Internet users throughout the European Union — and, in some cases, in the rest of the world as well — are starting to get gently pushed toward accepting various companies’ new service and privacy terms that comply with the EU’s General Data Protection Regulation, which is going into effect on 25 May. Trying to deal with it has convinced me that the tech industry is still determined to get privacy wrong, and the GDPR as applied by them doesn’t prevent it.
The GDPR-related reminders are coming from stores, electronics manufacturers, social networks, even non-profits. One needs to be intensely privacy-minded to go through the legal documents updated by Facebook, Twitter, Fitbit, Sonos, an e-commerce site you may have visited a few years ago or a local theatre company and not get confused about which disclosures you saw in which statement. Though most firms have made an attempt to write the new terms in plain language, as the GDPR requires, these are still lengthy documents crafted for legal compliance first and understanding second.
The standard approach is to hit the user with thousands of words explaining what data is collected and how it is used and, within the text, provide links to settings pages where one can opt in and out of the data harvesting and processing. Here’s how Fitbit handles it:
We give you account settings and tools to control our data use. For example, through your privacy settings, you can limit how your information is visible to other users of the services; using your notification settings, you can limit the notifications you receive from us; and under your application settings, you can revoke the access of third-party applications that you previously connected to your Fitbit account.
Now, which link will you click? Perhaps all four? Will you do it and then go back to the text (there’s still plenty of it), or will you get lost in the first set of preferences, curse and look for the “I agree” button? This is what I’d call obfuscation through confusion.
Facebook, by the way, has a big blue button for consent, but a mere hyperlink for deleting your account if you disagree with the new rules — even though deletion is the more momentous decision. We all know the trick that sends us looking frantically for the “X” we need to click to close an ad. The way Facebook has laid out its new policy pages is a subtler version of that intentional annoyance, a form of mild psychological pressure to sign on the dotted line and be done with it. Most people will: there’s no way to reject specific parts of the rules except indirectly, through tweaking certain settings, and then not in every case — even though very little data collection is actually required to provide the basic Facebook service. That’s unfair to users whose data is coming to Facebook from a multitude of hard-to-track sources, some of which they’d surely like to cut off.
Verbosity
Twitter’s updated privacy policy runs to more than 8 800 words, and it’s distinct from its terms of service and Twitter rules. I know some people — lawyers and reporters — capable of getting through all three documents with a magnifying glass, but most users aren’t like that. There’s no reason for the multiple documents and the verbosity except to induce boredom.
The GDPR rules aren’t complicated. They mainly require organisations that collect and process data to ask Internet users in clear language whether they’re okay with it. But what users get is, as ever, a lengthy legal text — no, three of them and wait, there’s also this linked page and that one, and a separate privacy policy for children, and another one for pets (okay, I made that last one up).
There is a right way to do it. Among all the organisations whose updated policies I’ve seen in recent days, the unlikeliest one came the closest to it — London’s recently renamed Kiln Theatre, which sent a policy change notification to my London-based editor. Its new privacy policy is, of course, another morass of legal verbiage — but it contains a handy table that lists the purposes for which data are collected and matches them with specific data types used.
That’s what I want to see from each of the data harvesters who want my personal information. A simple three-column table. First column: Purpose of data collection (for example: “To personalise ads” or “To enable academic research.”) Second column: Types of data collected or processed (for example, “Web browsing history” or “information about previous purchases provided by advertisers”). Third column: Consent (two checkboxes opposite every data type: “I agree” and “I object.”) In cases where the company considers consent obligatory for the service it provides — and only in those rare cases — checking the “object” box should result in a pop-up explaining why the company can’t live without this and providing a link to the local privacy watchdog’s complaint form.
First step
This would be true GDPR compliance — with the regulation’s spirit, not just its letter. But dealing with the consent part in an honest way would only be the first step. Companies then would have to live up to other requirements such as data portability (Facebook, for example, only allows you to download your contacts in text format, so you can’t really move your online friendships to another service).
I hope the EU objects to how its regulation is being applied, but somehow I doubt it: the lawyers who wrote the new policies know their job. It has little to do with earning trust and everything with minimising litigation. So, whether users feel cheated or not (I do), the new policies tell them that by continuing to use the services past 25 May, they consent to the rules as the lawyers rewrote them.
This is a business opportunity waiting for a classic disruptor. Honest GDPR compliance can be marketed. Can anyone get up the courage to do it? — (c) 2018 Bloomberg LP
