I spend most of my free time working on Privacy Commons, and so I was excited to see Christopher’s post and critique on the subject. Thanks as usual, Christopher, for your thought-provoking questions and observations. Likewise, Aza, CUPS, and Ralf Bendrath. Great work—each of you. I want to pick each of your brains sometime. I also want to apologize in advance for any incomplete sentences or thoughts. This is a slapped-up post.

Some Problems With Privacy Policies

As Christopher, myself, and many others have pointed out, the problems with privacy policies are myriad. Here are a few:

• Inaccessible or Unintelligible. many privacy policies are not easily understood or even physically accessible; so complicated and wrapped in legalese that they are “nigh useless” to the average consumer.
• Complicated Solution. Unless we’re careful, a Privacy Commons may end up equally or more complicated than the status quo.
• Non-Standard. Privacy Policies are not standardized, making it impossible to compare apples-to-apples.
• Incomplete. They often fail to address important privacy issues or fail to consider all potential parties
• Unsophisticated. Many boilerplate privacy policies demonstrate a fundamental lack of understanding of how privacy policies translate to privacy and business practices. Some simply don’t address the most salient issues, which may be unique to their industry. Consequently, many of the policies never translate to practice.
• Treated as Only Legal Documents. Privacy policies are often treated as “compliance” documents and relegated to the legal department. Consequently, many fail to address or actually contradict field practices.
• Privacy Waiver. Many privacy policies waive, rather than confer, privacy rights. The medical industry is extremely efficient at this practice.
• Technology-Dependent. Privacy policies which strictly enumerate technologies quickly become outdated in the face of emerging technologies.
• Non-Binding. Most importantly, US courts have consistently interpreted privacy policies to be unbinding notices, rather than contracts. As a result, privacy policies generally create no enforceable rights or enforceable expectations of privacy. In this sense, privacy policies can create a false expectation of confidentiality, privacy, or even fiduciary responsibility.

Some Assumptions About Privacy Policies

Based on my experience in technology, advocacy, and the law, I want to air some of my basic assumptions about Privacy Policies. Of course, I invite challenges to these assumptions:

1. Mitigate Liability. Privacy is the subject of dozens of laws and regulations. The present primary business case for developing, maintaining, and conforming to a privacy policy is to mitigate liability.
2. Inform Data Subjects. Data Subjects include consumers, employees, or any individual about whom information is collected, stored, or aggregated.
3. Empower Data Subjects. Mere information is not enough. A privacy policy which produces information overload without actionable intelligence is counter-productive.
4. Articulate Privacy Practices. For the benefit of both data subjects and the data stewards who must execute the privacy policy, it must explain and reflect real business practices.
5. People Don’t Read. Anything more than about two paragraphs will never be read. That’s why high-level iconography is so appealing (and achievable).
6. Must Be Easy-to Understand. Because people don’t read. Fewer words and easy-to-grasp iconography are better.
7. Short Policies Are Inherently Incomplete. Two paragraphs and pretty pictures may be sufficient to inform consumers on the portions of the privacy policy they find most important, but will always be incomplete. More on this below.
8. Adoption & Enforcement. A Privacy Commons must be optimized for adoption, rather than enforcement. That’s simply because despite the Federal Government, the states and the FTC’s regulation in the area, a privacy commons must be market-driven to be successful.
9. Sector-Specific. Different sectors/activities collect different sets of personal information, are regulated differently. In order to ensure that privacy policies are relevant, they must be taylored to specific activities.
10. Living Documents. A privacy policy which was correct six months ago may not be correct today.
11. Privacy Policies are Complex. Deal with it. Privacy Policies are complex, just like Creative Commons or the Telephone. More on that below.
12. Business Documents. Privacy Policies are business documents with legal, practical, business, and ramifications for corporations, their agents and employees, and data subjects.

Thinkers like Christopher Parsons worry that a Privacy Commons will be unnecessarily complex. Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what can be said in 300 and a handshake. It turns out that a simple handshake is not as simple as most people think. Behind each handshake there is a wide range of assumptions which are not as standard as one might believe. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are not as simple as we thought.

To demonstrate this point, we need look no further than Creative Commons. While the human-readable version of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Clearly the unnecessary work of a verbose lawyer who needed to justify his existence, right?

Not so fast. The full Attribution Non-Commercial Share Alike license covers a whole bunch of other stuff that consumers don’t usually take time to think about, unless of course there is a dispute. It’s only at that point that we’re glad we included it. The legalese version covers essential topics like media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, representations and warranties, limitation on author’s liability, termination, severability, waiver, and entire agreement, just to name a few. Consumers don’t (and shouldn’t) think about this kind of stuff when they proverbially “shake hands” with a licensee. Creative Commons is simple on the surface, but look under the hood and you’ll see the complexity necessary to create the elegance that most people associate with the CC licenses. Saying that the legalese version of a Creative Commons License (or Privacy Commons Policy) is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.

It’s like a telephone—an elegant piece of equipment which is exceedingly easy to use. The end-user only cares about a few things: Connectivity, line quality, cost, and accessibility. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about all of the other stuff so they can focus on the four or five things that consumers care about. The millions of miles of copper, routers, substations and central offices aren’t a “necessary evil,” they’re just necessary.

Some Conclusions About Privacy Policies

We’re just going to have to deal with the fact that privacy policies are complex, and will continue to be complex. The best solution (as I see it) is to do three things: ID c.

• Require Thoroughness. A Privacy Commons-compliant policy is thorough
• Identify Cultural Notions of Privacy. Identify culturally important notions of privacy, and embody them in easy-to-understand iconography. Christopher Parsons suggests these notions might center on Data Collection, Data Sharing, Data Identification, Data Tracking, Data Deletion, and Aggregation, which I think is a good start. And Ralf Bendrath offers these excellent icons, which are more elegant than any I’ve seen.
• Embody the Cultural Notions of Privacy in Iconography. Then let the legalese version fill in the (necessary) gaps.

A privacy policy which conforms to Privacy Commons requirements will be complete, informative, easy to understand, and easy to adopt. Like Creative Commons, Privacy Commons seeks to identify common cultural notions of privacy, and embody them in easy-to-understand policy frameworks, with simple high-level iconography.

Note: I usually blog on securitycatalyst.com and jeffreyneu.com, but this post doesn’t fit very well on either.