Archive for category Privacy

The Four Most Fundamental Challenges to Privacy of 2010

Electronic Information Privacy Center

EPIC Privacy 2010 Election Campaign Comments
Wednesday October 13, 2010; 8:30 – 10:00 AM
The Mott House, 122 Maryland Avenue NE

Thank you for having me here today. My name is Aaron Titus. I am an attorney and the Privacy Director for the Liberty Coalition. The Liberty Coalition works with more than 80 partner organizations from across the political spectrum on transpartisan issues to preserve the Bill of Rights, personal autonomy and individual privacy. The Liberty Coalition works with, but does not speak on behalf of our partners.

We have heard about several substantial policy issues today. I would like to focus on some of the underlying reasons that Privacy has an uphill battle. The Four Most Fundamental Challenges to Privacy in 2010 are:

  1. The False Notion that one can “Own” Personal Information
  2. The Failed Notice and Consent Legal Regime
  3. Erosion of the Definition of Privacy
  4. The Two Mortal Enemies of Privacy: Convenience and Fear


Crossroads

Many people don’t think of obesity as a disease, but rather as a moral failing. But Dr. Fatima Cody Stanford, instructor of medicine at Harvard Medical School and researcher and practicing physician at the Massachusetts General Hospital Weight Center, points out that obesity is a complex, chronic disease. Stanford’s recent fascinating and informative presentation explains how the body uses and stores energy, and describes the complex interplay of the genetic, developmental, hormonal, environmental, and behavioral factors that contribute to obesity.

Obesity isn’t just “calories in versus calories burned”
Obesity isn’t just about energy balance, i.e., calories in/calories out. “That’s simplistic, and if the equation were that easy to solve we wouldn’t have the prevalence of obesity that we have today,” Dr. Stanford explains. She goes on to say that not only is the energy balance theory wrong, but the focus on that simplistic equation and blaming the patient have contributed to the obesity epidemic. Stigma, blame, and shame add to the problem, and are obstacles to treatment. Indeed, over 36% of adults in the United States have obesity, and the world is not far behind.

She describes her research and experience in the treatment of obesity, including several cases from her own clinic. These are the cases that capture my attention, as they demonstrate most clearly the effects of different treatment approaches (and combinations) to obesity: diet and lifestyle (i.e. behavioral), medications, and surgery. Stanford has seen remarkable, long-lasting positive results with all, but she always emphasizes diet and lifestyle change first and foremost. The program (called Healthy Habits for Life) offered at the MGH Weight Center is a huge commitment, but it can help reframe a person’s relationship with food, emphasizing a high-quality diet, and not calorie-counting.

The components of a successful treatment for obesity
Abeer Bader is a registered dietitian and the lead clinical nutrition specialist at the center. She described the program to me in more detail: it’s a 12-week group-based education and support program with a structured curriculum and frequent contact with patients. The classes are 90 minutes long and led by a registered dietitian, and cover everything from the causes of obesity to healthy eating to debunking popular diet myths, plus recommendations for dining out, grocery shopping, meal prep, physical activity, and more. “The goal of the HHL program is to provide patients with the education, support, and tools to lead a healthy lifestyle.”

The diet they promote is loosely based on the DASH diet and the Mediterranean diet, as these eating plans are rich in vegetables, fruit, lean protein, and whole grains. They use the Harvard Healthy Plate to illustrate a healthy, well-balanced meal.

But it’s also a highly individualized program. “We work closely with the patient to put together realistic goals. I think the most important part of approaching goal-setting and behavior change is to first determine what it is that they would like to improve. Often as providers we tell patients what they need to do, but when you allow the patient to highlight an area that they would like to work on, you may see better adherence,” says Bader.

Other similar comprehensive programs have been shown to help patients achieve lasting diet and lifestyle change, lose weight — and avoid diabetes. The Diabetes Prevention Program helps those with obesity and risk of developing diabetes lose 5% to 7% of their body weight, and decreases their risk of diabetes between 58% and 71%.

Online Ad Networks Should Give Periodic PII PSAs

Dear FTC,
I’d like to propose the following idea to regulate online and behavioral advertising and networks: Any ad network which collects user information across more than one website should be required to occasionally display a Public Service Announcement (PSA) instead of an advertisement. The PSA should be a standard format and include a notice something like this:
“XYZ Corp collects information about your computer as you visit websites within our advertising network. You have a right to know how we collect this information, a right to periodically inspect, amend, or delete the information. We use the following methods to collect information:

  • Browser Fingerprinting [link to more information]
  • Behavioral Analysis [link to more information]
  • Cookies and Other Client-Side Objects [link to more information]
  • …etc.

