This morning I got an email like this:
I don’t appreciate the meta comment about getting lots of emails like this. It’s only a reminder of something I despise, hardly welcome.
Though it got me thinking: What’s so wrong with this? Isn’t it nice that companies are updating their privacy policies to the benefit of consumers?
The problem I have with this process is the asymmetric power and burden. As a consuming customer, the only leverage I have is to stop using their service. That’s an all-or-nothing game I don’t want to play. For example, I despise many things about Facebook, but I’m not yet taking the only option, leaving completely, since there are still too many things I don’t want to miss out on.
Given that it’s a good thing for companies to pay attention to their data use and make their policies public, how could we remove the current burden from customers and shift it somewhere else?
Here’s some ideas:
- Companies have to provide a fact sheet, like insurance or investment products. On a single, well-formatted and readable page, list what data the company is gathering, who it’s being shared with, how long it’s stored, and similar details. Optimize this for a quick read, in a standardized format (e.g., the retention policy is always in the upper-right box).
- Companies have to submit their updated policies to a 3rd party, which they pay to have their documents reviewed. The contact details and review date are then added to the full public policy, so that consumers with doubts about a company’s policies can contact the reviewer and have them confirm the review. This 3rd party could use a low-effort support system like Intercom (you can handle a lot of requests with chat) to provide free answers, with paid phone support in addition.
- Companies have to use standardized policy templates. ALL UPPERCASE LEGALESE IS STRICTLY FORBIDDEN. A clear and predictable structure makes it easy to find specific details.
- Companies have to provide diffs when updating their policies. To keep the diff simple, the updates need to be kept under control, too.
What I expect to happen instead:
- Many more emails like the one quoted above, with unstandardized, garbled, long legalese policies, each unique as a snowflake, with most consumers never reading any of them; related German article on t3n.de
- An upcoming e-privacy law that ends up with even worse usability than the current cookie notification bullshit; further material in German
- More bad GDPR notifications