Share/E-mail This Story

Email This



Proposed Law: Privacy Policies Must Be Less Than 100 Words (Says 336 Word Bill)

from the lawyers-are-not-good-at-being-brief dept

I've stated in the past, that the whole concept of "privacy policies" is a failed concept. No one reads them, those who do read them don't understand them, and most people incorrectly think that if you have a privacy policy, it means you keep information private. That's not the case. Since the only way you get into legal trouble is by violating your privacy policy, the incentives are totally screwed up: sites have the incentive to make their privacy policies as broad as possible, allowing them to do as much as possible. Since users think any privacy policy means they're safe, then the "ideal" privacy policy is one that says "we don't care about your privacy, we give away or sell all your data, and we laugh all the way to the bank" (more or less). The user thinks their data is secure, while the site has nothing to worry about since they won't "violate" the policy.

And, yet, politicians still seem to focus on privacy policies, as if they're a legitimate replacement for actually doing something to protect privacy. In pointing out how silly privacy policies are, a year ago, we noted that you'd need to take a month off from work each year to actually read all the privacy policies you encounter on a normal basis. It appears that California Assemblymember Ed Chau has a solution to all of this (as pointed out by Eric Goldman): just pass a law that requires all privacy policies to be less than 100 words. Seriously.
This bill would require the privacy policy to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.
While I'm all for having things like terms of service and privacy policies be more simplified, I still don't see how it's particularly useful to legislate this. Also, lawyers aren't exactly known for their ability to be pithy. Having worked on a couple of privacy policies with lawyers in the past, finding someone who can get such a policy under 100 words would be very, very tricky.

And, not to be snarky or anything, but the text of the law itself (removing the digest explanation and preamble) clocks in at 336 words. So... if your law saying that all privacy policies must be under 100 words can't be written in under 100 words, perhaps you've highlighted the problem with your own law.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    silverscarcat (profile), Feb 11th, 2013 @ 11:18am

    suddenly...

    A thought...

    "Mr. Website, come up to the front of the class and explain your privacy policy in under 100 words."

    "But, teacher, I can't do that."

    "Then you get an F, now go stand in the corner until lunch time."

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    Atkray (profile), Feb 11th, 2013 @ 11:47am

    Re: suddenly...

    You can't tell people they fail it might hurt their feelings.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    silverscarcat (profile), Feb 11th, 2013 @ 12:03pm

    Re: Re: suddenly...

    Bullshit.

    I got Fs in elementary school, Jr High and High School, all it did was motivate me to do better and learn from my mistakes.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 1:04pm

    Re: Re: Re: suddenly...

    I got an F once. And the F certainly didn't motivate me to improve. The threat of another belt across my ass is what motivated me. :)

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 1:05pm

    The problem with a 100 word limit being 336 is that our language has too many words. If we just remove 70% of the English language then this problem will be solved!

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Buster, Feb 11th, 2013 @ 1:10pm

    Re: Re: Re: Re: suddenly...

    Sounds like your parents and teachers are being bullies to you. Would like like to press charged?

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    VMax, Feb 11th, 2013 @ 1:14pm

    Re:

    Maybe we could just eliminate the letter "e".

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    PW (profile), Feb 11th, 2013 @ 1:14pm

    This clearly falls into the camp of "doing nothing is better than doing something" ;)

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Buster, Feb 11th, 2013 @ 1:15pm

    I'd understnd somewhere between 300 and 500 words, but 100? I figured at best, 200. That's just insane.

    I can see it now "No your stuff isn't private. Yes we will sell your email and pictures, but you'll still use us and hate that you love the experience"
    OR count on companies creating some new very creative words.

    Hmm 68 word comment. This might not be so bad.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 1:19pm

    change the format

    like on an Android app, or a menu at some restaurants - have a check-box type of system, and show the necessary items. Only allow one "other" and 100 words on that.

