...Even If You Don’t Read Privacy Policies.
To be fair, the GDPR was never intended to cause spam by a million policy updates, particularly having given businesses two years to get in touch with reality. However, procrastination is the human condition, misinformation abounds, and suddenly a ton of organizations think they need fresh consent to keep in touch as they update their policies (and hopefully, more than just their policies) to comply. Meanwhile, the resulting commentary has hit social media feeds and blogs: from approval, to wisecracking, to outright disdain over the whole process. "I don't care," shout voices from the online networks of Twitter, Facebook, YouTube and other platforms. "Who really wants to read all of these privacy policies anyway?"
Actually, some of us do, and that's the point.
Instead, think of a privacy notice like the list of ingredients on the grocery package label, as mandated by national food inspection agencies. If you want to sell food, you are required by law to include a label that tells the consumer what’s inside. Not everyone will bother to read the ingredients, but many will: it’s hardly uncommon for shoppers to run a quick scan of the ingredients and nutritional information before selecting products. Depending on diets, they may be looking for items higher in protein, specific vitamins, lower in sugar, fat, etc. Not that consumers always make choices based on health (the instant ramen under my cupboard would argue otherwise), but it does give us more power over what food we put in our bodies, and the ability to choose trade-offs, such as a low-sugar yogurt for breakfast in exchange for a cinnamon bun with the evening tea. Consumers, customers, clients, users, we want choice: the ability to understand what's really going on behind that tasty, attractive packaging and know what we're getting into.
The same goes when handing over our personal information.
Privacy notices offer individuals the same understanding and choice. You can choose to use a social network even though it can see your geolocation, you can choose one that doesn’t see where you are, or you can select one with the ability to shut off the tracking when you're not logged in. This doesn't mean we always pick the best option for our data, but we could if we wanted to. Like offering healthy alternatives, or environmentally friendly options: not everyone will care, and many will sign up or take home the device with the poor privacy reputation anyway, but those who do want better control over their data will go with other options, particularly once aware they are available.
A well-done privacy notice should support this: a clear, quick (as possible), easy-to-read heads-up on how your personal information is used, so an individual can decide if they trust the service or not and go about their merry way. Some good examples of positive privacy notices include Juro, Slack, and of course every tech-geek's favorite webcomic, XKCD. That's one item the GDPR is forcing organizations to step up on, and why the mass of email.
Article 12 specifically reads:
“The controller shall take appropriate measures to provide any information referred to in [Articles] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
In other words, the customer should be able to understand what you do with their information and how you will protect it, without having gone to law school first. Period.
Incidentally, a reminder that while critical to our understanding of privacy, having organizations establish clear notices on their services and products alone won’t dismiss the need for privacy laws. In order to protect individuals from misuse of their data, the GDPR and other globally changing privacy regulations are starting to dictate specific safeguards, processes and use of personal information, to keep residents safe. To return to the grocery analogy, if arsenic is an ingredient of packaged food, even if listed on the label, it won’t go over well.
Privacy is personal, no two ways about it: it relates to data about our personal lives and bodies, and depending on background, circumstances and the information itself, some will be comfortable sharing, some will not. If you decide not to read a privacy notice, that's fine, that's your choice. Emphasis, however, on your choice: someone else who wants to use the service may want a better understanding of what information is collected, how it gets used and who gets to see it, items which should all be laid out in the privacy notice deliberately. With a privacy notice in place, the decision is yours.