You are here: Home » Technology » News » Apps
Business Standard

Nobody reads privacy policies - here's how to fix that

Few privacy policies provide consumers with any choices besides not using the service at all

Florian Schaub | The Conversation 

More Indians paying for apps now, says Google
Google play store apps

Have you ever actually read an app’s policy before clicking to accept the terms? What about reading the policy for the website you visit most often? Have you ever read or even noticed the policy posted in your doctor’s waiting room or your bank’s annual notice when you receive it in the mail?

No? You’re not alone. Most people don’t read them.

People are confronted with terms of service agreements and policies all the time. Regulations requiring these notices aim to ensure that consumers can make informed decisions, but current policies miss the mark. They are surprisingly ineffective at informing consumers, as Rebecca Balebako, Lorrie Cranor and I analyze in a recently published article.

In 2008 a study estimated that it would take 244 hours a year for the typical American internet user to read the policies of all websites he or she visits – and that was before everyone carried smartphones with dozens of apps, before cloud services and before smart home technologies. With our research, my colleagues and I propose a better way to make clearer policies that are easier to follow.

Hard to find, read and comprehend

Even people who do read policies struggle to understand them, because they often require college-level reading skills. Privacy policies frequently cover multiple services offered by a company, resulting in vague statements that make it difficult to find concrete information on what personal information is collected, how it is used and with whom it is shared.

For example, Google’s privacy policy states “We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or view and interact with our ads and content.” Then it goes on to list examples of information that may be collected. What exactly is collected about users when they use a specific product remains unclear.

policies are also increasingly posted separately from users’ interactions with a system. For instance, websites link to policies at the bottom of pages, mobile link to policies in the app store and the policy of your smart speaker or fitness tracker is likely posted somewhere on the company’s website.

Few policies provide consumers with any choices besides not using the service at all. Companies may also change their privacy policies anytime. Not accepting the updated policy – if consumers are even asked to acknowledge the change – may stop your gadget from working or result in termination of the account.

Different purposes

A fundamental issue is that policies serve different functions for consumers, companies and regulators. Companies use a policy to demonstrate compliance with legal and regulatory notice requirements, and to limit liability. Regulators in turn use policies to investigate and enforce compliance with regulations. Consumers’ need for meaningful information they can use to make choices regarding their is thereby often neglected.

As a result, academics, regulators and governments have called for more usable privacy notices and solutions. For instance, Europe’s General Data Protection Regulation, which takes effect in May 2018, imposes strict requirements on notices. Notices must be in “concise, transparent, intelligible and easily accessible form, using clear and plain language.” Most notices today do not meet these requirements.

Focusing on the consumer

The key to turning notices into something useful for consumers is to rethink their purpose. A company’s policy might show compliance with the regulations the firm is bound to follow, but remains impenetrable to a regular reader.

The starting point for developing consumer-friendly notices is to make them relevant to the user’s activity, understandable and actionable. As part of the Usable Privacy Policy Project, my colleagues and I developed a way to make privacy notices more effective.

The first principle is to break up the documents into smaller chunks and deliver them at times that are appropriate for users. Right now, a single multi-page policy might have many sections and paragraphs, each relevant to different services and activities. Yet people who are just casually browsing a website need only a little bit of information about how the site handles their IP addresses, if what they look at is shared with advertisers and if they can opt out of interest-based ads. Those people doesn’t need to know about many other things listed in all-encompassing policies, like the rules associated with subscribing to the site’s email newsletter, nor how the site handles personal or financial information belonging to people who make purchases or donations on the site.

When a person does decide to sign up for email updates or pay for a service through the site, then an additional short notice could tell her the additional information she needs to know. These shorter documents should also offer users meaningful choices about what they want a company to do – or not do – with their data. For instance, a new subscriber might be allowed to choose whether the company can share his email address or other contact information with outside marketing companies by clicking a check box.

Understanding users’ expectations

Notices can be made even simpler if they focus particularly on unexpected or surprising types of data collection or sharing. For instance, in another study, we learned that most people know their fitness tracker counts steps – so they didn’t really need a privacy notice to tell them that. But they did not expect their data to be collected, aggregated and shared with third parties. Customers should be asked for permission to do this, and allowed to restrict sharing or opt out entirely.

Most importantly, companies should test new notices with users, to ensure final versions are understandable and not misleading, and that offered choices are meaningful.

These shorter consumer-friendly notices can easily coexist with traditional policies. This is already starting to happen on mobile devices. and Google, as the two largest smartphone platform providers, introduced just-in-time permission dialogues in 2008 and 2015, respectively. For instance, when a mobile app wants to access the phone’s location or contacts, the phone gives the user the option to say “No.”

The Conversation logo

Systems like this give consumers usable information and real choices. And they encourage app developers to communicate better with users about privacy. If we can expand this smartphone model to other uses, then everyone could have policies that are clear, easy to understand and with real meaning for both users and software designers.

Florian Schaub, Assistant Professor of Information; Assistant Professor of Electrical Engineering and Computer Science, University of Michigan

This article was originally published on The Conversation. Read the original article.

The Conversation

First Published: Tue, October 10 2017. 08:31 IST