Micah Sifry is the Co-Founder and Executive Director of Civic Hall, one of the driving forces behind the That’s Not Privacy campaign to bring transparency to online data use policies and practices.
Before you read this blog post, I need to ask: when was the last time you read a website’s “privacy policy?” I bet you never have.
I wouldn’t blame you—who does read those things? The answer is almost no one. And, to be frank, it would be a real problem if they did. If the average American read every “privacy policy” she encountered online in a year, she would spend about 30 full working days doing it, and would lose ~$3,534 in wages (in 2005 dollars).
Yet there they are—go look at the bottom of this very page (though please come back to finish reading!), and you’ll find a link to this website’s “privacy policy.” If you read it, you’ll likely discover that it really doesn’t have much to do with your privacy! In fact, it’s much the opposite; the “privacy policy” is merely a disclosure, required by law, of how this site collects information about you, how it’s stored, and with whom it may be shared. It’s important to know those things, but none of them amount to privacy, do they?
Again, if you’re surprised at what the policy actually covers, you are not alone. The majority of online Americans believe that the mere existence of a “privacy policy” on a website ensures that it keeps confidential all personally identifiable information (PII) it collects about its users. That’s the intuitive understanding: when something says “privacy policy,” it protects your privacy.
If these so-called “privacy policies” are so infrequently read (and often hard to read!), and misleadingly labeled, why are they so ubiquitous? In the United States, at least, it’s largely due to an obscure California law, called the California Online Privacy Protection Act of 2003 (CalOPPA). While the FTC began worrying about trans-border flows of personal data in the 1970s, it largely depended upon industry self-regulation into the 90s, during the advent of the internet. It was this California law of the 00s that spurred the spread of the mislabeled “privacy policy.”
Just like the “privacy policy,” the law is mistitled. It doesn’t actually require any protection of privacy online: websites can use whatever personally identifiable information they want, however they want, they just have to disclose the ways in which they do so. And the disclosure has to be “conspicuously available.” Throughout the statute, the disclosure is referred to as a “privacy policy”—and we believe that’s the reason everybody decides to call them that—but it doesn’t require that it be so called. While many attorneys we consulted were under the impression the term was mandatory, we actually found that the California Attorney General’s official guidance on these disclosures recommends making them “recognizable by giving [them] a descriptive title.”
So, today we say: let’s not call these disclosures “privacy policies.” Let’s call them what they are! We agree that the disclosure is very necessary, and that every user of every website deserves to know how his personal information is being exploited, if it is. But we think that the internet at-large needs to undergo a truth-in-labeling revolution, with every “privacy policy” being renamed a “data use policy.”
Under the auspices of Omidyar Network, Privacy International and Civic Hall have organized a campaign we call That’s Not Privacy. We are building a coalition of organizations who had “privacy policies” on their websites, but have relabeled those policies as “data use policies” or something similar. Our hope is that the attention this campaign garners can jumpstart a larger discussion about most internet users’ lack of real privacy online. Then we can start asking the institutions we interact with: how are we genuinely protecting privacy, rather than merely articulating some standard text at the bottom of a website?
So, check your website’s privacy policy. Should it really be called that? If not, join us! Read more about That’s Not Privacy and our current coalition at thatsnotprivacy.com.
To learn more about the That’s Not Privacy initiative, visit the coalition website here.
To stay up to date with the latest Markets For Good articles and news, sign up for our newsletter and follow us on Twitter.