The vast majority of these privacy policies exceed the college reading level. And according to the most recent literacy survey conducted by the National Center for Education Statistics, over half of Americans may struggle to comprehend dense, lengthy texts. That means a significant chunk of the data collection economy is based on consenting to complicated documents that many Americans can’t understand.
How is this different to law itself? If we're going to argue that it's problematic for something as (relatively) inconsequential as privacy policies to be unintelligible, shouldn't we start with something more basic?
That the legibility of the law could and should be improved is a fair point. That said, humanity isn't incapable of concurrency - there's no reason to have to wait for the law before tackling privacy policies, which while a lesser issue, are also easier to change.
I’d argue that the vast majority of Americans would struggle to comprehend a basic cell phone contract, auto loan, or mortgage, which we routinely sign. The problem is that people have to pretend to understand/agree with something in order to receive a service. You should not have to agree to a deliberately incomprehensible document as a condition of receiving a service you pay for.
There's an ongoing study whose early results found that even if people read and understood privacy policies (for mobile apps), those policies are incomplete, wrong, or self-contradictory a decent chunk of the time: https://www.ieee-security.org/TC/SPW2019/ConPro/papers/okoyo...
It's hard to see privacy policies being written in good faith. In my opinion, they're little more than declarations of "I'm going to do all these sketchy things with your data, and it's your responsibility to protect yourself from me."
Whether or not they are incomprehensible, I worry more that most of them seem to boil down to:
"We can do whatever we want with any data we have about you. Your only alternative is to not use our services and not use any other business or organization that uses our services."
Any privacy policy that has the usual clause saying, "We can change this policy at any time by posting an update to our website," is saying essentially the above.
I suppose it would help if they were forced simply to put their policy in those terms - then more people might push back against it.
I have recently been wondering if, instead of a company having a privacy policy, they could instead use a privacy license. This way you could easily discern their stance on privacy from the name of the license. Not sure if anything like this exists or if it would be worth looking into.
This actually sounds like an interesting deal, as it would make figuring out what a company does with your data easier to understand, but I'm fearful of 2 main things:
1. It's still a battle to explain to non-technically minded people whether an image is Creative Commons or free use or to get them to understand that there are different kinds of CC.
2. It will mean there is less to read through, but many companies will still fit blocks together (ie. General Use+Advertising Third Party+Server Backup in Other Country) or resort to using a license that is more general than they need, but definitely includes the things they want to do.
It's a _really_ cool idea though, and I'm curious whether anyone has ever tried anything like it before.
Twilio does an excellent job with their Terms of Service and Privacy Policies. For example, their Terms of Service has a "plain english" version in a right hand column, along with the legalese in the right:
I'm not sure I see the benefit of that. If the plain English version is good enough to be legally binding and fully explanatory, they could just use it. If it's not good enough, but is still presented as part of the ToS, then it has the potential to introduce ambiguity that could override the legalese version. Either way, it makes the ToS somewhere between 25% and 50% longer than the legalese version alone.
But it is still maddeningly long. Even with the plain English version, who would ever read and digest that before signing up for Twilio (other than a lawyer)?
I'd hope who is about to build their business around the service and sign a contract in the name of their business to use it could take some time to read it... if not they shouldn't be signing their company up for it.
At the bottom it says, "By clicking the button, you agree to our legal policies."
Ignoring the ambiguity of that statement, it seems that someone can't even sign up for a free trial without agreeing to the full set of terms. Does that mean a business needs to make a complete legal review of the policies before an employee can sign up to _test_ the service and decide if they want to use it? How often does that actually happen?
If it's not going to be used in production, which a free trial presumably wouldn't be, then you probably don't need a full review of the terms although it would be a good idea to take care of it.
Working in healthcare, we have a privacy department that is adjunct to the legal department. It did an audit of all of my web sites last year and I was surprised to find out that they recommended that the privacy policies be removed from some of them.
The reason was simple: The sites in question didn't do any tracking. So if you're not gathering information, there's no need to warn.
If you do not track any user activity on your site, then perhaps there is not need to have a pop-up warning in your face.
But the fact that you willingly do NOT track user activity IS your privacy policy. The policy does not go away. As a user visiting a site, I would much rather have the policy accessible, even if it says that the website does not have any tracking enabled.
Edit:
And I'm surprised that a legal advisor would recommend to remove the policy entirely. Isn't it generally better to be explicit and forthcoming, rather than say nothing at all?
It's not that hard to read most EULAs and privacy policies, because they're usually plagarized from someone else's documents, and contain much the same clauses.
...Overreaching indemnification clause, bleah...disputes must be resolved in courts of Northern California, OK (Outer Nowhere, not so OK, offshore tax haven island, very bad) ... arbitration required under AAA consumer rules, not too bad (National Arbitration Forum was very bad) ... no class actions, all too common ... "sole discretion" termination, run away in a B2B context ... vagueness in what can be done with your data, all too common, and often where privacy rights go away ... mention of "affilates" having access, not good ... limitation of liability, common for ordinary websites but inappropriate for anybody you keep money with ....
After you read about ten of these things, a pattern emerges.
This really raises the question of what it means to "consent" to something. If you don't actually understand what you are consenting too, is it legally binding?
A meeting of the minds is no longer really a requirement in American contract law. You do not have to understand what you're being legally bound to. You don't even have to understand if your human rights are being signed away either.
