“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis + Gilbert.
Since the early days of the internet, when federal regulators expressed concern that consumers did not understand what data was being collected about them online and how it was being used, companies have been drafting privacy policies.
The guiding principle for these privacy policies has always been the Federal Trade Commission’s (FTC) prohibition on “unfair or deceptive acts or practices.” That meant drafting a policy that was thorough and comprehensive, yet clear and easy for a consumer to digest. An early California law and behavioral advertising self-regulatory principles required certain specific disclosures, but overall, the FTC standard was vague enough to give publishers flexibility in how they structured their disclosures.
But then more regional regulations emerged, leaving consumers more confused and forcing companies to address multiple regulations simultaneously.
In the EU, those subject to the General Data Protection Regulation (GDPR) quickly learned that their existing privacy policies did not comply with the law and required new and specific disclosures. Then the California Consumer Privacy Act (CCPA) burst onto the scene, with wannabes the Virginia Consumer Data Protection Act and Colorado Privacy Act close behind. As a result, drafting a privacy policy that complies with all of these laws requires a good deal of new language. How does this mess benefit consumers? It doesn’t.
We therefore now find ourselves in a catch-22. How can one draft a clear and concise privacy policy when all of these various laws have specific disclosure requirements and the requirements do not line up with one another? The unintended consequence of these new laws is that publishers are legally required to make their privacy policies much, much longer than before. As a result, these laws may be self-defeating in their efforts to help consumers better understand and manage the processing of their own personal information.
The US Constitution is only 4,543 words. Most privacy policies from large portals dwarf that already. It would take a consumer quite some time, perhaps more than an hour, to read some of these privacy policies. And imagine trying to read a lengthy policy on a mobile phone. The reality is that no consumer will read these disclosures. The only parties likely to read such lengthy privacy policies are regulators and class action plaintiff lawyers.
Both the industry and consumers are eager for a more manageable approach. Companies would like the process of drafting and updating a privacy policy to not be a herculean task. Consumers would like to be able to read a disclosure in less time than it takes to watch a new episode of their favorite streaming series. However, the industry is becoming legally obligated to confuse consumers.
To resolve this legally required mess, the federal government needs to step in, step up and establish a consistent and reasonable standard that all publishers can use. Allowing each state (and, in some instances, local jurisdictions) to dictate their own standards will just push us toward the 10,000-word privacy policy. That will benefit no one.
Follow Gary Kibel (@GaryKibel), Davis + Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.