Sunday, September 7, 2008

Perception of Privacy Policies

Here's some shocking news I learned via Bruce Schneier, apparently:

California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards.

The above quotation was taken from a paper entitled "What Californians Understand about Privacy Online." Because of the understanding which consumers (at least in California) have regarding the meaning of a "privacy policy," the authors conclude that "its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations." The vehicle for that limitation could be Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, the argument being that, if consumers believe that "privacy policy" has a certain meaning, then it is deceptive or unfair for a web site to say that it has a privacy policy when that policy doesn't conform to consumers' preconceptions.

My opinion is that, while the impulse to prevent people from being deceived by the label "privacy policy" is certainly understandable, limiting the use of the term "privacy policy" to situations which conform to consumers' preconceptions isn't a workable solution. The biggest problem is that consumers' ideas of what a "privacy policy" means aren't necessarily uniform. The paper is based on a survey of California consumers, but California is known for being at the forefront of privacy protection in the United States. What should the FTC do about differences between consumer understanding in California and in the rest of the country? Since the FTC Act applies nationwide, it would seem most logical to have a nationwide standard. However, if that nationwide standard is lower than the standard expected by consumers in California, wouldn't those consumers still be deceived by the label "privacy policy"? To me it seems that a better idea would be to allow businesses the flexibility to define their own policies. Businesses which wanted consumers to be aware of specific privacy-protective practices (e.g., not selling data to third parties, not storing personally identifiable data, etc.) could advertise them, while businesses which didn't care could put their policies behind a "privacy policy" link. While that might not protect consumers who don't take the time to read a web site's privacy policy, it would allow privacy policies to be tailored as appropriate to particular situations (e.g., banks might have more stringent policies than search engines), and it wouldn't put the FTC in the untenable position of trying to find a standard which is both applicable and appropriate nationwide.