We have collected the following information about this computer:

  • Browser History [click to inspect] [click to delete]
  • Screen Resolution
  • Operating System
  • Google search terms
  • Website Visit Length
  • …etc.”

There is a world of personal information flowing beneath our feet. My identity is bought, sold, analyzed and re-analyzed across the world in milliseconds. Notwithstanding that my identity is a passive participant in this shadow world, my fleshy identity is actively kept out.
Perhaps a periodic Personal Information Public Service Announcement might be a step to allow me to re-take control of my identity.


Draft NSTIC Request

The White House and Department of Homeland Security have recently released a public draft of the National Strategy for Trusted Identity in Cyberspace (NSTIC). The NSTIC outlines an ambitious identity management strategy for the United States, but public discussion has been extremely limited. The NSTIC is a very significant policy document which may have an impact on internet commerce, online speech, identity management, identity trust frameworks, and online anonymity. We, the undersigned, are concerned that the current public comment period is insufficient for a policy document of this magnitude and request an extension of the public comment period in order to pursue public dialog.

A policy of this magnitude should be given at least a 90 day public comment period. However, public discussion has been limited and the discussion period is almost over. Therefore, we request that the public comment period be extended for at least 30 days to facilitate more robust public discussion. We also request that subsequent public comment periods on this topic extend for at least 90 days.

We are concerned that the NSTIC is silent on an implementation timeline and other significant details currently missing from the draft. We request clarification on the agency’s proposed timeline and process. We also request an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.

We look forward to supporting your efforts to engage a robust public discussion on the NSTIC.


How to Avoid a Legal 500 Error with your Privacy Policy

Note: A version of this article originally appeared on the Security Catalyst Blog

Avoid a Legal 500 Error. Debug your privacy policy.


Legal Programming

By Aaron Titus

I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.

In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.


6 Things Every CEO Should Know About Privacy Policies

Note: This post originally appeared on The Security Catalyst Blog

Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.

Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation. The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of “Privacy Roundtable” discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.

With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company’s privacy policy.

Be Honest

Your mamma was right: Honesty is the best (privacy) policy. Be up front about what you do (or may do in the future) with your customer’s personal information. Many privacy policies make one of three “honesty” mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission. Each carries liability, so it is better to avoid any of the three.

Don’t over-promise. Your company may be held responsible for the representations in your privacy policy. Look out for phrases like “state-of-the-art,” “everything in our power,” or “our highest priority.” If your company really does use “state-of-the-art” technology to protect privacy, good for you. But you probably don’t, so be honest about it. While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.

Don’t under-promise. FTC guidelines and many state laws require that your company take reasonable and appropriate measures on a case-by-case basis. It may be tempting to try and disclaim all duties to protect your customers, especially if you’ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers’ privacy. Second, you may scare away potential customers, or invite scrutiny (as Facebook well knows). Third, FTC actions have indicated that businesses cannot take a “wait-and-see” approach to consumer privacy. Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if they have made privacy promises to their employees or customers.

Tell the whole truth. Another temptation is to remain conveniently silent on a privacy issue you’d rather not talk about. This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements. Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.

Be Complete & Conspicuous

Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date. The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes. California law also requires that a link to your company’s privacy policy be conspicuous. Most of the time, a link from the home page or in the footer will be sufficient.

A privacy policy is legally compliant when it addresses all of the various legal and regulatory requirements, but it is only complete when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think. For example, a typical University engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of their students. That’s why there can be no such thing as a “boilerplate” privacy policy.

Privacy Policy Must Reflect (Changing) Practices

Like Yin and Yang, privacy Policy and Practice are complementary and inseparable. One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers’ privacy. As FTC guidelines indicate, “Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.”

Get it Right the First Time

Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified. This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information “will not be shared with third parties without [customers’] explicit consent.” Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent. This can even apply to a transfer of personal information in a bankruptcy proceeding.

That’s why it’s important to get it right the first time. Your company’s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers. If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer. It matters.

If You Say it, Do it

We’re all familiar with the Miranda phrase, “anything you say can and will be used against you …” by the FTC. If you make a representation in your privacy or security policy, you’d better be able to live up to it. FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.

