Privacy Policies

Purpose

The main purpose of a privacy policy is to inform a consumer about what kind of information may be collected from them and how this information may be used. In its 1998 report to Congress on online privacy, the Federal Trade Commission outlined four things that generally need to be done to ensure that companies follow the principle of fair information practice (the following points are quoted from [FTC Privacy Report to Congress]; all emphasis in original):

  1. Consumers need to be given notice of an entity's information practices
  2. Consumers need to be given choice with respect to the use and dissemination of information collected from or about them
  3. Consumers need to be given access to information about them collected and stored by an entity
  4. The data collector needs to take appropriate steps to ensure the security and integrity of any information collected

Privacy policies aim to address the first requirement by informing consumers of the information practices that are followed by the entity.

Importance

Privacy policies are important because they are usually the only way for users to be informed about what information a site collects and how that information may be used. As more and more important services move online every day, it is increasingly important for consumers to be aware of how the information they provide to a site might be used. For example, if a consumer uses an online service to make travel reservations, they must provide a great deal of personal information, including their name, email address, physical contact information and credit card number. Without a privacy policy, a consumer would have no idea (and practically no guarantees) regarding how this data will be used -- presumably, it could be sold or transferred to a third party without the knowledge of the consumer, which many people would find disturbing. Privacy policies inform users of what information will be collected about them and how it will be used. Consumers can hold the companies accountable if they are found to have violated the terms of their privacy agreements. For example, in September 2003, a group of passengers was able to file a lawsuit against JetBlue Airways for violating their own privacy policy by passing on information they collected from their passengers to a Defense Department contractor.

Existence

Results of recent studies indicate that many of the most popular web sites do provide privacy policies and that web sites are moving towards being more responsible with information. In 1998, a survey of over 1,400 web sites revealed that upwards of 85% of them collected personal information from consumers, while only 14% provided any notice about their information practices, and only about 2% provided a comprehensive privacy policy. [FTC Privacy Report to Congress] However, a study conducted in 2002 found that only 74% of sites collected personal identifying information from consumers and that, of those sites, 87% had at least one privacy disclosure while 73% provided a privacy policy. [Progress and Freedom Foundation] The 2002 report stated that its observations indicated that online privacy had improved in every measure since the previous report in 2000 -- web sites were collecting less personal information, making privacy notices more prevalent, prominent and complete, giving consumers more opportunities to choose how their personal information is used, and more of them were offering opt-in options rather than opt-out ones. [Progress and Freedom Foundation]

Accessibility

The fact that a web site has a privacy policy is not enough to guarantee that it is useful to consumers -- the privacy policy must also be easily accessible. By this, we mean that it should be easy for a consumer to locate the company's privacy policy and that the policy should be written in such a way that the average consumer can reasonably be expected to understand what it means. Currently, most Internet sites seem to be doing a good job of making privacy policies easy to find -- one study found that 94% of sites that provided a privacy policy had a link to it directly on their homepage. [JP] This is a good trend and indicates that most sites recognize the importance of making it easy for their customers to access the privacy policy. However, the readability of these policies is another story entirely. A study of online privacy policies concluded that most of them were written at a level beyond the comprehension of most of their readers:

"Of the 64 policies examined, only four (6%) were accessible to the 28.3% of the Internet population with less than or equal to a high school education. Thirty-five policies (54%) were beyond the grasp of 56.6% of the Internet population, requiring the equivalent of more than fourteen years of education. Eight policies (13%) were beyond the grasp of 85.4% of the Internet population, requiring a postgraduate education. Overall, a large segment of the population can only reasonably be expected to understand a small fragment of the policies posted." [JP]

This report is not alone in claiming that privacy policies are hard for the average user to understand -- U.S. Federal Trade Commissioner Sheila Anthony commented, "many privacy policies are beginning to look like complex legal documents that do not give consumers real choice." [ComputerWorld] Some companies, such as CitiGroup, try to address this issue by offering alternate versions of their policy that are more readable -- CitiGroup, for example, provides a version that outlines its policy in 10 concise points, and has stated that consumers tend to prefer this version to the full legal one. [ComputerWorld] However, these kinds of companies are the exceptions rather than the rule -- as it currently stands, most privacy policies are beyond the comprehension of a majority of readers, and even readers who are capable of comprehending the policy won't necessarily read it.