Proposed Law: Privacy Policies Must Be Less Than 100 Words (Says 336 Word Bill)
from the lawyers-are-not-good-at-being-brief dept
I’ve stated in the past, that the whole concept of “privacy policies” is a failed concept. No one reads them, those who do read them don’t understand them, and most people incorrectly think that if you have a privacy policy, it means you keep information private. That’s not the case. Since the only way you get into legal trouble is by violating your privacy policy, the incentives are totally screwed up: sites have the incentive to make their privacy policies as broad as possible, allowing them to do as much as possible. Since users think any privacy policy means they’re safe, then the “ideal” privacy policy is one that says “we don’t care about your privacy, we give away or sell all your data, and we laugh all the way to the bank” (more or less). The user thinks their data is secure, while the site has nothing to worry about since they won’t “violate” the policy.
And, yet, politicians still seem to focus on privacy policies, as if they’re a legitimate replacement for actually doing something to protect privacy. In pointing out how silly privacy policies are, a year ago, we noted that you’d need to take a month off from work each year to actually read all the privacy policies you encounter on a normal basis. It appears that California Assemblymember Ed Chau has a solution to all of this (as pointed out by Eric Goldman): just pass a law that requires all privacy policies to be less than 100 words. Seriously.
This bill would require the privacy policy to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.
While I’m all for having things like terms of service and privacy policies be more simplified, I still don’t see how it’s particularly useful to legislate this. Also, lawyers aren’t exactly known for their ability to be pithy. Having worked on a couple of privacy policies with lawyers in the past, finding someone who can get such a policy under 100 words would be very, very tricky.
And, not to be snarky or anything, but the text of the law itself (removing the digest explanation and preamble) clocks in at 336 words. So… if your law saying that all privacy policies must be under 100 words can’t be written in under 100 words, perhaps you’ve highlighted the problem with your own law.
Filed Under: 100 words, california, privacy, privacy policies
Comments on “Proposed Law: Privacy Policies Must Be Less Than 100 Words (Says 336 Word Bill)”
suddenly...
A thought…
“Mr. Website, come up to the front of the class and explain your privacy policy in under 100 words.”
“But, teacher, I can’t do that.”
“Then you get an F, now go stand in the corner until lunch time.”
Re: suddenly...
You can’t tell people they fail it might hurt their feelings.
Re: Re: suddenly...
Bullshit.
I got Fs in elementary school, Jr High and High School, all it did was motivate me to do better and learn from my mistakes.
Re: Re: Re: suddenly...
I got an F once. And the F certainly didn’t motivate me to improve. The threat of another belt across my ass is what motivated me. 🙂
Re: Re: Re:2 suddenly...
Sounds like your parents and teachers are being bullies to you. Would like like to press charged?
Re: Re: Re: suddenly...
I got Fs all the way through school too. And I didn’t give an F.
Re: Re: Re:2 suddenly...
Eh!
The problem with a 100 word limit being 336 is that our language has too many words. If we just remove 70% of the English language then this problem will be solved!
Re: Re:
Maybe we could just eliminate the letter “e”.
Re: Re: Re:
Mr. Burns: All right, let’s make this sporting, Leonard. If you can tell me why I shouldn’t fire you without using the letter “e,” you can keep your job.
Lenny: Uh, okay. I’m a good… work… guy…
Mr. Burns: You’re fired.
Lenny: But I didn’t say it.
Mr. Burns: You will.
[He pulls a lever, dropping Lenny down a trapdoor]
Lenny: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.
This clearly falls into the camp of “doing nothing is better than doing something” 😉
I’d understnd somewhere between 300 and 500 words, but 100? I figured at best, 200. That’s just insane.
I can see it now “No your stuff isn’t private. Yes we will sell your email and pictures, but you’ll still use us and hate that you love the experience”
OR count on companies creating some new very creative words.
Hmm 68 word comment. This might not be so bad.
change the format
like on an Android app, or a menu at some restaurants – have a check-box type of system, and show the necessary items. Only allow one “other” and 100 words on that.
[ ] – we will respect your privacy
[ ] – we will encrypt your password using a quality password tactic (bcrypt, etc)
[x] – we will hash your password using MD5
[x] – we will silently gather all of the data on your device
[x] – we will store all of your data in secret
[x] – we are allowed to sell your data to others for you
[ ] – other: ___
I’d rather have privacy policies that are standardized and every business must follow, but I fear that would get so complex so fast that nobody but lawyers would understand what they are.
Re: Re:
Too late.
I’ve always had a rule of thumb. If the privacy policy is more than one page it tells me they need some fine print to hide whatever it is they are worried about. Don’t have to read a privacy policy to figure that out.
Privacy policies aren’t about your privacy. What you think privacy means aren’t what businesses think it means. You think it means to protect your data. Businesses think it’s a way to justify invading that data.
If they can’t just come out in a couple of sentences to say they don’t use your data then that pretty much says it all.
100 Words?????
This is a fairly short Techdirt post. I was going to show how unrealistic the law was by counting the words in the post, but when I got to 156 in the first paragraph I changed my mind.