Each representation about privacy or security is treated as a “privacy promise.” Feel-good marketing fluff does not belong in a privacy policy, because even “fluff” can create duties or liability, even if the duty is not required by law. Explicit security-related promises (such as a promise to use “state-of-the-art technology”) require that the company take affirmative and ongoing steps to ensure that sufficient security is provided.

For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn’t. In recent years the FTC has taken similar action against Eli Lilly & Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.

If your privacy policy says it, then do it.

It’s Your Business

As a soon-to-be attorney, I can say that you should have a lawyer review your privacy policy. Lawyers help the privacy policy comply with legal and regulatory requirements, but it’s your responsibility to make sure that the policy is complete. In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.

If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&D. Without their feedback it will be impossible to document your important privacy practices and create a complete privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes. There is one sure way to get in trouble: Relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting. Banishing your privacy policy just to the lawyers may get you in trouble because the end result may be compliant, but incomplete. And ironically, an incomplete privacy policy is a non-compliant policy.

Take Charge

As a CEO, COO, or Managing Director, you should do three things:

  1. First, read your privacy and security policy. If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.
  2. Second, make sure you can live up to your privacy policy. Watch out for buzzwords like “state-of-the-art,” “everything within our power,” “always,” and “never.” Make sure that you haven’t painted yourself, your customers, or your employees into a corner.
  3. Third, update your privacy policy to reflect your business practices, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.


Highlights From the FTC’s Privacy Roundtable Part 3

Note: This article originally appeared on the J.C. Neu & Associates Blog

This is part 3 of highlights from the FTC’s December 7th Privacy Roundtable. Part 1 covered the panel on "Exploring Existing Regulatory Frameworks," and Part 2 covered the panel on "Benefits and Risks of Collecting, Using, and Retaining Consumer Data." This post highlights comments from "Consumer Expectations and Disclosures" and "Information Brokers."

Disclaimer: I took notes using my Twitter account. About halfway through the "Benefits and Risks" panel, Twitter decided that I was a spammer, and shut down my account. I was mad, and it meant that I did not cover the whole session.

Benefits and Risks of Collecting, Using, and Retaining Consumer Data

  • Lorrie Faith Cranor, Associate Professor of Computer Science, Carnegie Mellon University, commented on consumers’ state of ignorance regarding how information flows, much like an unseen underground river. "Most people do not understand how information flows," or "what a third-party cookie is."
  • Alan Westin, Professor Emeritus of Public Law and Government, Columbia University, referenced several of his studies which indicated that "…people are not prepared to equate [the need for] behavioral marketing with [funding] free services," and that "most people believe that they’re being abused," but there was general consensus that most people surveyed also believed that they were protected by law and regulations that do not actually exist. In the meantime, Mr. Westin’s research also indicates that most people are no longer willing to trade privacy for freebies on the internet, because of the disconnect between "free" services and the fact that personal information pays for most of it.
  • Alan Davidson, Director of U.S. Public Policy and Government Affairs for Google emphasized that the industry is trying to educate consumers and give them the tools they need in order to control their privacy, as evidenced by Google’s dashboard, for instance. He suggested that the audience Bing "Google Dashboard" for more information.
  • Jules Polonetsky, Co-Chair and Director of the Future of Privacy Forum, made reference to the results of several large surveys conducted by his organization. For instance, one indicated that there is a substantial public misconception about what "Behavioral Advertising" is. Among the handful of survey respondents who had heard the term, all of them mistook "Behavioral Advertising" for the concept of subliminal advertising. His organization is also attempting to generate symbols explaining how personal information is used, an approach endorsed by Privacy Commons and other groups.
  • My apologies to Joel Kelsey, Policy Analyst for the Consumers Union, and Adam Thierer, President of University of Pennsylvania, Annenberg School for Communication. Each of these individuals actively participated, but unfortunately I was unable to capture their thoughts because I was under a temporary Twitter ban at the time.

Information Brokers

Short editorial: This session was by far the least enlightening.

