Challenges of Implementing Policy
I want to take a slightly different tack today. Some aspects of privacy are difficult to address in the real world, and I want to acknowledge some of the difficulties. I have two points.
First, consider the privacy notices that banks and other financial institutions sent out this year. Every one of you probably received a dozen or more of them. For the most part, the notices are long and incomprehensible. The privacy community, the press and Congress noted the shortcomings.
The Privacy Rights Clearinghouse in San Diego did some of the best work in tracking notices. The clearinghouse focused attention on the readability of the notices using several objective standards. The results were depressingly predictable.
Using one of the clearinghouse standards, a readability analysis found the average notice was written at a third- or fourth-year college reading level. That is way too hard for the average consumer, with too many words per sentence and too many uncommon words. You can find the results of the clearinghouse's review at its Web site, www.privacyrights.org, under financial privacy.
I accept the findings of the clearinghouse. Too often, lawyers wrote the privacy notices, and few lawyers are able or willing to write in clear, simple sentences. Congress also is at fault for the way in which it wrote the Gramm-Leach-Bliley law that mandated the notices. While we are passing out blame, let's acknowledge the agencies that wrote the regulations. The Federal Trade Commission and the banking agencies did little to simplify consumer notices. They did not standardize the disclosures. Every notice is different and more confusing than the last.
Here comes the balancing comment. As a veteran drafter of privacy notices for Web sites and others, I can testify to the difficulty of drafting simple, easy-to-understand notices. Privacy notices often discuss complex matters unfamiliar to the average consumer. Writing what is essentially a legal notice at a high school level is a challenge. Some privacy notices are necessarily long. They cannot always be written at the 10th-grade level.
Still, we need to do better. I wonder whether we should find ways to standardize parts of the notices. For example, if the banking notices summarized key points in a chart, perhaps more people would understand.
My second point comes from my experience in working on privacy for a multinational, information-intensive company. The company works at doing the right thing about privacy. It has privacy notices, a privacy officer and policies that protect the interests of data subjects.
One thing I learned from this company is that doing privacy in a large enterprise is a constant challenge. Drafting and coordinating privacy notices in different languages involves many offices, people and time zones. Keeping a dozen or more privacy notices current is not simple. While the same basic policies work in most countries, the notices must reflect each nationality. You cannot tell French customers to file complaints with the company's German privacy officer.
Another practical problem is getting the attention of the people who maintain the Web sites. Web sites change all the time. Coders and designers have plenty of work to do. Even at a company committed to privacy, the privacy officer must wait in the queue until the coders can put new privacy text in the company Web pages.
With so many things going on at once, the privacy officer functions like a juggler. Each aspect of the privacy operation needs attention. However, only so much time and so many resources are available. Coordinating things to keep privacy policies and operations current is nearly impossible. The bigger the enterprise, the tougher the challenge.
I had the same experience working with federal agencies on privacy. The bureaucratic aspects of both private companies and government agencies make it hard to proceed directly toward an objective. It is not surprising that federal agencies did not implement all of President Clinton's orders about privacy. Some things just take time even when you act in good faith.
So the message here is that while privacy may not be conceptually difficult, implementing the goals of privacy in the real world takes time and attention. Privacy is not exempt from the pressures and constraints of life. We need to consider this when setting deadlines and demanding accountability.
However, do not go away thinking that it is impossible to do things appropriately. For example, my word processor rates this column below the 10th-grade reading level. I worked hard to reach this result, but I did it. Good written materials for bank privacy also take effort. But better results are possible.