The article is assuming that the ToS and privacy statement are meant to be informative. They're not.
If you give people a good overview of what you are doing with their data, a significant portion will get pissed off. If you bore them with legalese, 99.9% of them will just sign, rather than wade through the terms.
The broken by design thing is something that's always bothered me. I posted a draft of our company's Privacy Policy to github a while back as an experiment.
Look at the Facebook example shown in the post. Facebook could have replaced that popup with a text broth, but it didn't, and this paid off.
The main privacy policy of Facebook is another example. They redesigned it with the help of TRUSTe, when they realized all that people want is to keep control of what they share (and my opinion is made clear in the article).
Furthermore, TRUSTe bases its business on the assumption that well-written privacy policies increase conversions, because when people have to provide their credit card (for example), they get scared by a broth-like privacy policy.
Also think about Creative Commons: many people use it and many people rely on it when needing to know how to share content. The world is a better place with Creative Commons, and I think it will be a better place with simpler Privacy Policies and TOS :)
The Facebook popup is quite nice, but I can see two ways in which it could be improved (from a cursory observation - I don't really use Facebook much any more).
Firstly, "[...] and any other information I've shared with anyone" could quite easily result in people accidentally permitting access to data they didn't mean to. In contrast to it being viewed by anyone, there is a good chance that data will be stored elsewhere and stashed, regardless of whether the user later notices and removes it.
Having some mechanism to fully disclose what your "any other information" is, from that popup, might help people to notice accidentally shared data sooner, and prevent them sharing it with people who are storing it. The UI might take a little work, but afaik they've already got "view my profile as $foo" abilities, but that's tied to the account privacy settings pages, and not directly accessible from this sort of popup.
Secondly, and maybe not nearly as practical, but it'd be nice to see actually optional disclosure settings for apps like this. Android has a similar problem with its apps: it tells you what (coarse-grained) permissions it requires, but you only get a choice of all or nothing.
Granted, it doesn't make much sense to install your GPS-map application without giving it access to your GPS data, but in the Facebook realm, there can definitely be data or services which you want to consider optional.
There's probably even a business model in charging users (more) if they wish to disclose less about themselves, making them less attractive from your advertising revenue.
The major problems I can foresee are (a) microtransactions, and (b) actually making your user aware you're effectively selling their personal details in exchange for providing them with whatever service.
The tradeoff sounds scary:
- Extremely accurate Privacy Policies nobody reads;
- Simplified Privacy Policies everybody reads, but missing something.
Facebook probably has reasons for not including too much detail on that page, but Facebook also uses users' data like nobody else. For the average website this problem is much simpler, even for the average SaaS startup which is not a social network (or a simple one like Quora). Probably that kind of website can really have a privacy policy covering every personal data use within a simplified popup, without missing relevant information.
The Facebook popup surely has issues, but I still love it since it's something people read, and it helps people make better choices. This is what, to me, is really important about Privacy Policies.
I am a fan of simple privacy policies, but the Facebook popup is not a privacy policy; it's an access policy. It tells you what Facebook data an application gets access to. It does not tell you what the app does with that information.
As long as we have a sue-happy society, companies will use privacy policies to limit liability. That means they will continue to be documents with more text than most of us are likely to read. Icons and diagrams won't work without the text behind them. However, I do agree that just because a document has legal significance does not mean it needs to be full of legalese. We tried to keep our privacy policy as short and light as possible and write it in plain language. http://nodeping.com/PrivacyPolicy
Some people say the U.S. has a sue-happy society. Others say that we don't; that the whole sue-happy idea is an invention of large companies that want tort reform.
Yesterday I observed that companies still sell products in that hard-to-open plastic packaging that has injured a lot of people. That this packaging is still common indicates to me that we do not in fact live in a sue-happy society.
There's probably still a need for a legalese document behind it, but we are working on cutting that part too :P
Even with the need for a strictly law-compliant page, having a first page which is simple and readable at a glance is always a good idea.
Consider that we are seriously working on bringing that model to the masses (read the end of the article :) )
Thanks! That's a very good question, and the honest answer is because we're geeks and design is much harder work for us than building functionality. I guess that's another argument in favor of something like what iubenda.com is doing.
I recently wrote a privacy policy for my new startup; I think it complies with all but two of those guidelines (lightbox and standardised). Any feedback would be appreciated: https://theescortcompanion.com/privacy/
Most people don't know what to put in a privacy policy, and we built a service with lawyers behind it, assuring compliance and top quality service.
Since yours is of course a good point, consider that our product will be very cheap, and I'd seriously pay a cheap price instead of spending those 20 minutes.
Also consider that your privacy policy currently lacks the parties involved, and it's not "completely compliant". Our goal is to save your time on this side, for a reasonable price and giving something very polished in exchange :)
Looked at Facebook just now, and sure enough there in the footer (if you're fast enough to click on it before the infinite scroll kicks in) they have this http://www.facebook.com/full_data_use_policy, which reaffirms my suspicion that using only what the author suggests probably isn't quite as safe legally.
That said, I definitely agree that putting a simpler layer on top of it so non-lawyers can get the gist of your policy quickly is a great idea - now item 1,000,001 on my startup's to-do list!
The best part is that we are making it automatic, just check our main website, our goal is to help website owners to get rid of the hassle of writing a privacy policy :)
I'd be happier to use Iubenda if its beta-access system didn't make me feel so violated, by requiring me to literally share it on every social media I can in multiple ways.
I think that it's too complex to work on a scale. Maybe our service will embed it in the future, maybe we'll rethink a new standard (since P3P is a bit outdated) :)
Privacy policies have not changed that much. I agree that P3P does not provide a scale of privacy, but that seems by design, since privacy, and the things described in privacy policies, don't map to a linear scale.
If you give people a good overview of what you are doing with their data, a significant portion will get pissed off. If you bore them with legalese, 99.9% of them will just sign, rather than wade through the terms.
It's broken, but it's broken by design.