The idea is that you have a meeting of the minds that the document you are signing contains the terms. If you could later argue that you didn't understand it and therefore shouldn't be bound, it would make contracts impossible to uphold.
Though I do think there should be some sort of loosening of the requirements for a contract to be found unconscionable or deceptive.
Not a lawyer, but I seem to remember reading somewhere that a lot of these user agreements aren't legally binding specifically because no one reads them and most people don't understand what they're agreeing to anyway.
I am not so sure about it. The contract might contain something substantially adverse to you and still be enforceable. For example, in some EULAs I saw a paragraphs completely forbidding you to compete with any products of the company.
I don't think it's really fair to compare a privacy policy to A Critique of Pure Reason. One is hard to read because it references laws and has a lot of boilerplate stuff that you can skip over, the other involves abstract philosophical questions that are difficult to consider in terms of the subject matter itself.
All or nearly all privacy policies are incomprehensible. The main exceptions appear to be European, or non-profit's.
Does this uniform incomprehensibility come from an identifiable root cause, or is it just emergent because of a variety of factors, not all of which afflict every company?
> These are documents created by lawyers, for lawyers. They were never created as a consumer tool
They are generally treated as the responsibility of the legal team, so they are written as legal documents. Companies treat them as a way to pro-actively defend against lawsuits (much like the Terms of Service), and not as a way to inform or educate users.
The reason why many readable privacy policies come from Europe is because GDPR makes it literally a legal requirement that they are written "using clear and plain language." Source: GDPR Article 12 https://gdpr-info.eu/art-12-gdpr/
I don't see why they can't just follow the example of open source licenses. GPL is powerful and complicated, but when you see something is GPL you know what you're getting into because you've seen it before. There are a handful of well-known policies that have varying levels of generosity, and anyone can always make up a new one -- but if they do it's a bit of a red flag and people will dig in to find out what it's about.
The problem with current policies is only partly that they're complicated, it also has a lot to do with them being snowflakes too.
Just by visiting your site, you are collecting my personal information (after all, GDPR says IP address is PII). So what are you doing with it, and how long are you keeping it?
GDPR does not say that IP address is PII. Among other objections, GDPR does not mention IP address, nor does it mention PII.
The current guidance on IP addresses is ambiguous, but my understanding is that an IP address on its own does not count as personal data. It can become personal data when it's used to create a profile. So if you only have the full IP fleetingly to serve web pages, and all logging wipes the last octet, there's no point where the data that you process counts as personal data.
GDPR doesn't get that specific, but the judges in the courts do.
In Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16, it was ruled that internet protocol addresses relating to visitors' use of websites constitutes "protected data" according to European Union laws.
My reading of that, and online commentary that I've found, seem to indicate that the IP address is not personal data across the board, but rather only in a specific context. I'm a little over my head in whether that specific context is "basically all the time" or not. It sounds like it only applies when you have the legal right to make the ISP give you subscriber info related to an IP address?
From that document and other reading, I think it's also when combination of information results in being able to identify a person. For example, dynamic IP address + timestamp is not enough for anybody but the ISP. But add in other information, for example HTTP headers, it might be unique enough.
Also, what they're saying is some things trump privacy. Legal requirements to keep logs. Legitimate interest, e.g. billing. Defending against cyber attacks. Using that information for other purposes is still a no-no.
TL;DR: IP address + other info often becomes PII, and there are some exceptional cases where it's legitimate to store PII despite privacy concerns.
Graphs done right! I can't imagine how this article could be better.
I wish they would make their privacy analysis tools available to the public. So you could plug in the URL of your favorite policy and see how it ranks.
Meanwhile, the New York Times privacy policy is also enormously long and unreadable. It even links to the Google privacy policies, saying that by reading the NYT you also have to be aware of the Google privacy policies, because the NYT uses both Google Ads and Google Analytics.
> It even links to the Google privacy policies, saying that by reading the NYT you also have to be aware of the Google privacy policies, because the NYT uses both Google Ads and Google Analytics.
In order to build apps on Google APIs, your end users are required to agree to Google's API terms. In this case I'm not sure they were required to do this, but it's pretty normal to have your users agree to third-party terms as part of your terms.
I spent a ton of time on making my site's privacy policy easy to read, while also discussing philosophy and some technical aspects, meant to be read by anyone who can understand simple English.
I did a similar, deeper review of less policies for my course work in Privacy Protection and Freedom of Information with some of the same conclusions around length & required reading level. It's worse than this though; Orgs like Facebook have dozens of documents that deal with what data they collect and how they will use it. Even identifying what comprises their "privacy policy" is a huge task.
Another massive issue: unilateral, largely uncommunicated changes. Stack Exchange used to have a very handy regular (read: legalese) policy and a parallel "plain language" version that I can't find anymore. They still have a relatively decent policy but that's only because the average quality is so low.
for context I was using Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's PIPA which is a scope similar to GDPR in many ways. PIPEDA is an interesting document; it's based on a set of expectations or statements that are decidedly "non legal" in nature which makes it very different from most laws
My understanding of the GDPR in Europe is that these policies inform consumers but do not bind them. There is a widespread practice to let consumers sign them everywhere but this piece of paper does not change much the requirements for the company under the law.
“These are documents created by lawyers, for lawyers. They were never created as a consumer tool,” Dr. King said.
"The BBC has an unusually readable privacy policy. It’s written in short, declarative sentences, using plain language. "
The BBC example shows that it is possible to write a readable policy, if a company cares to.