Sorry Mike, this article cannot pass. It is 376 words long, not counting the headline and the exerpt. You have to remove 276 words for it to be within the limits of this law.
Another lying Hypocritical Politician.
That bill does not define nor reference how to count words. Excessive litigation will result.
Maybe laws should be treated this way
Why can’t we have laws that have a word limit (100 might be a tad low but maybe we could set a page limit and font size)? Why aren’t laws crafted so that the average person of an 8th grade reading level can comprehend them? Because they couldn’t hide shit in them, that’s why. And that’s why they can’t do that to privacy policies. People will understand what is being done, assuming they actually look over it.
C’mon, we’re talking about lawyers.
They could get the word limit down to 100, but there would be a series of increasing “*’s” at the end of each sentence, pointing to an Addendum with several subsections.
Re: Re:
I think it is even more likely that you get junk laws with extremely broad categories for who and what the law covers! Interestingly exceptions would be too space-consuming, so it could actually serve as a good formula for reducing the number of pages in the laws, to start with finding the formulation needing the fewest exceptions.
It’s under 100 words. If that’s what privacy policies boil down to, corporate lawyers shouldn’t be allowed to conceal it under 50 pages of legalese.
Maybe a word-count is a ludicrously precise limitation, but some kind of rules are needed to avoid the walls of text nobody reads.
Wellwhatitwouldreallydoisresultinlongsentencesofwordsstrungtogetherwithoutanyspacesorotherdiscrenablebreaksinthewordsthuscreatingaprivacypolicythatconformstothelawbybeing1longmessedupword.
And everyone would have copyright on their ‘creative one word’ privacy policy… but I’m sure that’s not what will happen
That might just run afoul of the first amendment. But since that’s never stopped the government before…
New privacy policy: “Fuck You”
And the winner is:
We will not sell your data to anyone. (1)
In the fine print “exceptions” which are not part of the “policy” and limited to 100 words:
1: We will sell the data to partners with similar policies, otherwise, we just give it to everyone.
And the other 10k words of exceptions, limitations and other footnotes which just move the BS out of the 100 word limit.
Plain Language is more useful
Wouldn’t it be easier to mandate that all contractual terms, policies and other legal devices by private companies be actually written in Plain English (Language) not unlike your Plain Writing Act (Federal) instead of mandating 100 words or less which will result in more legalese and latin
Re: Plain Language is more useful
It does say “eighth grade reading level”, but everyone’s having so much fun with the number 100 that they didn’t notice.
follow the license model
I like what G Thompson says above about plain language. Certainly a great place to start.
I’d take it a step further – Follow the CC model of licenses, so that you can take one quick glance and know how your data will be used/abused. Also requirements for opt-in on all cases. For example:
Privacy-Complete: We will never store your data and/or use it for any reason except account management.
Privacy-1st Party: We will store your data and use it to contact you, this may or may not include opt-in/out promotions from us.
Privacy-3rd Paty/Commercial: We will use your data however we wish and you can’t do squat about it, crybaby.
Might be some more distinct variations possible on this, but you get the idea.
There is no such thing as plain language
When a corporation can be sued for not following their privacy policy there will be no ‘plain language’ policy.
Also, who will be the judge of if a policy is ‘plain language’?
Who will enforce that the policy is ‘plain language’?
who will decide what words are acceptable for plain language?
Sounds to me like you will need to set up judicial, executive and legislative entities to ensure how “Plain Language” is decided, judged and enforced.
My Privacy Policy
“I will take any data you give me and do whatever the heck I want with it, but I’ll try not to be an arse about it. Thanks for visiting my site. I would give you more details, but the law currently prohibits me from going into details. Cheers!”
100 words
It’s just as easy to get these things right. The bill doesn’t say “less than” or “under” 100 words. It says no more than. Honestly I don’t understand why people find the idea so hilarious. If 100 words are insufficient to tell me what you plan to do with my data, then maybe you don’t need my data.
Re: 100 words
Yes exactly! Thank you for not being an idiot like some others commenting on here…or the person that wrote the article. How does it change the fact that privacy policies should be under 100 words just because the actual law is over 300? There is no reason for the law to follow the same standards, especially since that one law should cover as many loopholes and exceptions as it can to further prevent companies from abusing privacy policies
33 words
“Effective upon the signing of this bill into law, any privacy policy to apply within the United States will be not more than 100 words in length, else it is null and void.”
What about a limit on the length of a bill
I think there should be a reasonable limit on the length of a bill in congress. Maybe 10 pages? 100? Certainly something shorter than the Obamacare text, which is quoted as being anywhere from 900 to 2700 pages long. If you can’t tell me for sure how long it is, it’s too long.
336 words is still shockingly short, and I think this is a step in the right direction, but congress needs to work on policing themselves before they start throwing arbitrary limits at other people.
Unprivacy policies
Most are basically “You have none. We can do what we want. Sue us but you won’t win.” which can easily be done in 100 words.
An actual privacy policy would show the ways in which your information WON’T be used. That is privacy, not the ways it can be used!
The law should maybe call them “Unprivacy Policies”.