Being put on notice about privacy

Toni Sekinah, research analyst and features editor, DataIQ

Up and down the country and probably across the entire continent of Europe, people’s email inboxes are filling up with requests to “review our updated privacy policy.” Although the GDPR came into force almost two years ago, it is only now, days away from the deadline to be GDPR-compliant, that companies have gotten themselves into gear and whipped their privacy notices into shape.

Side note. A policy differs from a notice in that a policy is internally focused. So a privacy policy lets the employees of a certain organisation know what they can and can’t do with personal information. On the other hand, a notice is aimed at external users, telling customers and other stakeholders what the organisation does with their information.

One company emailed to inform me that they want to give me an overview of their updated privacy policy. They said it is "more user-friendly and addresses new regulations including GDPR". Not quite.

Firstly, for the life of me, I cannot remember signing up to or using this company or its four collaboration tools. I think it would be very user-friendly to let me know the first and last time I used that service.

Secondly, the full policy is 8,000 words long. That is longer than my undergrad dissertation. If I read it at the average speed of 250 words per minute, it would take me 32 minutes. So, I’ve been putting it off. It doesn’t feel like the best use of my time for a company that I don’t know from Adam. It turns out that I am not alone. A survey by the Internet Society in 2012 of more than 10,000 people in 20 countries found that less than 20% of people always read privacy notices.

The writers of privacy notices have been renowned for being inconsiderate of their users’ time, by generating reams of legalese to make sense of and agree to or decline. In 2008, the average US privacy notice was 2,500 words long and would take ten minutes to read. They ranged from 144 words to over 7,600 words.

Back in 2013, the Information Commissioner’s Office launched a consultation on the privacy notices published on websites, following complaints that they were so complex and wordy that many users simply ignored them. In 2016, the group manager in the ICO policy delivery department admitted that many privacy notices were still “too long, overly legalistic, uninformative and unhelpful.”

Unfortunately, it seems that some organisations are still short-changing their users with huge privacy notices written in confusing legal jargon. I’ll set aside some time to go through them this week. It’s a good thing the evenings are bright and long.
