Saturday, 2 June 2012

Will people read a shorter privacy policy?

Recently, there have been a few statements made that take aim at how privacy statements and privacy policies are drafted. Essentially, the message is: make them shorter and simpler. Here are some of the statements:
FTC chair Leibowitz: Apps need simpler privacy statements: "They have to be like a nutrition guide on the side of a cereal box," he said. As a counter-example, he said that he recently saw a mobile privacy policy that required the user to click through 102 times to see the whole thing.

FTC Looks To Update Privacy, Ad Policies For Mobile, Social Era
Looks like a full-court press from the FTC.

To be honest, I question the effectiveness of the approach.

First, it fails to realise that people just don't read terms and conditions, statements or agreements. It does not matter how long they are, or whether they are drafted in plain English. Research shows only 7% of Britons read online terms and conditions. As I pointed out in a previous post, gamers have given away their souls, and 3,000 others missed the chance to get US$1,000 from an end user license agreement. Making them shorter will not make a difference. Just think about it: how many of us usually just scroll down to the bottom of the end user agreement, tick the check-box, and click "I agree" without reading the end user agreement? Will the majority of users read a plain English version (did you read PayPal's plain English agreement?) or a shorter version (Blogger's mobile app license agreement is quite short)? I have my doubts.

Second, not many people read nutrition guides either, and even if they read them, they don't read much of it. A study showed that only 26% of people say that they always look at nutrition labels. The study also showed that only 9% of a study group looked at the calorie count on a nutrition label, and only 1% looked at each of the other components. Clearly, the nutrition label is not a good analogy.

Third, when people want something, they will just get it, and terms and conditions don't really get in the way. It is not just small things (like online services or apps) but big ticket items as well (cars, houses, loans). Don't you remember Judge Richard Posner not reading the terms of his home equity loan? Sometimes, it is a function of there being no real choice. If you want the product or service, you have to agree to the terms. So, if you have no choice, you usually will not bother about reading.

Don't get me wrong though. I think some privacy policies can be simpler, and definitely consumers need more transparency. If there is a mobile privacy policy which required Chairman Leibowitz to click 102 times to get to the end, I think that is a bit of overkill (unless it was a really small screen he was using). However, I think having simpler privacy policies won't move the needle much in terms of transparency. Most people will not read them.

My view on this is that it is partially self-correcting. Trust is something which is built up slowly through numerous good and trust-engendering experiences. However, trust can be easily broken by one bad experience. Companies who are in the long haul of selling products and services (scammers and criminals are in a separate category by themselves) will soon find out that it is important to be very upfront (by whatever means) with their customers, and not to surprise them in a negative way. Think of SceneTap, where the CEO acknowledged that "unfortunately, I think I underestimated the controversial aspects of this technology and what the public’s reaction would be". It will take some time to build that trust again, but I am sure they have learnt the lesson.

Also, it would be more effective for customers to have the ability to customise their personal data sharing and interactions throughout the relationship with the company. I raised in a previous post the need for Android OS users to be able to change permission settings after installation of an app instead of the current situation where permission settings cannot be changed after installation. If regulation or jaw-boning is needed, then we need it there.

I have some further thoughts on how to improve transparency for consumers, and hopefully I will be able to share these with you in the near future.

2 comments:

  1. Derek, you're right to point out that privacy policies can't be made effective by making them look like nutrition labels. However, I wouldn't argue that it is because, like privacy policies, people don't read them anyway. It's rather because a privacy policy can't simply be compared to a nutrition statement: the latter enables consumers to make a fully informed choice about food products they want to eat, or not because they contain too much sodium/salt or too many lipids or glucids than their diet allows them to, and then to feel in control of their choice.
    In turn, neither a short privacy statement, nor a long one, will enable Internet users to take charge of protecting their own privacy, prevent the disclosures of their data from happening in the first place, or get full access to their personal information, the profile the company created about them and their related meta-data. This is because a privacy policy is not meant to give them that control. And you rightly point it out afterwards about the need to provide mobile users more control on their apps.
    Now, the 26% figure you refer to as people looking at nutrition labels seems to me a pretty good one since it refers to people who *always* read the labels and I assume there are many more who read them from time to time.
    Now, I'd be interested in learning about any difference that might exist between the way consumers in Asia are approaching privacy policies with their European counterparts. Hope to read you soon. :-)

  2. Cedric, thanks for your comments.

    Yes, I agree that privacy policies can't be compared with nutrition labels. I think forcing companies to make them look like nutrition labels will be unwise. Some others have pointed out that nutrition labels are measurable and quantitative in nature (% of fat, % of sodium, sugar, etc), whereas privacy statements are not. It would be hard to say anything useful in a privacy statement which looks like a nutrition label. That is, the danger is that it will be reduced to such a simple state that it no longer provides any useful information. As an aside, from a US perspective, I think the drafting/formulation of a privacy policy is important as straying outside of it may bring about an "unfair or deceptive" charge by the FTC - which may militate against the adoption of overly simplified nutrition labels.

    That said, promoting and protecting privacy of individuals requires a holistic view (which is why I like the privacy by design framework). So, I think that privacy policies can play a part (and would contribute to the element of transparency and respect for users in the privacy by design framework) and that they can be simpler (which again aids transparency).

    On that point, I believe that companies will find various ways to bring information disclosure/use notices to the attention of users (and it need not be in the shape or form of nutrition labels). For example, Zynga (besides having a long-form privacy statement) uses a simple game on their website to inform people about how the company uses or discloses information. To me, this layered approach is helpful.

    Giving control to users is also part of the privacy by design framework (i.e. respect for users), and I fully agree with you that the option of exercising control needs to be provided to the consumer. It remains to be seen however whether that control (or the implementation of that function of granting control) can overwhelm the user. Some people have critiqued the impending iOS v6 privacy functionality (http://www.pcworld.com/businesscenter/article/257928/why_apples_ios_6_privacy_protection_will_backfire.html)

    On your question about consumers in Asia: I have checked around and have not been able to find studies in Asia on this (I am still looking though :) ). My gut feel is that I don't think the experience will be any different in that the vast majority of people in Asia do not read privacy policies or contracts. It is human nature in general which cuts across cultures (you can check out my post on "All of these sites are doing their own thing" where I allude to the psychology of it). Though I think in some less-developed Asian countries, the experience may be worse than in the US or Europe as literacy (and more specifically English literacy) rates may not be high, and most terms and conditions and privacy policies are in English.
