A privacy policy is a legal document that discloses some or all of the ways a party gathers, uses, discloses and manages a customer’s data. The exact contents of a privacy policy will depend upon the applicable law and may need to address the requirements of multiple countries or jurisdictions.
In the Internet context, this can be accomplished easily by the posting of an information practice disclosure describing an entity’s information practices on a company’s site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site’s home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.
Many critics have attacked the efficacy and legitimacy of privacy policies found on the Internet. Concerns exist about the effectiveness of industry-regulated privacy policies. For example, a [year] FTC report Privacy Online: Fair Information Practices in the Electronic Marketplace found that while the vast majority of websites surveyed had some manner of privacy disclosure, most did not meet the standard set in the FTC Principles. In addition, many organizations reserve the express right to unilaterally change the terms of their policies. In [month_year format=”full”] the EFF website TOSback began tracking such changes on 56 popular internet services, including monitoring the privacy policies of Amazon, Google and Facebook.
There are also questions about whether consumers understand privacy policies and whether they help consumers make more informed decisions. A [year] report from the Stanford Persuasive Technology Lab contended that a website’s visual design had more influence than the website’s privacy policy when consumers assessed the website’s credibility. A [year] study by Carnegie Mellon University claimed “when not presented with prominent privacy information…” consumers were “…likely to make purchases from the vendor with the lowest price, regardless of that site’s privacy policies.” However, the same study contends that where privacy information is clearly presented, consumers prefer retailers who better protect their privacy and may “pay a premium to purchase from more privacy protective websites.” Furthermore, a [year] Berkeley study found that “75% of consumers think as long as a site has a privacy policy it means it won’t share data with third parties,” confusing the existence of a privacy policy with extensive privacy protection.
Critics also question whether consumers even read privacy policies or can understand what they read. A [year] study by the Privacy Leadership Initiative claimed only 3% of consumers read privacy policies carefully, and 64% briefly glanced at, or never read, privacy policies. One possible issue is the length and complexity of policies. According to a [year] Carnegie Mellon study, the average privacy policy is 2,500 words long and requires an average of 10 minutes to read. The study noted that “Privacy policies are hard to read” and, as a result, “read infrequently”.
While there is no universal guidance for the content of specific privacy policies, a number of organizations provide example forms or online wizards that generate privacy policies.