In Defense of the Long Privacy Statement
42 Pages Posted: 4 Feb 2017 Last revised: 18 Aug 2017
Date Written: February 8, 2017
Size matters. In fact, when it comes to privacy statements, there is an obsession with size. Much scholarship and commentary on privacy statements bemoans the fact that consumers rarely read them and places the blame on the length of those statements. The solution? Shorten and simplify!
Proposals for standardized short-form notices, “nutrition label” notices, icons, and other attempts to replace long privacy statements abound. But none have proven to be a satisfactory substitute for a full, detailed description of what data an organization collects and how it is used, shared, retained, and protected. These short-form approaches inevitably leave out important details, gloss over critical nuances, and simplify technical information in a way that dramatically reduces transparency and accountability.
This article discusses the multiple purposes of privacy statements, including the legal obligations they are designed to fulfil. It recognizes that there are many audiences for privacy statements, including consumers, regulators, policy makers, academics, researchers, investors, advocates, and journalists. And it argues that efforts to make privacy statements significantly shorter and simpler are optimizing for the one audience least likely to read them – consumers – rather than the audiences in the best position to police privacy statements and the practices they describe.
Whatever the audience, having a detailed (long) privacy statement provides a single place where an interested reader can find the “full story” of the organization’s privacy practices. Unlike many alternate methods of providing notice, the detailed privacy statement makes the full range of privacy information available at any time, and to any person before, during or after the time an individual may be using the organization’s products or services.
Long privacy statements also create organizational accountability. The exercise of drafting them requires organizations to do the detailed investigation to understand and document what data is being collected and how it is processed. And although few consumers other than a small number of highly-motivated individuals will read the statements, those who act on behalf of consumers do – including advocates, regulators, and journalists. It is mainly those individuals who ask the hard questions and are in a position to raise public awareness and create consequences for inadequate or problematic practices. And it is that kind of accountability that leads to positive change.
To be clear, this article is not defending poorly-drafted privacy statements. Writing that is unclear, poorly organized, or needlessly complex or legalistic has no place in a privacy statement. Nor is this article suggesting that a privacy statement should be long simply for the sake of being long. A statement for a simple app that collects one type of information and uses it for one purpose can be quite short. But a privacy statement for an organization that offers a range of more complex, interrelated, and data-intensive services often must be quite long in order to provide all the relevant details. How long should a privacy statement be? A privacy statement should be as long as it needs to be in order to meet legal requirements and provide full descriptions of the pertinent data practices.
Long privacy statements are often essential to achieving true transparency. But given that most consumers will not read them (regardless of the length), if we want to achieve transparency for all audiences, long privacy statements alone are not sufficient. This article should not be taken to suggest detailed privacy statements are the only way of creating transparency. And we should not write off consumers because they rarely read these privacy statements. Efforts should still be made to help consumers understand what is being done with their data and to give them meaningful control. Doing that well often involves measures in addition to a privacy statement, such as contextual privacy disclosures. But those measures almost always will be inadequate and incomplete unless provided in conjunction with a full, detailed privacy statement.
Keywords: Privacy, Notice, Policy, Disclosure