  • Jennifer Barrett, Global Privacy and Public Policy Officer for Acxiom, started off the panel by discussing what constituted "sensitive personal information." She replied that Acxiom classifies "sensitive information" as any information which could contribute to identity theft, whereas "restricted information" is an unlisted phone number, for example.
  • Rick Erwin, President of Experian Marketing Services explained that they consider information on children, older Americans, and self-reported ailment data to be "sensitive," adding that Experian has "three decades of experience using sensitive information for marketing," and is able to adequately balance the interests of marketers and consumers. Mr. Erwin also discounted the harms of marketing, saying "we can’t point to deep consumer harm based on bad advertising."
  • Pam Dixon, Executive Director of the World Privacy Forum disagreed. She contended that the definition of "sensitive information" is difficult at best because otherwise benign information can be aggregated to create sensitive information. In regards to health information, getting consent from consumers is almost illusory because consumers have no way of knowing how the information will be used in the future. Informed consent is impossible without telling consumers what "boxes" they will be put in. Consumers need the right to know on what lists they will appear, for how long, and they must have the right to revoke their consent. Pam Dixon contended that "we need to make Opt Out work for consumers," and that opting out should always be free.
  • In response, Jennifer Barrett insisted that the Information Broker industry needs no further regulation: "We’re already very regulated," she said.
  • Jim Adler, Chief Privacy Officer and General Manager of Systems for Intelius explained that they offer special opt-out services to government officials.
  • Chris Jay Hoofnagle, Lecturer in Residence at the University of California Berkeley School of Law was scheduled to participate but was unable due to technical difficulties.

The FTC has posted the webcast if you missed it.  The next Roundtable is scheduled for January 28, 2010 in Berkeley, CA and will also be broadcast online.


Highlights From the FTC’s Privacy Roundtable: Part 2

MENTAL HEALTH BENEFITS OF EXERCISE IN TEENS
Exercise can not only be used for physical health benefits but also mental health benefits. Regardless of age or fitness level, studies have shown that making time for exercise provides an abundance of mental benefits. As a teen, developing healthy brain function and mental health is essential. The health benefits of exercise in teens can eliminate the potential risk of mental illness, stress, poor self-confidence, memory, and many other things. An article by The Huffington Post discusses 6 different health benefits of exercise in teens and adults.

Reduce stress and increase relaxation. Taking a walk or getting a workout in at the gym is a great way to relieve stress. One of the most common mental health benefits of exercise in teens is stress relief. Working out can help manage physical and mental stress that may have been built up for a negative experience at school or stressful exam. Exercise can also increase relaxation, benefiting teens who struggle with insomnia or sleep deprivation.
Alleviate anxiety and depression. Exercise releases endorphins, which are natural chemicals in your body that create feelings of happiness. Studies have shown that the health benefits of exercise in teens can significantly improve depression or anxiety. Even just getting 30 minutes of exercise a few times a week can improve overall mood. Exercising with an anxiety disorder can actually help reduce symptoms in teens and allow them to calm down. Moderate-to-high intensity exercises can reduce anxiety sensitivity.
Improve self-confidence. Physical fitness can boost self-esteem and self-image. Exercising, regardless of size or weight can provide teens with a perception of his or her self-worth. Exercising outdoors can increase self-esteem even more. Finding an outdoor workout that fits your interests is a great way to meet people and build other skills in building up self-esteem or self-worth.
Sharpen memory and prevent cognitive decline. Doing sporadic physical activities can boost memory and learning. Researchers have linked children’s brain development with level of physical fitness. As we get older, our brains have a harder time processing or maintaining information. Another health benefit of exercise in teens, is that it reduces the chances of developing diseases like Alzheimer’s later in life. Working out at a young age boosts chemicals in the brain that prevent degeneration of areas of the brain that are linked to memory and learning.
Help control addiction. Exercise can help in addiction recovery. Exercise can effectively distract drug or alcohol addicts, de-prioritizing cravings. Exercise also helps reboot the body after going through negative effects from alcohol or drug abuse.
Get more done and tap into creativity. Researchers show that exercise on a regular basis creates higher levels of energy and productivity in more sedentary peers. Health benefits of exercise in teens can also boost creativity. Exercising outdoors or interacting with nature during exercise can create inspiration and creative thinking.


Highlights From the FTC’s Privacy Roundtable: Part 1

Note: This article originally appeared on the J.C. Neu & Associates Blog

The FTC’s December 7th Privacy Roundtable assembled a Who’s Who of privacy luminaries, academics, advocates, and industry players. This post highlights some of the more interesting comments from the meeting. I also tweeted the event (@aarontitus, #FTC #Privacy or #ftcpriv) and the FTC has posted the webcast if you missed it.  The next Roundtable is scheduled for January 28, 2010 in Berkeley, CA and will also be broadcast online.

