

Why Privacy Policies Suck - Facens
http://www.iubenda.com/blog/2011/09/06/a-new-generation-of-privacy-policies/

======
wisty
The article is assuming that the ToS and privacy statement is meant to be
informative. It's not.

If you give people a good overview of what you are doing with their data, a
significant portion will get pissed off. If you bore them with legalese, 99.9%
of them will just sign, rather than wade through the terms.

It's broken, but it's broken by design.

~~~
Facens
Look a the Facebook's example shown in the post. Facebook could have replaced
that popup with a text broth, but it didn't, and this payed. The main privacy
policy of Facebook is another example. They redesigned it with the help of
TRUSTe, when they realized all that people want is to keep control of what
they share (and my opinion is cleared in the article). Furthermore, TRUSTe
bases its business on the assumption that well written privacy policies
increase conversions, because when people have to provide their credit card
(an example), they get scared by a broth-like privacy policy.

Also think about Creative Commons: many people use it and many people rely on
it when needing to know how to share content. The world is a better place with
Creative Commons, and I think it will be a better place with simpler Privacy
Policies and TOS :)

~~~
shabble
The Facebook popup is quite nice, but I can see two ways in which it could be
improved (from a cursory observation - I don't really use Facebook much any
more).

Firstly, "[...] and any other information I've shared with anyone" could quite
easily result in people accidentally permitting access to data they didn't
mean to. In contrast to it being viewed by anyone, there is a good chance that
data will be stored elsewhere and stashed, regardless of whether the user
later notices and removes it.

Having some mechanism to fully disclose what your "any other information" is,
from that popup, might help people to notice accidentally shared data sooner,
and prevent them sharing it with people who are storing it. The UI might take
a little work, but afaik they've already got "view my profile as $foo"
abilities, but that's tied to the account privacy settings pages, and not
directly accessible from this sort of popup.

Secondly, and maybe not nearly as practically, but it'd be nice to see
actually optional disclosure settings for apps like this. Android has a
similar problem with its apps, it tells you what (coarse-grained) permissions
it requires, but you only get a choice of all or nothing.

Granted, it doesn't make much sense to install your GPS-map application
without giving it access to your GPS data, but in the Facebook realm, there
can definitely be data or services which you want to consider optional.

There's probably even a business model in charging users (more) if they wish
to disclose less about themselves, making them less attractive from your
advertising revenue. The major problems I can foresee are (a)
microtransactions, and (b) actually making your user aware you're effectively
selling their personal details in exchange for providing them with whatever
service.

~~~
Facens
The tradeoff sounds scaring: \- Extremely accurate Privacy Policies nobody
read; \- Simplified Privacy Policies everybody read, but missing something.

Facebook has probably reasons for not including too much detail on that page,
but Facebook also uses users' data like nobody else. For the average website
this problem is much simpler, even for the average SaaS startup which is not a
social network (or a simple one like Quora). Probably that kind of website can
really have a privacy policy covering every personal data use within a
simplified popup, without missing relevant information.

The Facebook's popup surely has issues, but I still love it since it's
something people read, and it helps people take better choices. This is what,
to me, is really important of Privacy Policies.

------
dcaylor
As long as we have a sue-happy society, companies will use privacy policies to
limit liability. That means they will continue to be documents with more text
than most of us are likely to read. Icons and diagrams won't work without the
text behind them. However, I do agree that just because a document has legal
significance does not mean it needs to be full of legalese. We tried to keep
our privacy policy as short and light as possible and write it in plain
language. <http://nodeping.com/PrivacyPolicy>

~~~
Facens
There's probably still need of a legalese document behind, but we are working
on cutting that part too :P Even with the need of having a strictly law-
compliant page, having a first page which is simple and readable at a glance
is always a good idea. Consider that we are seriously working on bringing that
model to the mass (read end of the article :) )

------
fractalcat
Yes. Just yes.

I recently wrote a privacy policy for my new startup; I think it complies with
all but two of those guidelines (lightbox and standardised). Any feedback
would be appreciated: <https://theescortcompanion.com/privacy/>

~~~
fractalcat
I hope you're not thinking of charging for privacy policies though. I have an
deep aversion to paying for something I can write in twenty minutes.

~~~
Facens
Most people don't know what to put on a privacy policy, and we built a service
with lawyers behind, assuring compliance and top quality service. Since yours
is of course a good point, consider that our product will be very cheap, and
I'd seriously pay a cheap price instad of spending those 20 minutes. Also
consider that your privacy policy currently lacks the parties involved, and
it's not "completely compliant". Our goal is to save your time on this side,
for a reasonable price and giving something very polished in change :)

What do you think?

~~~
fractalcat
Point taken - I can't see myself using such a service personally, but my
startup's not at a stage where my twenty minutes is worth that much. :)

You're right about the parties involved - I also forgot to mention our
location/jurisdiction. Thanks for the feedback!

------
flyswatter
Would like to see some notion of how long data is retained. Period of time,
til account deletion, forever, etc.

I agree with 'broken by design' in many cases, but first step is at least
having a non-broken design.

------
dcosson
Looked at facebook just now, and sure enough there in the footer (if you're
fast enough to click on it before the infinite scroll kicks in) they have this
<http://www.facebook.com/full_data_use_policy>, which reaffirms my suspicion
that using only what the author suggests probably isn't quite as safe legally.

That said, I definitely agree that putting a simpler layer on top of it so
non-lawyers can get the gist of your policy quickly is a great idea - now item
1,000,001 on my startup's to-do list!

~~~
Facens
The best part is that we are making it automatic, just check our main website,
our goal is to help website owners to get rid of the hassle of writing a
privacy policy :)

------
snarktacular
I'd be happier to use Iubenda if its beta-access system didn't make me feel so
violated, by requiring me to literally share it on every social media I can in
multiple ways.

~~~
Facens
You are not required to do it. Only if you want early access :)

------
thwarted
Does the machine readable P3P format have any use still?

~~~
Facens
I think that it's too complex to work on a scale. Maybe our service will embed
it in the future, maybe we'll rethink a new standard (since p3p is a bit
outdated) :)

~~~
thwarted
Privacy policies have not changed that much. I agree that P3P does not provide
a scale of privacy, but that seems by design, since privacy, and the things
described in privacy policies, don't map to a linear scale.

------
evertonfuller
Simple. Just don't have one. Nobody reads them anyway.

~~~
Facens
So far, nobody tried. I think that Creative Commons can teach a lesson :)

