view

Tech Is Getting EU Privacy Rules All Wrong

Users get legal verbiage and obfuscation instead of honesty and clarity.

Privacy policy still written to confuse.

Photographer: Bethany Clarke/Getty Images Europe

Internet users throughout the European Union — and, in some cases, in the rest of the world as well — are starting to get gently pushed toward accepting various companies’ new service and privacy terms that comply with the EU’s General Data Protection Regulation, which is going into effect on May 25. Trying to deal with it has convinced me that the tech industry is still determined to get privacy wrong, and the GDPR as applied by them doesn’t prevent it.

The GDPR-related reminders are coming from stores, electronics manufacturers, social networks, even nonprofits. One needs to be intensely privacy-minded to go through the legal documents updated by Facebook, Twitter, Fitbit, Sonos, an e-commerce site you may have visited a few years ago or a local theater company and not get confused about which disclosures you saw in which statement. Though most firms have made an attempt to write the new terms in plain language, as the GDPR requires, these are still lengthy documents crafted for legal compliance first and understanding second.

The standard approach is to hit the user with thousands of words explaining what data is collected and how it is used and, within the text, provide links to settings pages where one can opt in and out of the data harvesting and processing. Here’s how Fitbit handles it:

We give you account settings and tools to control our data use. For example, through your privacy settings, you can limit how your information is visible to other users of the Services; using your notification settings, you can limit the notifications you receive from us; and under your application settings, you can revoke the access of third-party applications that you previously connected to your Fitbit account. 

Now, which link will you click? Perhaps all four? Will you do it and then go back to the text (there’s still plenty of it), or will you get lost in the first set of preferences, curse and look for the “I agree” button? This is what I’d call obfuscation through confusion.

QuicktakeWhy Privacy Will Be Stronger in Europe than the U.S.

Facebook, by the way, has a big blue button for consent, but a mere hyperlink for deleting your account if you disagree with the new rules — even though deletion is the more momentous decision. We all know the trick that sends us looking frantically for the “X” we need to click to close an ad. The way Facebook has laid out its new policy pages is a subtler version of that intentional annoyance, a form of mild psychological pressure to sign on the dotted line and be done with it. Most people will: There’s no way to reject specific parts of the rules except indirectly, through tweaking certain settings, and then not in every case — even though very little data collection is actually required to provide the basic Facebook service. That’s unfair to users whose data are coming to Facebook from a multitude of hard-to-track sources, some of which they’d surely like to cut off. 

Twitter’s updated privacy policy runs to more than 8,800 words, and it’s distinct from its Terms of Service and Twitter Rules. I know some people — lawyers and reporters — capable of getting through all three documents with a magnifying glass, but most users aren’t like that. There’s no reason for the multiple documents and the verbosity except to induce boredom.

The GDPR rules aren’t complicated. They mainly require organizations that collect and process data to ask internet users in clear language whether they’re OK with it. But what users get is, as ever, a lengthy legal text — no, three of them, and wait, there’s also this linked page and that one, and a separate privacy policy for children, and another one for pets (OK, I made that last one up).

There is a right way to do it. Among all the organizations whose updated policies I’ve seen in recent days, the unlikeliest one came the closest to it — London’s recently renamed Kiln Theater, which sent a policy change notification to my London-based editor. Its new privacy policy is, of course, another morass of legal verbiage — but it contains a handy table that lists the purposes for which data are collected and matches them with specific data types used. 

That’s what I want to see from each of the data harvesters who want my personal information. A simple three-column table. First column: purpose of data collection (for example: “to personalize ads” or “to enable academic research.”) Second column: types of data collected or processed (for example: “web browsing history” or “information about previous purchases provided by advertisers”). Third column: consent (two checkboxes opposite every data type: “I agree” and “I object.”) In cases where the company considers consent obligatory for the service it provides — and only in those rare cases — checking the “object” box should result in a pop-up explaining why the company can’t live without this and providing a link to the local privacy watchdog’s complaint form.

This would be true GDPR compliance — with the regulation’s spirit, not just its letter. But dealing with the consent part in an honest way would only be the first step. Companies then would have to live up to other requirements such as data portability (Facebook, for example, only allows you to download your contacts in text format, so you can’t really move your online friendships to another service).

I hope the EU objects to how its regulation is being applied, but somehow I doubt it: The lawyers who wrote the new policies know their job. It has little to do with earning trust and everything with minimizing litigation. So whether users feel cheated or not (I do), the new policies tell them that by continuing to use the services past May 25, they consent to the rules as the lawyers rewrote them. 

This is a business opportunity waiting for a classic disruptor. Honest GDPR compliance can be marketed. Can anyone get up the courage to do it?

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

    To contact the author of this story:
    Leonid Bershidsky at lbershidsky@bloomberg.net

    To contact the editor responsible for this story:
    Therese Raphael at traphael4@bloomberg.net

    Before it's here, it's on the Bloomberg Terminal.
    LEARN MORE
    Comments