The meeting consisted of five panels. This post highlights "Panel 5: Exploring Existing Regulatory Frameworks":

  • During Session 5, Intuit’s Chief Privacy Officer Barbara Lawler posited that existing regulatory frameworks unfairly place the entire burden on consumers to protect themselves. "Consumers should expect a safe marketplace. They shouldn’t be the ones to police the marketplace," she said.
  • Barbara Lawler also noted that "Data is never really at rest," because it’s moving between data centers and backups in multiple locations throughout the globe. It is therefore incorrect to think of data, especially Cloud data, as being in one place. Instead, "data is in one place and many places at the same time," potentially in multiple jurisdictions.
  • Evan Hendricks of Privacy Times and Marc Rotenberg of EPIC suggested that the current model of "Notice and Consent" has failed to protect consumers, and that the FTC (and legislation in general) should return to well-established Fair Information Practices (FIPs), including a prohibition on "secret databases." Mr. Rotenberg went so far as to conclude that Notice and Choice principles are not a subset of FIPs, but instead "stand in opposition to fair information practices." He also joked that "the best part of Gramm-Leach-Bliley Act is that you get paper notices you can tape on your window and get more privacy."
  • Ira Rubinstein of New York University School of Law proposed that self-regulation is not binary or "monolithic," and that a self-regulatory scheme would be preferable, especially if viewed as a "continuum, based on government intervention." He argued that self-regulation would be especially appropriate in the United States, which has traditionally been very friendly to e-commerce.
  • Michael Donohue of OECD gave an overview of international legal concepts of privacy, generally agreeing with Marc Rotenberg’s observation that "most countries have come to surprisingly similar conclusions about privacy."
  • J. Howard Beales of the GWU School of Business argued in favor of a "harm-based model," because it is impossible to reach the best solution without first defining the harm. Marc Rotenberg responded that privacy harms are almost never financial.
  • Several panelists emphasized that privacy can be highly (and appropriately) subjective. One cited an example from a balding friend of his, "I don’t care if anyone knows that I use Rogaine, but my 70-year-old grandmother would."
  • Fred Cate of the Center for Applied Cybersecurity Research emphasized that the Notice and Consent model is flawed because some activities should not be consentable. For example, one may not "consent" to be served fraudulent or misleading advertising. Likewise, some uses of personal information should be prohibited and non-consentable. Most importantly, Notice and Choice are only tools– not the goal of privacy.
  • After Panel 5 was done, Bureau of Consumer Protection Director David C. Vladeck said the FTC would investigate whether it is better to give consumers notice how their personal information may be used: 1. At the time of collection, or 2. At the time of use.
  • David C. Vladeck also said that the data broker industry warranted FTC attention because it is "largely invisible to the consumer."

More highlights on the other sessions to come.


My Thoughts About Privacy Commons

I spend most of my free time working on Privacy Commons, and so I was excited to see Christopher’s post and critique on the subject. Thanks as usual, Christopher, for your thought-provoking questions and observations. Likewise, Aza, CUPS, and Ralf Bendrath. Great work—each of you. I want to pick each of your brains sometime. I also want to apologize in advance for any incomplete sentences or thoughts. This is a slapped-up post.

Some Problems With Privacy Policies

As Christopher, myself, and many others have pointed out, the problems with privacy policies are myriad. Here are a few:

  • Inaccessible or Unintelligible. Many privacy policies are not easily understood or even physically accessible; so complicated and wrapped in legalese that they are “nigh useless” to the average consumer.
  • Complicated Solution. Unless we’re careful, a Privacy Commons may end up equally or more complicated than the status quo.
  • Non-Standard. Privacy Policies are not standardized, making it impossible to compare apples-to-apples.
  • Incomplete. They often fail to address important privacy issues or fail to consider all potential parties.
  • Unsophisticated. Many boilerplate privacy policies demonstrate a fundamental lack of understanding of how privacy policies translate to privacy and business practices. Some simply don’t address the most salient issues, which may be unique to their industry. Consequently, many of the policies never translate to practice.
  • Treated as Only Legal Documents. Privacy policies are often treated as “compliance” documents and relegated to the legal department. Consequently, many fail to address or actually contradict field practices.
  • Privacy Waiver. Many privacy policies waive, rather than confer, privacy rights. The medical industry is extremely efficient at this practice.
  • Technology-Dependent. Privacy policies which strictly enumerate technologies quickly become outdated in the face of emerging technologies.
  • Non-Binding. Most importantly, US courts have consistently interpreted privacy policies to be unbinding notices, rather than contracts. As a result, privacy policies generally create no enforceable rights or enforceable expectations of privacy. In this sense, privacy policies can create a false expectation of confidentiality, privacy, or even fiduciary responsibility.

