Examination Of Privacy Policies Shows A Few Troubling Trends

A superficial comparison of privacy policies around the web by privacy service company TRUSTe has produced a few interesting statistics. Of course the most interesting bits are usually buried deep in the agreements and authorize things like the use of your child’s likeness for doll faces. Nothing sinister like that was discovered, but the standout stats should cause a bit of head-shaking.

Only 2% of sites have a mobile-optimized privacy policy, for instance. There are surely separate considerations to be made when, say, your location can be determined from your access point or IP address, and separate protections that need to be acknowledged because your data may not be as well secured on a mobile device. Granted, many of these sites reach mobile users through native apps instead of the mobile web, but still, 2% is a number that should be raised.

Only 7% of sites explain how long they store your data (and, presumably, what data is stored), and only 32% tell you how to go about deleting your account and data for good. This information is probably available on request, but it seems a natural fit for the privacy policy itself. Just as Android apps must declare what data and device features they need access to (Carrier IQ excepted, of course), shouldn't websites declare what data they'll access, record, store locally, and so on?

And of course there's the length of the policies, which, like the average EULA, exceeds the attention span of the average internet-goer by orders of magnitude. TRUSTe found the average length was 2,464 words. That's 200 words longer than my rant against SOPA, though to be fair the privacy policies are probably a lot more fun to read.

It's not a new or original suggestion, but we really do need to take these enormous documents and reduce them to something intelligible to the average user. The analogous real-world situation, say a building with a 2,500-word code of conduct posted in small type near the door, would hardly stand up in court, even though people are of course expected to follow simple posted rules like "No Smoking" or "Employees must wash hands before leaving restroom."

Can a privacy policy or EULA really be boiled down to that size? Some do already, of course. I’ve seen policies as short as a few sentences. Hopefully we will see some precedents set over the next few years that discourage the impenetrable documents we sign so frequently and ensure a standard level of legibility.

You can download the full infographic here (PDF).