You Can Retire the Phrase ‘Privacy Policy’

People assume it means their information will be kept private. Nothing could be further from the truth.

By Joseph Turow  |  Aug. 20, 2018

True or false:

“When a website has a privacy policy, it means the site will not share my information with other websites or companies without my permission.”

According to my research — a nationally representative phone survey conducted in January and February — a majority of Americans think this is true.

It isn’t. Not even close.

Over the past 15 years, I’ve conducted six national surveys with colleagues about how people see and think about their privacy in both the online and offline worlds. In each survey we’ve included a statement roughly like the one above. The picture is consistent: When people see the phrase “privacy policy,” most assume their information is kept private.

It’s a misleading label. In reality, these policies explain how companies will use your information — because they are using it.Related image

To be clear, it is lawful — and common — for websites to trade most types of information about us without asking. The reason “privacy policy” is a ubiquitous phrase is that since 1998, the Federal Trade Commission has strongly suggested that all websites (and, later, all apps) include a disclosure about what they do with visitor data and what choices visitors have regarding those uses. What lies behind these links is a cavalcade of disclosures of how businesses across the internet track us, target us and trade our information.

To be clear, it is lawful — and common — for websites to trade most types of information about us without asking. The reason “privacy policy” is a ubiquitous phrase is that since 1998, the Federal Trade Commission has strongly suggested that all websites (and, later, all apps) include a disclosure about what they do with visitor data and what choices visitors have regarding those uses. What lies behind these links is a cavalcade of disclosures of how businesses across the internet track us, target us and trade our information.

Consider Target’s privacy policy, which is perfectly legal and not at all unusual. Target collects data about you across its website and app, in addition to knowing what you buy. It uses the information for its own marketing purposes. It also allows “third-party companies” to collect “certain information when you visit our websites or use our mobile applications.” In other words, it can share the data it collects with just about anyone.

But Target is not just profiling you based on how you shop with Target. It may also collect what you say on any blogs, chat rooms and social networks you use, and it may obtain “demographic and other information” about you from “third parties.”

You have to assume that Target can purchase any known information about you held by any other company. Not even your body is off limits — cameras in some stores “may use biometrics, including facial recognition,” for theft prevention and security.

Our surveys consistently show that Americans dislike being tracked. Why, then, aren’t Americans more angry and opposed to how often and extensively businesses track them?

One reason: Most Americans don’t read privacy policies, and so they aren’t aware of what is going on.

The words “privacy policy” may well be a big part of the problem. The very fact that a company seems to have a policy on privacy gives consumers a false belief that the company won’t share their information without permission — a reason not to click and learn more.

In addition to the “privacy policy” label defusing public anger against commercial surveillance, it may also distract people from the need for effective privacy laws. Two of our surveys asked people whether they agreed or disagreed that “existing laws and organizational practices provide a reasonable level of protection for consumer privacy today.”

We found that among people who understood the “privacy policy” label’s correct meaning, a majority thought privacy laws needed to be stronger. By contrast, among those who misunderstood what “privacy policy” means, a majority saw no need for organizational and legislative changes in the service of privacy.

It’s hard to avoid the conclusion that the term “privacy policy” benefits data collectors over the public. The label’s phrasing was not a result of research or agency deliberation. In fact, back in 1998 the F.T.C. used the phrase “information practice statement” for the data-disclosure document it wanted. It didn’t take hold, possibly because companies realized that “privacy policy” embodied the ambiguity they wanted.

Fifteen years of research consistently shows that the label is deceptive — depending on the survey, between 54 percent and 73 percent of Americans assume companies won’t share their information without permission.

One solution would be for the F.T.C., which is mandated to police deceptive corporate practices, to rule that only sites and apps that don’t share people’s information without their permission can use that phrase. Otherwise, they should use a more accurate label, such as “how we use your information.”

Companies don’t want people to realize how extensively they use our information and are likely to object to this new, clearer phrasing. Yet it is a struggle worth pursuing in the interest of creating transparency around the name of a document that has been mistitled and misunderstood since its inception.

Joseph Turow is a professor of communication at the Annenberg School for Communication at the University of Pennsylvania.   View article>

11
Leave a Reply

Your name and email are not required to comment.

avatar
5 Comment threads
6 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
0 Comment authors
Recent comment authors
  Subscribe  
newest oldest
Notify of
Anonymous
Guest
Anonymous

Everyone’s info is already compromised. The internet is miraculous and totally awesome! Most people don’t realize how much data collection is going on every day- for years now. Mostly it’s to market products /services. USA consumers… Facebook has been free to all users since it’s origin. Gotta monetize someway… data collection pays. I’ve felt creeped out basically everyday since maybe 2008 every time I looked at any webpage on my iPhone. Heck, since trump won I’m am more than a little scared to read anything or sign potions against him because I don’t want to be on a “list”. But… Read more »

Sandra T.
Guest
Sandra T.

To Annonymous- “It’s too bad rvsd has to resort to a better checks and balances program. But that is what occurs when there are lies and deceit.” Aren’t you a little cavalier in your claim of lies and deceit? Some proof would be in order here, that is if you had any. “…the charter people are so bitter and angry…” Once again a weak and silly remark that possibly says more about the stand element than the Charter folks. In light of your “…Most people don’t realize how much data collection is going on every day…” unnecessarily condescending statement, you… Read more »

Perry D.
Guest
Perry D.

I can’t speak for RVC but I know why I’m worried about data mining and third party use of my family information. When we register and the info goes to the district I’d like it to stay at the district.

Anonymous
Guest
Anonymous

I just finished the online registration for rvsd. It was a breeze. Didn’t feel nefarious at all. Did all the paperwork for emergency contact, hospital preference, residency verification and dental/ medical insurance. Took maybe 10 minutes.

Anonymous
Guest
Anonymous

Do you own your own home? Are you a US or naturalized citizen? Live in same household as your children’s other parent?

-Editor
Guest
-Editor

Read the article again, It’s not about the questions, it’s about who’s doing the collecting and what they do with the information. If your not concerned, great, but don’t presume everyone should be comfortable on your say so.

Anonymous
Guest
Anonymous

I just recently became an American citizen and was renting. I went to community college. I had no qualms giving my information. I needed to be a resident of that city – and I was.

-Editor
Guest
-Editor

I think you missed the point of the article. It’s not about collecting residence information, it’s about who is doing the collecting and their reputation.

Anonymous
Guest
Anonymous

Own a computer, smartphone or tablet? Already your data is collected. Not sure about chrome books. The Thomson Reuters clear connection is only using already collected data from their extensive handle of everyone’s “digital footprint “ If you reside within San Anselmo and fairfax and are attesting to that there is no problem. Don’t need to be a rich home owner or anything else but your bills, car registration, whatever ..will show district residency. No big deal. The service is good to root out false residency. The charter is not helping theirselves “if” they are promoting false residents. If everyone… Read more »

Anonymous
Guest
Anonymous

RVC’s in-district students are legit. They live in FX/SA and would be eligible to go to district schools if they didn’t choose RVC. Lots of paperwork and proof of residency was submitted last year to document it. (The district required RVC families to submit more documentation than their own families last year.) StanDistrict can’t believe that local residents are choosing to send their kids to RVC, despite the fact that these folks have proven that they live in-district. So the district’s response is to make it even more difficult to prove residency–not just for RVC families, but for all district… Read more »

Lisa C
Guest
Lisa C

I guess the NEA (National Education Association) is “biased” also about the deleterious impact of intentional or unintentional barriers. http://neatoday.org/2016/04/22/undocumented-students-public-schools/