Millions of websites link to their “privacy policies” from their homepages. Most people are not aware of the policy, and a majority of those who do notice it think it means their privacy is protected while browsing.

Of course, in reality, the so-called “privacy policy” is merely a disclosure of some or all of the ways the website operator collects, retains, and shares with third parties personally identifiable information (PII). In other words, it’s actually a list of ways the user’s personal data are not private and not under their control.

Our Plan

Join us for a revolution in the way we engage people on privacy issues.

Civic Hall and Privacy International are recruiting a coalition of organizations that are committed to relabelling their “privacy policies” as “data usage policies,” or something in that vein.

Here’s who’s already joined:

(Logos shown on the original page): Access Now, BetaNYC, Boing Boing, Civic Hall, Common Cause, DWX, di, fftf, The Guardian Project, Privacy International, WITNESS

Will you add your org?

Sign the statement

We care about your privacy.

That’s why we are changing how we describe the policy on our website that explains how we collect and use your personal information.

It is not a “privacy policy.” That’s because, in fact, we do collect and use your personal information.

Today, literally millions of websites have links from their home pages pointing to their “privacy policies” because the law requires them to make their policies pertaining to the collection of personally identifiable information available, and calls for that link to be “conspicuously” posted. For years, websites have chosen to label that link a “privacy policy” because the law suggests that approach as one way to make the policy conspicuous. It does not require it, and in our view, using the word “privacy” actually misleads you.

To be clear, this doesn’t mean that we are changing any of our policies in regard to your data.

But it does mean we want you to know that if a site collects and uses your personal data, even just for internal uses, that’s not privacy.


Read our memo

We need a revolution in the way we engage people on privacy issues. We are somehow stuck in the 1990s where a privacy policy on a website is supposed to be the way to assure people that we care about privacy. With new technologies and services soon to be generating and collecting vast amounts of information, and analytics able to identify and discern great amounts of information on us, we need to get out of this rut.

In December of 2014, the Pew Research Center released a study revealing that 52 percent of online Americans don’t know what a privacy policy is.[1] A majority of respondents believed that “[w]hen a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users.” In reality it is merely a disclosure of some or all of the ways a company collects, retains, and shares with third parties personally identifiable information (PII). In other words, it’s a list of ways the user’s personal data are not private and not under their control.

At the same time, however, internet users are not entirely naïve: they know their personal information is being collected. Another recent survey found that 91 percent of American adults think “consumers have lost control over how personal information is collected and used by companies.”[2] So it is clear that while Americans are keenly aware about their lack of real privacy online, they incorrectly believe that so-called “privacy policies” constitute an effort to protect them and their personally identifiable information.

Joseph Turow, professor at the University of Pennsylvania’s Annenberg School for Communication, believes two main factors contribute to the confusion surrounding privacy policies:

  1. “Many people don’t actually read privacy policies; they simply look at the label. And the intuitive understanding—the cultural understanding—of the label is that when something says ‘privacy policy,’ it protects your privacy.”[3]
  2. “Privacy policies are often difficult to interpret, even to the small number of consumers who do try to read them.”[4]

There are existing efforts aimed at addressing Turow’s second concern. Most recently, in August, TIME magazine partnered with the Center for Plain Language to “assess, exalt and shame some of the world’s leading tech companies for how they’ve presented privacy information to millions of users,”[5] and the companies were rated on “how well they follow plain-language guidelines.”[6] In addition, there have been numerous attempts to develop privacy policy best practices, examples, and templates, all focused on making them more readable and understandable.[7]

But that still leaves the problem of consumers’ mistaken faith in anything labeled a “privacy policy.” We believe the time is ripe to begin a truth-in-labeling initiative. Policies that truly protect privacy are going to become even more important in the future of the Internet of Things, where we don’t necessarily interact with a company and share information through a website but rather through hardware and other services. We may not actually even know what information is being generated by our technologies. It will become even more critical for us to help people understand these issues, and companies and governments will have to reconsider how they communicate with the public. A first step is to get this old problem fixed. Then we can start having genuine and real conversations about the policies and practices companies and governments need to have to protect our privacy.

