Why All Those Privacy Policy Updates Are Essential
...Even If You Don’t Read Privacy Policies.
Burned-out by all the 'updated privacy policies' hitting your inbox as of late? If you've ever been online, ever signed up for the smallest service, network, web application or mailing list, odd are high you've received a more than a few alerts that an organization has made changes to their privacy policy. These emails range from quick updates with an option to unsubscribe to future contact, to outright desperate pleas for your continued patronage, requesting an opt-in to confirm your consent when sending future emails and using your personal data. Whether the company is actually required to re-engage your consent depends on how they've been using your personal data, but regardless, the European Union’s new privacy regulation has certainly placed privacy in the spotlight, even to those whom the law won't apply.
To be fair, the GDPR was never intended to cause spam by a million policy updates, particularly having given businesses two years to get in touch with reality. However, procrastination is the human condition, misinformation abounds, and suddenly a ton of organizations think they need fresh consent to keep in touch as they update their policies (and hopefully, more than just their policies) to comply. Meanwhile, the resulting commentary has hit social media feeds and blogs: from approval, to wisecracking, to outright disdain over the whole process. "I don't care," shout voices from the online networks of Twitter, Facebook, YouTube and other platforms. "Who really wants to read all of these privacy policies anyway?"
Actually, some of us do, and that's the point.
In the age where your information is often treated as a product up for sale, and organizations can make decisions for and about you based on your data, the number of users who want to know what they're getting into before they join on is growing. In Canada alone 41%, well over a third Canadians, do read the privacy policy before downloading a new app, with a whopping 51% refusing to do business with an organization over poor privacy practices. In Europe, where the GDPR originates, the numbers are significantly higher, with over 70% of European Union citizens refusing to sacrifice privacy over convenience or new services. Privacy, in other words, does matter, even if not all individuals or companies agree.
The reason the privacy notice exists is to set the standard for openness, to communicate with customers about data collection and use practices so that they can make an informed decision before handing over personal data. What’s the difference between a privacy notice and a privacy policy? A privacy notice is public-facing, to inform individuals over what happens to the personal information they provide when using a service; a true privacy policy, by contrast, is an internal document that tells staff who is responsible for protecting information, and how to go about doing it. Its commonplace however, for privacy notices to be listed as the ‘privacy policy’ when accessing websites, applications, devices and programs, which is why ‘we’ve updated our privacy policy’ is a common tagline you’ll have seen over the past few months. No harm, no fowl… so long as the organization is aware it also needs an internal document to instruct staff over what they can and cannot do with personal information they access. If the organization has a public facing policy but no such similar documentation on the inside, have I got some bad news on actual compliance to privacy laws.
It’s also important to highlight that because the notice is public-facing, it’s actually not supposed to be pure legal-ease. If the privacy notice looks like a keyboard went to law school and spit out all the course material, someone needs to do a re-write. A privacy notice is not, unlike a Terms of Service agreement, a legal document that protects different parties from harm. Clicking ‘I agree’ to a privacy policy that includes handing over one’s firstborn child in the fine text is not legally enforceable… at least, not to my awareness in Canada or countries within the European Union.
Instead, think of a privacy notice like the list of ingredients on the grocery package label, as mandated by national food inspection agencies. If you want to sell food, you are required by law to include a label that tells the consumer what’s inside. Not everyone will bother to read the ingredients, but many will: it’s hardly uncommon for shoppers to run a quick scan of the ingredients and nutritional information before selecting products. Depending on diets, they may be looking for items higher in protein, specific vitamins, lower in sugar, fat, et etc. Not that consumers always make choices based on health (the instant ramen under my cupboard would argue otherwise), but it does give us more power over what food we put in my body, and the ability to choose trade-offs, such as a low sugar yogurt for breakfast in exchange for a cinnamon bun with the evening tea. Consumers, customers, clients, users, we want choice: the ability to understand what's really going on behind that tasty attractive packaging and know what we're getting into.
The same goes when handing over out personal information.
Privacy notices offer individuals the same understanding and choice. You can choose to use a social network even though it can see your geolocation, you can chose one that does’t see where you are, or you can select one with the ability to shut off the tracking when you're not logged in. This doesn't mean we always pick the best option for our data, but we could if we wanted to. Like offering healthy alternatives, or environmentally friendly options: not everyone will care, and many will sign up or take home the device with the poor privacy reputation anyway, but those who do want better control over their data will go with other options, particularly once aware they are available.
A well done privacy notice should support this: a clear, quick (as possible) easy-to-read head's up on how your person information is used, so an individual can decide if they trust the service or not and go about their marry way.Some good examples of positive privacy notices include Juro, Slack, and of course every tech-geek's favorite webcomic, XKCD. That's one item the GDPR is forcing organizations to step up on, and why the mass of email.
Article 12 specifically reads:
“The controller shall take appropriate measures to provide any information referred to in [Articles] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
In other words, the customer should be able to understand what you do with their information and how you will protect it, without having gone to law school first. Period.
Incidentally, a reminder that while critical to our understanding of privacy, having organizations establish clear notices on their services and products alone won’t dismiss the need for privacy laws. In order to protect individuals from misuse of their data, the GDPR and other globally changing privacy regulations are starting to dictate specific safeguards, processes and use of personal information, to keep residents safe. To return to the grocery analysis, if Arsenic is an ingredient of packaged food, even if listed in the label, it won’t go over well.
Privacy is personal, no two ways about it: it relates to data about our personal lives and bodies, and depending on background, circumstances and the information itself, some will be comfortable sharing, some will not. If you decide not to read a privacy notice, that's fine, that's your choice. Emphases however, on your choice: someone else who wants to use the service may want a better understanding of what information is collected, how it gets used and who gets to see it, items which should all be laid out in the privacy notice deliberately. With a privacy notice in place, the decision is yours.
