On Mandating “Simplified” Privacy Policies

by on February 8, 2013 · 624 comments

Via a Twitter post this morning, privacy lawyer Stephen Kline (@steph3n) brings to my attention this new California bill that “would require the privacy policy [of a commercial Web site or online service] to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.”

I’ve always been interested in efforts — both on the online safety and digital privacy fronts — to push for “simplified” disclosure policies and empowerment tools. Generally speaking, increased notice and simplified transparency in these and other contexts is a good norm that companies should be following. However, as I point out in a forthcoming law review article in the Harvard Journal of Law & Public Policy, we need to ask ourselves whether the highly litigious nature of America’s legal culture will allow for truly “simplified” privacy policies. As I note in the article, by its very nature, “simplification” likely entails less specificity about the legal duties and obligations of either party. Consequently, some companies will rightly fear that a move toward more simplified privacy policies could open them up to greater legal liability. If policymakers persist in the effort to force the simplification of privacy policies, therefore, they may need to extend some sort of safe harbor provision to site operators for a clearly worded privacy policy that is later subject to litigation because of its lack of specificity. If not, site operators will find themselves in a “damned if you do, damned if you don’t” position: satisfying regulators’ desire for simplicity will open them up to attacks by those eager to exploit the lack of specificity inherent in a simplified privacy policy.

Another issue to consider comes down to simple bureaucratic sloth: mandatory “simplification” efforts mean that a team of bureaucrats somewhere in this world — in this case in Sacramento, California, I guess — will have to become code cops. Websites and apps will suddenly become subject to a new regulatory regime and all that it entails. So, even if those enterprising trial lawyers don’t get online innovators first, the bureaucrats could make their lives miserable with reams of red tape over time (especially because it would be silly to think that this sort of meddling will end with “simplification” mandates). That could mean a lot less “permissionless innovation” and many more “Mother, May I?” permissioned proceedings instead.

Further, do we really want such Internet mandates to spring from the state level? As I noted in my recent essay on “The Perils of Parochial Privacy Policies,” such state-based Internet meddling — even when well-intentioned — could quickly become a confusing morass of overlapping, contradictory rules. Fifty different state Internet Bureaus aren’t likely to help the digital economy or serve the long-term interests of consumers. It could also open the door to potential Net-meddling on other fronts (online free speech, copyright, cybersecurity, online authentication, etc.). If “simplified” policies can be mandated at the state level for privacy, why not everything else? So, some degree of preemption may be in order here. If the movement of digitized bits across the Net isn’t “interstate commerce,” then I don’t know what is.

Just as an aside, it’s worth pointing out that simply because consumers do not necessarily read or understand every word of a company’s privacy policy does not mean that “market failure” exists. In my forthcoming Harvard Journal piece I discuss how disclosure policies or labeling systems work in other contexts and note that it is highly unlikely that consumers read or fully understand every proviso contained in the stacks of paper placed in front of them when they sign home mortgages, life insurance policies, or car loans and warranties. Such documents are full of incomprehensible provisions and stipulations, even though regulations govern many of these contracts. In these cases, I could argue that consumers face far more “risk” than they face by not fully comprehending online privacy policies. But life goes on. Consumers will never be perfectly informed in these or other contexts because they are busy with other things. In a similar way, a certain amount of “rational ignorance” about privacy policies should be expected.

Let me close by reiterating that increased notice and transparency in privacy and data collection/use policies is generally a good operational norm. But not every smart norm makes a smart law, and in this case there are some thorny unintended consequences that must be considered when policymakers propose “simplifying” privacy policies via state-based regulatory mandates.

[On a related note, my colleague Jerry Brito brought to my attention this interesting 2011 NPR piece on “Why Are Credit Card Agreements So Long?”]