The idea

Our idea is simple: we will build a coalition of participating organizations who currently have “privacy policies” on their websites, that will commit to relabeling those policies as either “data usage policies” or (even clearer) “data usage and protection policies” or “how we use your information” all on the same day. In addition, these companies will sign a short statement, written by Civic Hall and Privacy International, explaining their actions. The statements will be collected on a new website, ThatsNotPrivacy.com, to be launched with a press release and conference call that garner attention to the cause.

To be clear, we are not asking companies to change the content of their existing policies. There is a greater debate going on as to what level of privacy is necessary online, now and in the future, what data should be generated and collected, how they should be used, and so on. That conversation is currently limited to the group of security experts, academics, and commercial and government entities that are party to it. Our hope is that this exercise in transparency and truth-in-labeling will help bring a much larger constituency—the public—into the fold. Then we can start asking the institutions we interact with: how are we genuinely protecting privacy, rather than merely articulating some standard text at the bottom of your website?

Legal requirements

Many people with whom we have already spoken have expressed apprehension about the labeling change, and are under the impression that the term “privacy policy” is required by law. However, that is not the case, even under the strictest statutes, those of California and Europe.

California law

The California Online Privacy Protection Act of 2003 (CalOPPA) requires that any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing[8] in California … shall conspicuously post its privacy policy on its Web site.”[9] The law also lists what information must be included in the policy (e.g., the categories of PII the operator collects and the third parties with which it may share the data).[10] Notably, though, it says nothing about what such a policy need be titled. Indeed, the privacy policy recommendations provided by the Attorney General of California suggest “[m]ak[ing] the policy recognizable by giving it a descriptive title.”[11]

What the statute does require is that the policy be conspicuously available. Because most websites don’t post their privacy policies on their homepage, they must link to the page wherein it is contained. This can either be done with an image or hypertext, and CalOPPA is clear on what those links must look like.

If the link is an image, it has to contain the word “privacy,” period.[12] If it’s text, however, there’s a little more leeway. In fact, the link need only do one of the following:

  • Include[] the word “privacy.”
  • [Be] written in capital letters equal to or greater in size than the surrounding text.
  • [Be] written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.[13]

According to the statute, as long as formatting distinguishes the link from surrounding text, or even more broadly, if the link is “so displayed that a reasonable person would notice it,”[14] it satisfies the conspicuity requirement.[15]

Finally, in addition to not being statutorily required, the label of “privacy policy” is less within the spirit of the law than “data use policy,” or something in that vein, as the stated purpose of a policy is to notify users of how their data are being collected and used, not to lull them into a false sense of “privacy” protection.

European law

Under European law, everyone has a right to the protection of their personal data, which can only be gathered legally under strict conditions, and for a legitimate purpose.[16] However, in addition to being outdated, the 1995 E.U. data protection rules were implemented differently in the 27 member states, so a reform process began in 2012.[17] That process is ongoing, so there may be imminent changes to the rules.

As of today, though, the European law says even less than U.S. law about what a purported “privacy notice” must be named. In fact, the description of what information must be given to a “data subject” does not prescribe at all how the information must be presented to him or her, only that the “data controller” must provide the following:

The identity of the controller and of his [or her] representative, the purposes of the processing for which the data are intended, and any further information such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, or the existence of the right of access to and the right to rectify the data concerning him [or her].[18]

Moreover, the Information Commissioner’s Office in the UK[19] calls the “privacy notice” term overly technical, and even suggests titling such a disclosure, required by the UK’s implementation of the 1995 EU rules discussed above, “how we use your information.”[20]

Why should you take part?