    [ ] - we will respect your privacy
    [ ] - we will encrypt your password using a quality password tactic (bcrypt, etc)
    [x] - we will hash your password using MD5
    [x] - we will silently gather all of the data on your device
    [x] - we will store all of your data in secret
    [x] - we are allowed to sell your data to others for you
    [ ] - other: ___

     

    reply to this | link to this | view in thread ]

  11.  
    icon
    jupiterkansas (profile), Feb 11th, 2013 @ 1:23pm

    I'd rather have privacy policies that are standardized and every business must follow, but I fear that would get so complex so fast that nobody but lawyers would understand what they are.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 1:26pm

    I've always had a rule of thumb. If the privacy policy is more than one page it tells me they need some fine print to hide whatever it is they are worried about. Don't have to read a privacy policy to figure that out.

    Privacy policies aren't about your privacy. What you think privacy means aren't what businesses think it means. You think it means to protect your data. Businesses think it's a way to justify invading that data.

    If they can't just come out in a couple of sentences to say they don't use your data then that pretty much says it all.

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    WDS (profile), Feb 11th, 2013 @ 1:28pm

    100 Words?????

    This is a fairly short Techdirt post. I was going to show how unrealistic the law was by counting the words in the post, but when I got to 156 in the first paragraph I changed my mind.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 1:29pm

    Sorry Mike, this article cannot pass. It is 376 words long, not counting the headline and the exerpt. You have to remove 276 words for it to be within the limits of this law.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Drew, Feb 11th, 2013 @ 1:38pm

    Re: Re:

    Mr. Burns: All right, let's make this sporting, Leonard. If you can tell me why I shouldn't fire you without using the letter "e," you can keep your job.
    Lenny: Uh, okay. I'm a good... work... guy...
    Mr. Burns: You're fired.
    Lenny: But I didn't say it.
    Mr. Burns: You will.
    [He pulls a lever, dropping Lenny down a trapdoor]
    Lenny: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    gorehound (profile), Feb 11th, 2013 @ 1:51pm

    Another lying Hypocritical Politician.

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    McCrea (profile), Feb 11th, 2013 @ 2:11pm

    That bill does not define nor reference how to count words. Excessive litigation will result.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 2:17pm

    Maybe laws should be treated this way

    Why can't we have laws that have a word limit (100 might be a tad low but maybe we could set a page limit and font size)? Why aren't laws crafted so that the average person of an 8th grade reading level can comprehend them? Because they couldn't hide shit in them, that's why. And that's why they can't do that to privacy policies. People will understand what is being done, assuming they actually look over it.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    ShellMG, Feb 11th, 2013 @ 3:18pm

    C'mon, we're talking about lawyers.

    They could get the word limit down to 100, but there would be a series of increasing "*'s" at the end of each sentence, pointing to an Addendum with several subsections.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 3:51pm

    Re:

    I think it is even more likely that you get junk laws with extremely broad categories for who and what the law covers! Interestingly exceptions would be too space-consuming, so it could actually serve as a good formula for reducing the number of pages in the laws, to start with finding the formulation needing the fewest exceptions.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Cowherd, Feb 11th, 2013 @ 4:16pm

    "we don't care about your privacy, we give away or sell all your data, and we laugh all the way to the bank"


    It's under 100 words. If that's what privacy policies boil down to, corporate lawyers shouldn't be allowed to conceal it under 50 pages of legalese.

    Maybe a word-count is a ludicrously precise limitation, but some kind of rules are needed to avoid the walls of text nobody reads.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 4:24pm

    Wellwhatitwouldreallydoisresultinlongsentencesofwordsstrungtogetherwithoutanyspacesorotherdiscrenabl ebreaksinthewordsthuscreatingaprivacypolicythatconformstothelawbybeing1longmessedupword.

    And everyone would have copyright on their 'creative one word' privacy policy... but I'm sure that's not what will happen

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 4:25pm

    That might just run afoul of the first amendment. But since that's never stopped the government before...

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 4:28pm

    Re: Re: Re: suddenly...

    I got Fs all the way through school too. And I didn't give an F.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 5:10pm

    New privacy policy: "Fuck You"

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Feb 11th, 2013 @ 5:14pm

    And the winner is:

    We will not sell your data to anyone. (1)



    In the fine print "exceptions" which are not part of the "policy" and limited to 100 words:

    1: We will sell the data to partners with similar policies, otherwise, we just give it to everyone.