Some Assumptions About Privacy Policies

Based on my experience in technology, advocacy, and the law, I want to air some of my basic assumptions about Privacy Policies. Of course, I invite challenges to these assumptions:

  1. Mitigate Liability. Privacy is the subject of dozens of laws and regulations. The present primary business case for developing, maintaining, and conforming to a privacy policy is to mitigate liability.
  2. Inform Data Subjects. Data Subjects include consumers, employees, or any individual about whom information is collected, stored, or aggregated.
  3. Empower Data Subjects. Mere information is not enough. A privacy policy which produces information overload without actionable intelligence is counter-productive.
  4. Articulate Privacy Practices. For the benefit of both data subjects and the data stewards who must execute the privacy policy, it must explain and reflect real business practices.
  5. People Don’t Read. Anything more than about two paragraphs will never be read. That’s why high-level iconography is so appealing (and achievable).
  6. Must Be Easy to Understand. Because people don’t read. Fewer words and easy-to-grasp iconography are better.
  7. Short Policies Are Inherently Incomplete. Two paragraphs and pretty pictures may be sufficient to inform consumers on the portions of the privacy policy they find most important, but will always be incomplete. More on this below.
  8. Adoption & Enforcement. A Privacy Commons must be optimized for adoption, rather than enforcement. That’s simply because despite the Federal Government, the states and the FTC’s regulation in the area, a privacy commons must be market-driven to be successful.
  9. Sector-Specific. Different sectors/activities collect different sets of personal information and are regulated differently. In order to ensure that privacy policies are relevant, they must be tailored to specific activities.
  10. Living Documents. A privacy policy which was correct six months ago may not be correct today.
  11. Privacy Policies are Complex. Deal with it. Privacy Policies are complex, just like Creative Commons or the Telephone. More on that below.
  12. Business Documents. Privacy Policies are business documents with legal, practical, and business ramifications for corporations, their agents and employees, and data subjects.


Thinkers like Christopher Parsons worry that a Privacy Commons will be unnecessarily complex. Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what can be said in 300 and a handshake. It turns out that a simple handshake is not as simple as most people think. Behind each handshake there is a wide range of assumptions which are not as standard as one might believe. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption—the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are not as simple as we thought.

To demonstrate this point, we need look no further than Creative Commons. While the human-readable version of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the legal version contains 3,384 words. Clearly the unnecessary work of a verbose lawyer who needed to justify his existence, right?

Not so fast. The full Attribution Non-Commercial Share Alike license covers a whole bunch of other stuff that consumers don’t usually take time to think about, unless of course there is a dispute. It’s only at that point that we’re glad we included it. The legalese version covers essential topics like media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, representations and warranties, limitation on author’s liability, termination, severability, waiver, and entire agreement, just to name a few. Consumers don’t (and shouldn’t) think about this kind of stuff when they proverbially “shake hands” with a licensee. Creative Commons is simple on the surface, but look under the hood and you’ll see the complexity necessary to create the elegance that most people associate with the CC licenses. Saying that the legalese version of a Creative Commons License (or Privacy Commons Policy) is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.

It’s like a telephone—an elegant piece of equipment which is exceedingly easy to use. The end-user only cares about a few things: Connectivity, line quality, cost, and accessibility. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about all of the other stuff so they can focus on the four or five things that consumers care about. The millions of miles of copper, routers, substations and central offices aren’t a “necessary evil,” they’re just necessary.

Some Conclusions About Privacy Policies

We’re just going to have to deal with the fact that privacy policies are complex, and will continue to be complex. The best solution (as I see it) is to do three things: ID c.

  • Require Thoroughness. A Privacy Commons-compliant policy is thorough.
  • Identify Cultural Notions of Privacy. Identify culturally important notions of privacy, and embody them in easy-to-understand iconography. Christopher Parsons suggests these notions might center on Data Collection, Data Sharing, Data Identification, Data Tracking, Data Deletion, and Aggregation, which I think is a good start. And Ralf Bendrath offers these excellent icons, which are more elegant than any I’ve seen.
  • Embody the Cultural Notions of Privacy in Iconography. Then let the legalese version fill in the (necessary) gaps.

A privacy policy which conforms to Privacy Commons requirements will be complete, informative, easy to understand, and easy to adopt. Like Creative Commons, Privacy Commons seeks to identify common cultural notions of privacy, and embody them in easy-to-understand policy frameworks, with simple high-level iconography.

Note: I usually blog on securitycatalyst.com and jeffreyneu.com, but this post doesn’t fit very well on either.
