Searching for the Holy Grail of Privacy Notices
The 1999 Gramm-Leach-Bliley financial modernization law required banks and other financial institutions to send consumers privacy notices. Ever since, a debate has raged over the content and effectiveness of the notices.
Everyone seems to agree that GLB notices were legalistic, unreadable and ineffective. The search has been on for a better way to communicate privacy policies and options to consumers. This is the privacy equivalent of the search for the Holy Grail. I don't think anyone disagrees that a short, understandable notice would be a good thing.
Emerging as a leading idea is a short notice that serves as a front end to a longer notice. A standardized short notice would tell consumers in simple language what they really want to know. Food labels are a commonly cited model.
An effort from the business community is spearheaded by Marty Abrams from the Center for Information Policy Leadership at Hunton & Williams. You can learn more at www.hunton.com/info_policy/annual_reports/CPOSolutions40.pdf.
There also is an informal effort by some consumer and privacy organizations and some academics to think about alternative approaches to a short notice. I am involved with that effort, which is led by the Center for Democracy and Technology at www.cdt.org.
Abrams is a longtime and knowledgeable player on privacy from the business side. His project is well-intentioned, but it has shortcomings.
My first problem is that the Abrams project is one-sided. Only those companies that financially support the effort have a say. No one from the consumer or privacy community is directly involved. The lack of consumer participation undermines the credibility of the proposal and, especially, the research on which it is based.
Over the years, we have seen several business-only privacy projects come and go, failing in part because the activities were one-sided and without broad-based support. To develop a consensus about short notices, all sides need to be represented. Otherwise, we are merely opening new fronts in the privacy wars rather than converging on a broadly acceptable solution.
A second problem is that the Abrams project includes a still-undefined liability exemption for short notices. It is apparent that a short notice cannot include everything that belongs in a long notice. If a liability waiver is a core element of short notices, I worry that notice writers will use the opportunity to misrepresent their practices and not be accountable. Anyone who writes a short notice must take responsibility for it.
A third problem involves the substance of the notice itself. It admittedly is hard to boil down the essentials of a privacy notice into one page or one screen. However, if we are going to have short notices, it is imperative that they be express. My biggest concern is that a short notice will continue the use of hoary, misleading statements like: "We only share your information with other fine companies who will offer you products and services that will interest you."
If we are going to have a short notice, it needs to tell people what they really want to know. It cannot rely on copywritten puffery designed to obscure what happens to personal information. Here are examples of what a short notice might tell consumers:
· We will send you advertising mail.
· We will send you electronic mail.
· We will call you on the telephone to sell you products and services.
· We will send your information to cooperative databases to be shared with other marketers.
· We will install spyware on your PC.
How to frame the statements and the answers needs work. In some instances, there might be YES/NO boxes. In other cases, the boxes might be marked WITH CONSENT/WITHOUT CONSENT. There might be a range of answers to some questions, such as "We give you access to ALL, SOME, NONE of the information that we maintain about you."
Another element of a short-notice project is attention to long notices. Because not everything will fit in a short notice, the long notice needs to be more express and more detailed. For example, a long notice could include a full list of the categories of personal information collected from the consumer or from other sources. This might include address, e-mail address, phone number, Social Security number, financial account number, types of products/services bought or looked at, age, gender, marital status, income level, home ownership, etc. More details belong in long notices.
I have a general test for determining whether a short notice is adequate. Whether people read only the short notice or whether they read only the long notice, they should walk away about as reassured or as outraged in each case. The necessary incompleteness of short notices cannot be used to hide obnoxious privacy practices.
Everyone I know likes the idea of a short privacy notice. It remains to be seen whether agreement can be reached on anything else about a short notice. Rumor has it that several federal agencies, including the Federal Trade Commission, will hold a rulemaking on short notices, so we may find out soon whether any agreement exists on this front.