Privacy policies that don’t suck

I came across a few intriguing posts by Aza Raskin about privacy policies recently. Raskin was recently appointed the Creative Lead for the Firefox browser and is a design and user interface expert.

Raskin published a series of posts on his blog about privacy policies and an interesting initiative to make them more accessible, intelligible and meaningful for site visitors. As he points out –

Privacy policies are long legalese documents that obfuscate meaning. Nobody reads them because they are indecipherable and obtuse. Yet, these are the documents that tell you what’s going on with your data — how, when, and by whom your information will be used. To put it another way, the privacy policy lets you know if some company can make money from information (like selling your email to a spammer).

At the same time privacy policies are essential documents. I’ve written about them and privacy issues generally a number of times on this site and about why they are essential now and going forward as we see new privacy legislation take shape here in South Africa and in other countries and regions. Anyone following the debate about the new Consumer Protection Act here in South Africa will be familiar with the plain language requirements in the Act which require that contracts be drafted in plain language. This is an accessibility requirement. It is practically a cliche that contracts are complex, couched in legalese and largely unintelligible to clients and lawyers alike. This is because the lawyers who draft those contracts are not basing their language choices on improving accessibility.

The same principle should apply to privacy policies. These documents must be intelligible to any person with reasonable intelligence and a grasp of the policy document’s language. The primary reason for this goes beyond accessibility to something even more important: informed consent.

A privacy policy’s role, as I see it, is to give users/visitors enough information about what personal information is collected from them and what is done with that personal information so those users/visitors can make an informed decision whether they agree to that. A user can hardly be said to have agreed to having her personal information collected and processed if she didn’t understand and agree to what would be collected and what would become of that personal information. I would even go so far as to say that the absence of informed consent could even negate a privacy policy.

Raskin looked to the Creative Commons model which uses a series of icons and symbols to indicate that the content owner has granted a certain license. Why icons and other graphics? As Raskin explains –

The visual schematic language is a descriptive way of explaining a privacy policy and helps us to understand what’s going on underneath the hood. It doesn’t solve the problem of being able to quickly figure out the guarantees a privacy policy is making on your data.

There are four elements which can be used to create six standard licenses, each of which is identified by a badge which identifies its components. This site, for example, uses a Creative Commons Attribution No Derivatives 2.5 ZA license. The badge for that license is as follows:

Its components are the “Attribution” and “No Derivatives” elements. Visitors to this site are greeted with this simple license indicator and if they click on the badge they will be taken to a plain language summary of what the license entails. It is certainly a lot simpler than navigating a custom content license.

The possible solution Raskin offers to address comparable privacy policy complexities is a series of symbols which would highlight certain features of a site’s privacy policy. Just as there are legalese versions of all Creative Commons licenses (no escaping some degree of legalese, unfortunately), sites would still have a privacy policy but it would also make use of a series of icons to point out certain features of that policy. One of the questions he asks is whether these icons should highlight features of a privacy policy like the Creative Commons licenses or whether they should point out certain practices like sharing personal information with third parties or the degree to which users have control over their personal information.

The work towards this sort of privacy iconography is far from complete but it got me thinking again about how to improve accessibility for documents like privacy policies and even website use terms. Although a number of firms and businesses are jumping onto the plain language bandwagon, there are good reasons for the requirement. Thinking a little differently about these sorts of documents could go a long way towards improving accessibility, intelligibility and, ultimately, enforceability. That is the key issue for providers. These documents have little value as collections of words on a page. Their real value lies in how effective they are when the proverbial poo hits the fan.

Image credit: Privacy, health, fears over airport X-ray by publik16, licensed under a Creative Commons Attribution Non-Commercial ShareAlike 2.0 license

Published by Paul Jacobson
