Privacy policies are still far too long

The privacy policies of Facebook, Google, Apple and Twitter all exceed 4,000 words. Microsoft’s privacy overview runs to 3,000 words alone and each block of it can be expanded to give you yet more words, at least doubling the size of the overview.

This is simply ludicrous and completely at odds with what people really want to know about their privacy protection. Most people never read such policies and it’s at least partly because they’re just too damn long.

When you first visit a website you’ll often be faced with a pop-up box that asks you to confirm you’re happy to take cookies and/or agree to the site’s privacy policy. There’s generally a link to the policy itself but I’d guess fewer than 1% of people ever click on that link and read all the policies. In fact, I suspect it’s fewer than 0.1% of people who’ll read the policies.

It’s sometimes deliberately like this because sites want you to visit and they want you to give them complete freedom with your data so they can make money off it. They certainly don’t want to give you a clear way to opt out of anything at the outset. I’m not necessarily blaming sites for this — I’m just stating a fact.

What do people really need to know?

Random privacy policy image.

They don’t need to know that any data a site does store is held in encrypted format and will be protected with veracity. That should be a given and it should only be mentioned if that’s not the case.

I’d argue they don’t really need to now how or where data is stored because most people don’t care.

They don’t need to know a privacy policy complies with the law because that’s obviously another given.

They don’t need to know a site will collect and store personal details if you register with that site and enter such information (by which I mean your name, address, email etc.). You’ve entered it so of course it’s saved somewhere, although a brief reminder on a registration or contact form is probably in order.

They do need to know if a site is collecting information on the sly that you haven’t manually entered. They certainly need to know if a site is collecting IP addresses or storing cookies in non-anonymised format, which means you can be individually identified even if not by actual name.

They do need to know how long a site will keep any data it does collect.

Perhaps most importantly, they do need to know what a site will do with the data that has been collected. Will it be used to tailor advertising? Will it be sold or given to third parties?

They do need to know how they can delete any data that is held about them.

The thing is, users should really have to see and agree to this sort of stuff specifically. The current catch-all statement delivered by websites when you first visit just isn’t good enough. What it’s really saying is:

Do you agree we can do what we like or do you want to read our 4,000 word+ privacy policy and then trawl through more nonsense to try and find our opt-out switches?

The pop-up ‘consent’ should really contain all you need to know so you can supply your (informed) consent at the outset. I’d suggest that’s perfectly possible to do via a pop-up that’s smaller than a screen. Once you get to the crux of what people are concerned about, it can all be handled with maybe half a dozen short sentences with a yes/no tick box next to each.

This is not entirely the fault of the websites in question. The privacy laws themselves can often make the process over-complicated by placing too many complex demands on companies and website owners. It seems when we make something like privacy ‘better’, we also make it more complicated whereas I think we should instead be associating ‘better’ with ‘simpler’ in these matters.

The upshot is that I think a lot of the extra privacy protections governments are giving us just aren’t being utilised. People almost always just tick ‘Yes’ without reading anything further. It might be compliant with the letter of the law but that’s neither here nor there in my opinion. Privacy’s job should be to clearly and concisely inform users and give them simple upfront choices regarding their consents.

No privacy policies should ever be 4,000 words long. 400 words should be the absolute maximum (or thereabouts) and I think we’d all be better informed if the various national laws insisted on that.