    And the other 10k words of exceptions, limitations and other footnotes which just move the BS out of the 100 word limit.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    G Thompson (profile), Feb 11th, 2013 @ 9:26pm

    Plain Language is more useful

    Wouldn't it be easier to mandate that all contractual terms, policies and other legal devices by private companies be actually written in Plain English (Language) not unlike your Plain Writing Act (Federal) instead of mandating 100 words or less which will result in more legalese and latin

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    F!, Feb 12th, 2013 @ 1:54am

    follow the license model

    I like what G Thompson says above about plain language. Certainly a great place to start.

    I'd take it a step further - Follow the CC model of licenses, so that you can take one quick glance and know how your data will be used/abused. Also requirements for opt-in on all cases. For example:

    Privacy-Complete: We will never store your data and/or use it for any reason except account management.
    Privacy-1st Party: We will store your data and use it to contact you, this may or may not include opt-in/out promotions from us.
    Privacy-3rd Paty/Commercial: We will use your data however we wish and you can't do squat about it, crybaby.

    Might be some more distinct variations possible on this, but you get the idea.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    RyanNerd, Feb 12th, 2013 @ 5:41am

    Re:

    Too late.

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    btrussell (profile), Feb 12th, 2013 @ 5:42am

    Re: Re: Re: Re: suddenly...

    Eh!

     

    reply to this | link to this | view in thread ]

  31.  
    icon
    RyanNerd (profile), Feb 12th, 2013 @ 5:58am

    There is no such thing as plain language

    When a corporation can be sued for not following their privacy policy there will be no 'plain language' policy.
    Also, who will be the judge of if a policy is 'plain language'?
    Who will enforce that the policy is 'plain language'?
    who will decide what words are acceptable for plain language?

    Sounds to me like you will need to set up judicial, executive and legislative entities to ensure how "Plain Language" is decided, judged and enforced.

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Jasmine Charter, Feb 12th, 2013 @ 6:18am

    My Privacy Policy

    "I will take any data you give me and do whatever the heck I want with it, but I'll try not to be an arse about it. Thanks for visiting my site. I would give you more details, but the law currently prohibits me from going into details. Cheers!"

     

    reply to this | link to this | view in thread ]

  33.  
    icon
    dennis deems (profile), Feb 12th, 2013 @ 7:04am

    Re: Plain Language is more useful

    It does say "eighth grade reading level", but everyone's having so much fun with the number 100 that they didn't notice.

     

    reply to this | link to this | view in thread ]

  34.  
    icon
    dennis deems (profile), Feb 12th, 2013 @ 7:08am

    100 words

    It's just as easy to get these things right. The bill doesn't say "less than" or "under" 100 words. It says no more than. Honestly I don't understand why people find the idea so hilarious. If 100 words are insufficient to tell me what you plan to do with my data, then maybe you don't need my data.

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Jason, Feb 12th, 2013 @ 7:36am

    Re: 100 words

    Yes exactly! Thank you for not being an idiot like some others commenting on here...or the person that wrote the article. How does it change the fact that privacy policies should be under 100 words just because the actual law is over 300? There is no reason for the law to follow the same standards, especially since that one law should cover as many loopholes and exceptions as it can to further prevent companies from abusing privacy policies

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    Anonymous Coward, Feb 12th, 2013 @ 10:52am

    33 words

    "Effective upon the signing of this bill into law, any privacy policy to apply within the United States will be not more than 100 words in length, else it is null and void."

     

    reply to this | link to this | view in thread ]

  37.  
    identicon
    Anonymous Coward, Feb 12th, 2013 @ 11:01am

    What about a limit on the length of a bill

    I think there should be a reasonable limit on the length of a bill in congress. Maybe 10 pages? 100? Certainly something shorter than the Obamacare text, which is quoted as being anywhere from 900 to 2700 pages long. If you can't tell me for sure how long it is, it's too long.

    336 words is still shockingly short, and I think this is a step in the right direction, but congress needs to work on policing themselves before they start throwing arbitrary limits at other people.

     

    reply to this | link to this | view in thread ]

  38.  
    identicon
    John, Feb 12th, 2013 @ 11:30am

    Unprivacy policies

    Most are basically "You have none. We can do what we want. Sue us but you won't win." which can easily be done in 100 words.

    An actual privacy policy would show the ways in which your information WON'T be used. That is privacy, not the ways it can be used!

    The law should maybe call them "Unprivacy Policies".

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This