This morning I got an email like this:
Hi [customer],
If your inbox is anything like ours, it’s recently been filled with emails like this one: a company updating its policies. You’re probably going to receive many more before May 25 because of a new European privacy law called the General Data Protection Regulation (or GDPR). Companies are updating their policies to meet GDPR requirements, and are sending their customers notices about the changes. Today, we are releasing our own updated Privacy Policy, which provides greater clarity and detail about the information we collect, how we use it, and how we comply with GDPR. […]
Our new Privacy Policy has added some detail around what you can do with data we collect about you, and how you can exercise your privacy rights. It also provides increased transparency around the different purposes for which we use this data. […].
I don’t appreciate the meta comment about getting lots of emails like this. Its only a reminder of something I despise, hardly welcome.
Though it got me thinking: What’s so wrong with this? Isn’t it nice that companies are updating their privacy policies to the benefit of consumers?
The problem I have with this process is the asymmetric power and burden. As a consuming customer, the only leverage I have is to stop using their service. That’s an all-or-nothing game I don’t want to play. For example, I despise many things about Facebook, but I’m not yet taking the only leave-completely option, since there’s still too many things that I don’t want to miss out on.
Given that its a good thing for companies to pay attention to their data use and make their policies public, how could we remove the current burden from customers, and shift it somewhere else?
Here’s some ideas:
- Companies have to provide a fact sheet, like insurance or investment products. On a single, well-formatted and readable page, list what data the company gathering, who its being shared with, how long its stored it and similar details. Optimize this for a quick read, in a standardized format (e.g., retention policy always in the upper-right box).
- Companies have to submit their updated policies to a 3rd party, that they need to pay to have their documents reviewed. The contact details and review date are then added to the full public policy, so that consumers with doubts about the companies policies can contact the reviewer and have them confirm the review. This 3rd party could use a low-effort support system like Intercom (you can handle a lot of requests with chat), to provide free answers, with a paid phone support in addition.
- Companies have to use standardized policy templates. ALL UPPERCASE LEGALESE IS STRICTLY FORBIDDEN. A clear and predictable structure makes it easy to find specific details.
- Companies have to provide diffs when updating their policies. To keep the diff simple, the updates need to be kept under control, too.
- Companies have to provide a machine readable version of the privacy policy, that your browser or a plugin can read and evaulate according to your preferences. The result could be displayed with an icon similar to the SSL-lock.
What I expect to happen instead:
- Many more emails like the one quoted above, with unstandardized, garbly long legalse policies, each unique as a snowflake, with most consumers never reading any of them; related German article on t3n.de
- An upcoming e-privacy law that ends up with even worse usability than the current cookie notification bullshit; further material in German
- More bad GDPR notifications