
Pretty well-written piece for an intro to this issue. Same issue with cookie acknowledgements. Some important quotes:

“These are documents created by lawyers, for lawyers. They were never created as a consumer tool,” Dr. King said.

"The BBC has an unusually readable privacy policy. It’s written in short, declarative sentences, using plain language. "

The BBC example shows that it is possible to write a readable policy, if a company cares to.



Agreed on all fronts.

> These are documents created by lawyers, for lawyers.

Except they bind normal consumers, not lawyers.

This is the law's version of the old software forum 'RTFM' dismissal when people asked technical questions.

It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people. If a normal consumer needs to consult a lawyer before they sign up for Facebook, something has gone horribly wrong.


> It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people.

I agree, but by extension this is also true for all laws and legal documents. The fact that the world still works with this situation (the laws which people are supposed to abide by are not really understandable to those same people) doesn't mean we don't have a problem to solve here.


> The fact that the world still works with this situation

Depends upon what you mean by works? We have clear favoritism, nepotism, racism, sexism, etc. in how the existing system works. It isn't complete anarchy, but by that standard the most Kafkaesque regimes still work.

I think we have massive room for improvements in both laws and contracts.


When reading your argument, I can't help but think about a stat a Polish journalist computed. At that point, reading the law at the pace it came out would take about four (or was it six) hours per day. That's assuming you read law as fast as prose and don't need to read the preexisting acts.


>> These are documents created by lawyers, for lawyers.

> Except they bind normal consumers, not lawyers.

> This is the law's version of the old software forum 'RTFM' dismissal when people asked technical questions.

Thanks for pointing this out.

> It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people. If a normal consumer needs to consult a lawyer before they sign up for Facebook, something has gone horribly wrong.

Here's my secret hope that articles like this will force the opinion - and courts - to realize that these documents are worthless and shouldn't protect any company that abuses customer data from lawsuits.

Also, for us Europeans, I still look forward to seeing consumer protection agencies here finally getting annoyed and starting to use their new GDPR claws.


It's to many for-profit companies' benefit that consumers not understand or read their privacy policies.


> These are documents created by lawyers, for lawyers. They were never created as a consumer tool

This, I think, is the core issue. The Privacy Policy is seen as the same type of thing as the Terms of Service. Of course, this begs the question of why does there need to be two different documents.

GDPR has pretty explicitly tried to reverse this. The Terms of Service can be as legal-y as you want, but there must be a plain-language Privacy Policy for the data subject. We'll see how much that happens in practice... the regulators probably have much bigger fish to fry than unclear PP documents, but a fine for a separate issue could include "no one could understand this, so it doesn't count" as a way to side-step technical loopholes.


More importantly, GDPR grants statutory rights that cannot be waived by a shrinkwrap agreement. Its only real weakness is that it does not grant a right of private enforcement, and national regulatory agencies are too understaffed to address even a small portion of abuses today.


> Its only real weakness is that it does not grant a right of private enforcement, and national regulatory agencies are too understaffed to address even a small portion of abuses today

Article 79, Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.


Non-waivable rights are pretty common in European law, both of member states as well as union law itself.


> "no one could understand this, so it doesn't count" as a way to side-step technical loopholes.

In fact, the GDPR explicitly says any declaration that isn't intelligible and using clear and plain language "shall not be binding". Which means the service doesn't actually have consent.


Companies that think of their Privacy Policy as a “Legal” or “Compliance” function will have their lawyers write it, and it will be incomprehensible to users. That’s Legal’s job: to write documents for judges and other lawyers to read.

I’d argue that companies should think of their privacy policy as not a legal document but as a product feature, and let product managers (or whoever is responsible for feature ideas) write them. The audience then would be the user and the wording would more likely be understandable. Most companies’ product teams are better equipped to articulate the benefits and trade-offs to end users.


The problem is when product managers use language that is understandable to most people but leaves a lot of loopholes and results in lawsuits.

Writing legal documents is a lot like writing code— you are trying to leave no room for ambiguity (or bugs), need to cover all the edge cases, and the code is inevitably at least as complex as the domain in which it operates.


Depends on your legal system. It doesn't have to be letter of the law, which is how the US operates, leading to abominations of phrasing like "damages including but not limited to foo, bar, baz" etc. In other jurisdictions, spirit of the law is good enough, so you can just write "damages" and something like a reasonable person test is applied.

Example: In the US, rent agreements can be dense, 30 page affairs and still be legally binding. In Europe or Australia, 5 pages or less usually suffices, and longer documents may simply be ruled unreasonable.


I think there should be a law that puts the burden of proof that the user understood the privacy policy on the company. This way the company would have an incentive to make it as easy to understand as possible and to ensure every user understands what they're doing -- otherwise, if any user sues them over a privacy breach, the company has a high risk of losing that lawsuit if the judge/jury determines it wasn't easy for the user to comprehend the privacy policy, as per the mentioned law.

GDPR sort of does this, but I think it's only half-way there.

It's always about incentives. Companies have all the incentives in the world to make the privacy policies as complicated and obfuscated as possible, while also putting in there that basically the user gives up all rights and data the moment they see the company's website, so that they remove any responsibility they might have otherwise.


I don't think most users want to spend any time understanding privacy policies. If you made people take a quiz showing they understand what they're getting into (like when getting a driver's license), user signups would go down dramatically.

Plus this would probably be considered free labor and/or discrimination, like some people complain about captchas.


I think the GDPR is quite good, just not actually being applied. In fact, I'd say most or all of these are plainly invalid, since they don't present the request for consent "in a manner which is clearly distinguishable from the other matters", and they don't allow consenting separately for each purpose.


Pretty well-written piece for an intro to this issue.

The graphic which shows the trajectory of the Google privacy policy is particularly effective.