Hacker News
The Bulletproof Glass Effect: Unintended Consequences of Privacy Notices (sagepub.com)
26 points by behnamoh on Oct 8, 2022 | hide | past | favorite | 21 comments



Something that wasn't mentioned in the abstract is whether the privacy policies were sufficient to actually protect somebody's privacy. It touches on there being no explicitly detrimental practices in the studies, but doesn't state whether they actually protect privacy, or merely codify existing business practices.

To use their metaphor of bulletproof glass, suppose a company pointed to a sheet of cardboard as a safety measure. Strictly speaking, a bullet will be moving slower after going through the cardboard, so it isn't detrimental on its own. However, if a company lists it as a safety measure without listing anything else, I'd be more worried. Where before there was uncertainty about whether their practices were sufficient, after there was certainty that they are insufficient.

In the same way, any privacy policy that includes "We only share your data with our trusted business partners." decreases my overall trust, because that is already an admission of data changing hands and being used for further aggregation. Saying that you'll only share data about me when provided money in a business relationship is strictly better than sharing it publicly at all times, but isn't sufficient to give me any comfort.


I like your analogy, but is it not more like having a sign telling you how the bullet-proof glass works without any evidence of actual bullet-proof glass.

And on the analogy of the bullet-proof glass: the bullet-proof glass is never there to protect you, the customer. It is only there to protect the company.


Exactly. A so-called "privacy policy" may instead be a "you-have-no-privacy policy". That both are described in the same terminology is part of the problem.


Privacy policies are as useless as cookie banners. Companies feed you page after page of confusing legalese so you give up and click "I accept." There should be a simplified plain-language form created by the FTC with checkboxes: check off any statements that are true about your company's privacy practices. Then they could be easily understood and compared.


For a privacy policy to actually give me confidence in it protecting my privacy it would need to:

1. Be short enough that I can read it quickly (at most a couple minutes)

2. Be easily understandable

3. Actually have meaningful protections for my privacy

Most privacy policies are none of those.



Not the parent, but I like it!

First sentence is unnecessary.

It would be better if it disallowed taking data for a legit reason and then using it for another less scrupulous reason. Point 5 may mitigate this concern substantially however.


Thanks for the feedback.

Yeah, I think I agree.


Yes! that is such a breath of fresh air compared to the usual privacy policy.


You can probably guess at the meaning, but here's an excerpt from the abstract defining "the bulletproof-glass effect" and its relevance:

> A privacy notice, by placing legally enforceable limits on a firm's data practices, communicating safeguards, and signaling transparency, might be expected to promote confidence that personal data will not be misused. Indeed, most managers expected a privacy notice to make customers feel more secure (Study 1). Yet, consistent with the analogy that bulletproof glass can increase feelings of vulnerability despite the protection offered, formal privacy notices undermined consumer trust and decreased purchase interest even when they emphasized objective protection (Studies 2, 3, and 5) or omitted any mention of potentially concerning data practices (Study 6).



I'm not sure why it's presented that way, but, while the page itself prompts me to "Get Access", I can just click the PDF overlay on the journal page to get the PDF: https://journals.sagepub.com/doi/pdf/10.1177/002224372110690... .


There's a tremendous situational irony with the massive cookie notice at the bottom of the screen when this loads.


"we value your privacy" ... so here is how we are going to track you.


At least they have “decline all” that works.


We value your privacy a lot. We make money off of it after all.


Blame businesses.

I see long winded policies as cover-your-ass for the business.

The language and format isn’t any different from EULAs and lends zero confidence because I have no way of verifying misbehavior, short of doing things like one-off email accounts.

Not dissimilar to business whistle-blower “protection” and HR’s mandatory “ethics” and other legal courses.


Most things in this world are the opposite of what they say...

The C.A.R.E.S. Act had nothing to do with caring. "Lifetime warranty" has a very specific meaning. "Organic" isn't what you think it means. Love. (Feel free to add your own interpretation on this one ;) )


Startup idea: a privacy policy provider with a set of standard terms, or a pro version for more money where it evaluates, grades, and verifies the absence of anything crazy or unexpected in a custom privacy policy.


The free ToSDR browser extension might be what you’re looking for: https://tosdr.org/


I was so disappointed when USA was going after TikTok instead of codifying proper data protection for all citizens.

Having gone through several GDPR implementation processes in Europe, it's what the citizens of the USA need, but not what American companies or government agencies want. So from my perspective, American citizens will never be fully protected. Sadly.



