Millions of websites link to their “privacy policies” from their homepages. Most people are not aware of the policy, and a majority of those who do notice it think it means their privacy is protected while browsing.
Sign the statement
We care about your privacy.
That’s why we are changing how we describe the policy on our website that explains how we collect and use your personal information.
To be clear, this doesn’t mean that we are changing any of our policies in regard to your data.
But it does mean we want you to know that if a site collects and uses your personal data, even just for internal uses, that’s not privacy.
– Your organization (enter info below)
Read our memo
At the same time, however, internet users are not entirely naïve: they know their personal information is being collected. Another recent survey found that 91 percent of American adults think “consumers have lost control over how personal information is collected and used by companies.” So it is clear that while Americans are keenly aware of their lack of real privacy online, they incorrectly believe that so-called “privacy policies” constitute an effort to protect them and their personally identifiable information.
Joseph Turow, professor at the University of Pennsylvania’s Annenberg School for Communication, believes two main factors contribute to the confusion surrounding privacy policies:
- “Privacy policies are often difficult to interpret, even to the small number of consumers who do try to read them.”
Our idea is simple: we will build a coalition of participating organizations that currently have “privacy policies” on their websites and that will commit to relabeling those policies as either “data usage policies” or (even clearer) “data usage and protection policies” or “how we use your information,” all on the same day. In addition, these companies will sign a short statement, written by Civic Hall and Privacy International, explaining their actions. The statements will be collected on a new website, ThatsNotPrivacy.com, to be launched with a press release and conference call to garner attention for the cause.
To be clear, we are not asking companies to change the content of their existing policies. There is a greater debate going on as to what level of privacy is necessary online, now and in the future, what data should be generated and collected, how they should be used, and so on. That conversation is currently limited to the group of security experts, academics, and commercial and government entities that are party to it. Our hope is that this exercise in transparency and truth-in-labeling will help bring a much larger constituency—the public—into the fold. Then we can start asking the institutions we interact with: how are we genuinely protecting privacy, rather than merely articulating some standard text at the bottom of your website?
What the statute does require is that the policy be conspicuously available. Because most websites don’t post their privacy policies on their homepage, they must link to the page wherein it is contained. This can either be done with an image or hypertext, and CalOPPA is clear on what those links must look like.
If the link is an image, it has to contain the word “privacy,” period. If it’s text, however, there’s a little more leeway. In fact, the link must only do one of the following:
- Include the word “privacy.”
- [Be] written in capital letters equal to or greater in size than the surrounding text.
- [Be] written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
According to the statute, as long as formatting distinguishes the link from surrounding text, or even more broadly, if the link is “so displayed that a reasonable person would notice it,” it satisfies the conspicuity requirement.
Under European law, everyone has a right to the protection of their personal data, which can only be gathered legally under strict conditions, and for a legitimate purpose. However, in addition to being outdated, the 1995 E.U. data protection rules were implemented differently in the 27 member states, so a reform process began in 2012. That process is ongoing, so there may be imminent changes to the rules.
As of today, though, the European law says even less than U.S. law about what a purported “privacy notice” must be named. In fact, the description of what information must be given to a “data subject” does not prescribe at all how the information must be presented to him or her, only that the “data controller” must provide the following:
The identity of the controller and of his [or her] representative, the purposes of the processing for which the data are intended, and any further information such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, or the existence of the right of access to and the right to rectify the data concerning him [or her].
Moreover, the Information Commissioner’s Office in the UK calls the “privacy notice” term overly technical, and even suggests titling such a disclosure, required by the UK’s implementation of the 1995 EU rules discussed above, “how we use your information.”
Why should you take part?
What they genuinely want to know is how their privacy is being protected, and how they may maintain control of their personal information in modern life.
There’s no reason for keeping the misleading label around. Increased transparency will not only harmonize concerns over real privacy around the world, allowing for increased international commerce, but has also been shown to be a key factor that builds consumer trust in a company.
So, join us for That’s Not Privacy! day! Be transparent about your data usage—show that you care about keeping your customers informed. We want to help you build a long-lasting relationship based on trust.
For this project, we consulted:
Fernando A. Bohorquez, Jr., Partner, Baker & Hostetler LLP
Geff Brown, Assistant General Counsel (privacy, data protection), Microsoft
John Frank, VP & Deputy General Counsel, Microsoft
Maria-Martina Yalamova, Associate, Covington & Burling LLP
 Mary Madden, et al, Public Perceptions of Privacy and Security in the Post-Snowden Era (Pew Research Center, Nov 12, 2014), online at http://www.pewinternet.org/files/2014/11/PI_PublicPerceptionsofPrivacy_111214.pdf (visited Dec 16, 2015).
 Smith, Half of Online Americans quoting Turow (cited in note 1).
 Katy Steinmetz, These Companies Have the Best (And Worst) Privacy Policies, TIME Magazine (Time, Inc. Aug 6, 2015), online at http://time.com/3986016/google-facebook-twitter-privacy-policies/ (visited Dec 16, 2015).
 Julie Clement, ed, Privacy-policy analysis (Center for Plain Language Aug 5, 2015), online at http://centerforplainlanguage.org/wp-content/uploads/2015/09/TIME-privacy-policy-analysis-report.pdf (visited Dec 16, 2015).
 See Information Commissioner’s Office, Privacy notices code of practice (Dec, 2010), online at https://ico.org.uk/media/for-organisations/documents/1610/privacy_notices_cop.pdf (visited Dec 16, 2015); Center for Information Policy Research, Ten steps to develop a multilayer privacy notice (Mar, 2007), online at https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Ten_Steps_whitepaper.pdf (visited Dec 16, 2015).
 Emphasis added—the economic importance of California and the borderless nature of internet commerce extends the range of this statute globally.
 California Business & Professional Code § 22575(a). For convenience, the Act in its codified entirety is included in Appendix A.
 Id at § 22575(b).
 Cal. Bus. & Prof. Code § 22577(b)(2).
 Id at §§ 22577(b)(3)(A)–(3)(C).
 Id at § 22577(b)(4).
 We concede, and our lawyers agree with her opinion, that the California Attorney General recommends using the word “privacy” in the link and making it even more conspicuous with formatting to ensure compliance with the law.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (O.J. L 158, 1995), ¶ 1.
 European Directorate General for Justice and Consumers, Reform of the data protection legal framework in the EU (Nov, 2015), online at http://ec.europa.eu/justice/data-protection/reform/index_en.htm (visited Dec 17, 2015).
 Directive 95/46/EC at Art. 10 (cited in note 14).
 An independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 Information Commissioner’s Office, Privacy notices code of practice at 4 (cited in note 7).
 California Attorney General, Making Your Privacy Practices Public at 3 (cited in note 10).
 Id at 4.