Wanted: Privacy Policies Written for Human Beings

You know the biggest problem with online privacy? Online privacy policies.

As a concept, privacy isn't difficult to grok. People should have control over their personal information and how it is used. If they don't want it used, there should be a simple and permanent way to prevent that from happening. Period, full stop.

But reading the average privacy policy (and I've read literally hundreds) makes you want to lie down with a cool towel over your head until the pain passes. They are written by lawyers for lawyers, with little regard for what users can and can't understand. They can also be beasts.

Facebook's current privacy policy is a 5,888-word monster, or 1,404 words longer than the US Constitution. (Though, to be fair, Facebook has plenty of FAQs and other pages explaining its privacy policies that are a little less dense.) I guarantee you the only people who've ever read it are Facebook's attorneys and privacy wonks with a migraine.

If you want people to understand privacy, and maybe not be either so blasé or so paranoid about how their data is being used, we need privacy policies that human beings can understand.


I started thinking about this after I was recently contacted by the general counsel for StickK, a site that uses social networking techniques to help people "stickk" to goals, like losing weight or quitting smoking. I had written about StickK in a previous blog for Computerworld more than two years ago. I liked the service but hated the privacy policy, which gave StickK full rights to use your photos and videos as it wished, and reserved the right to share your information with third parties on an opt-out basis.

StickK: Guilting thousands toward self improvement since 2009.

(Remember, this is a site where people confess to being overweight, being addicted to drugs or alcohol, committing adultery, failing to floss, or any number of other personal shortcomings. Not the kind of thing you'd necessarily want buttered all over the InterWebs with your photo attached, or entered into a background check database.)

Shortly after my post appeared I got a response from StickK, which quickly changed its privacy policy and removed most of the language I objected to. It's rare to get that kind of response from any company, let alone such a rapid one, and I applauded them for it.

Fast forward two years. Through the magic of Google, my blog post on StickK is now the fourth hit on any search for "Stickk." And even though there's a comment at the end from StickK noting that it had changed its policies after the fact, the company wanted to add a disclaimer to the top of the piece.

So Computerworld added a disclaimer. No big.

But along the way I revisited StickK's privacy policy and found more things that disturbed and confused me. That led to another email conversation with StickK General Counsel Scott Goldberg.

Here's one example: StickK's Terms of Use still give it the right to use members' photographs and other information in advertisements, provided the use doesn't violate the site's privacy policy. StickK's Privacy Policy says nothing about any of that. So does StickK have the right to use my photos in ads or not?

Per Goldberg:

The rule for privacy policy interpretation is that unlisted methods of sharing are not permitted because a user cannot give consent to our sharing their information via a particular method when that user has not been asked or told about sharing via that method. Our privacy [policy] sets forth a specific, limited list of ways that the information can be shared, and advertising is not listed. Since advertising is not listed, use of PII in advertising is not permitted.

He went on for a bit after that, but that's the simplest, clearest explanation he provided to any of my questions.

Privacy policies like this are fine, if you happen to have a lawyer in your pocket at all times, and then maybe another lawyer to translate what the first lawyer said.

Otherwise they're not so fine. They're effectively useless. So here's what I propose. Keep the legalese for the lawyers, if you must, but boil it down to the essentials for the rest of us mere mortals.

The first time you visit a site or log into it, the site should display a pop up window with four bullet points listing:

* The personally identifiable information (PII) the site gathers. Name and address? Credit card? IP address and location? A simple list would suffice.

* What the site does with your PII. Will third parties have access to your data? Will advertisers?

* The ability to opt out on the spot. Don't like what the site is doing with your info? Click this link to remove your data or limit sharing.

* Want to dig into the minutiae? Here's a link to the longer legalese.

Simple, easy, effective, and no migraines. Is that really so difficult? I don't think so. What do you think?

UPDATE: After I first posted this, StickK's general counsel sent me an official response. Here it is:

We (and other responsible companies) take privacy issues very seriously and as a result we try to do all that we can to make our privacy policy as clear and as comprehensive as possible. In that vein we work with TRUSTe, the leading and most trusted privacy policy certification service on the web, to ensure compliance with standards and practices in the area; our privacy policy proudly displays the TRUSTe certification seal. Moreover, we have included our contact information right in our privacy policy, because we stand ready to answer and explain any question a user might have about how their information is retained and used.

But in short, and to be clear, stickK takes privacy issues very seriously and has not had a user issue to date.

ITworld TY4NS blogger Dan Tynan writes privacy policies while he sleeps, which may be why he always wakes up with a migraine. Visit his eHumor site eSarcasm or follow him on Twitter: @tynan_on_tech.

Thumbnail image courtesy rpongsaj/Flickr