Discussion about privacy, especially online privacy, is taking the global center stage. The U.S. and E.U. are engaged in lengthy talks about transmittance of PII across the Atlantic Ocean. Debates about encryption and the mythical “backdoor” grow more fiery every day. The Snowden revelations have brought government snooping to the forefront of public awareness. Yet most people don’t realize what a so-called “privacy policy”—contained on virtually every website—is or does, and one of the reasons for that is simply that the label is misleading.

What they genuinely want to know is how their privacy is being protected, and how they may maintain control of their personal information in modern life.

There’s no reason for keeping the misleading label around. Increased transparency will not only harmonize concerns over real privacy around the world, allowing for increased international commerce,[21] but has also been shown to be a key factor that builds consumer trust in a company.[22]

So, join us for That’s Not Privacy! day! Be transparent about your data usage—show that you care about keeping your customers informed. We want to help you build a long-lasting relationship based on trust.


For this project, we consulted:

Fernando A. Bohorquez, Jr., Partner, Baker & Hostetler LLP
Geff Brown, Assistant General Counsel (privacy, data protection), Microsoft
John Frank, VP & Deputy General Counsel, Microsoft
Maria-Martina Yalamova, Associate, Covington & Burling LLP


References:

[1] Aaron Smith, Half of Online Americans Don’t Know What a Privacy Policy Is, Fact Tank (Pew Research Center Dec 4, 2014), online at http://www.pewresearch.org/fact-tank/2014/12/04/half-of-americans-dont-know-what-a-privacy-policy-is/ (visited Dec 16, 2015).

[2] Mary Madden, et al, Public Perceptions of Privacy and Security in the Post-Snowden Era (Pew Research Center, Nov 12, 2014), online at http://www.pewinternet.org/files/2014/11/PI_PublicPerceptionsofPrivacy_111214.pdf (visited Dec 16, 2015).

[3] Smith, Half of Online Americans quoting Turow (cited in note 1).

[4] Id.

[5] Katy Steinmetz, These Companies Have the Best (And Worst) Privacy Policies, TIME Magazine (Time, Inc. Aug 6, 2015), online at http://time.com/3986016/google-facebook-twitter-privacy-policies/ (visited Dec 16, 2015).

[6] Julie Clement, ed, Privacy-policy analysis (Center for Plain Language Aug 5, 2015), online at http://centerforplainlanguage.org/wp-content/uploads/2015/09/TIME-privacy-policy-analysis-report.pdf (visited Dec 16, 2015).

[7] See Information Commissioner’s Office, Privacy notices code of practice (Dec, 2010), online at https://ico.org.uk/media/for-organisations/documents/1610/privacy_notices_cop.pdf (visited Dec 16, 2015); Center for Information Policy Research, Ten steps to develop a multilayer privacy notice (Mar, 2007), online at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf (visited Dec 16, 2015).

[8] Emphasis added—the economic importance of California and the borderless nature of internet commerce extends the range of this statute globally.

[9] California Business & Professional Code § 22575(a). For convenience, the Act in its codified entirety is included in Appendix A.

[10] Id at § 22575(b).

[11] California Attorney General, Making Your Privacy Policies Public: Recommendations on Developing a Meaningful Privacy Policy 9 (May, 2014).

[12] Cal. Bus. & Prof. Code § 22577(b)(2).

[13] Id at §§ 22577(b)(3)(A)–(3)(C).

[14] Id at § 22577(b)(4).

[15] We concede, and our lawyers agree with her opinion, that the California Attorney General recommends using the word “privacy” in the link and making it even more conspicuous with formatting to ensure compliance with the law.

[16] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 158, 1995), ¶ 1.

[17] European Directorate General for Justice and Consumers, Reform of the data protection legal framework in the EU (Nov, 2015), online at http://ec.europa.eu/justice/data-protection/reform/index_en.htm (visited Dec 17, 2015).

[18] Directive 95/46/EC at Art. 10 (cited in note 14).

[19] An independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

[20] Information Commissioner’s Office, Privacy notices code of practice at 4 (cited in note 7).

[21] California Attorney General, Making Your Privacy Practices Public at 3 (cited in note 10).

[22] Id at 4.