Tuesday, May 19, 2009

Human-readable privacy policies are good for everyone

I can't believe how many privacy policies are cut from the same tattered cloth and are written by corporate lawyers who are not concerned with people actually understanding them or in actually communicating the information that someone might be looking for in a privacy policy (CYA mode only).  I came across one that gets to the meat of the matters that should be important to anyone using an online service:
  • Who owns my data in your system?
"At drop.io, what’s yours is yours. Period. This Privacy Policy describes what little information we do collect from you (the “User”) as part of our web service (the “Service”), and how that information may be used and/or disclosed."
  • What are you going to collect and what are you going to do with it?
"Very little.  In fact, practically nothing.   You do not need to provide us with any personal information to set up free Drops. .... Although we know very little about you -- Drops are not totally anonymous.  When you visit our Service, some information is automatically collected, such as your computer’s operating system and browser type, version, and capabilities.  We also will track your Internet Protocol (IP) address and the time and date of your visit."
Now that is USEFUL information about data privacy that is understandable and I can get behind!

drop.io privacy policy

The typical corporate privacy policy is typified by:
  • No information on the specific _service data_ that is being collected
  • No information on how the specific _service data_ is being protected
  • No information on how to view or correct or expunge information stored about you.
  • No details on the exact list of information collected about you.
  • Generic platitudes about SSL as the panacea for site security
  • Mostly irrelevant discussions of client-side cookies that are too generic or marketing-specific and not website or service-specific
  • Generic information about marketing data collection and emails
  • Only information about _website_, not software or service security (data is not contextualized; but the lawyers are happy because they have a checkmark in the box next to "Write Privacy Policy")
  • Focus too much on opt-out for marketing.
No wonder people don't care enough about their privacy.  They aren't able to understand what companies are doing with their data.

To be fair, the companies writing the policies (if they are big enough) probably don't really understand very well what is being collected or used so they are forced to write generic policies.  It's hard work to actually catalog and enforce customer data tracking and most companies don't think they need to do this, and customers enable they by not demanding this level of accountability.

No comments:

Post a Comment