• ebrewste 6 days ago

    Pretty well written piece for a an intro to this issue. Same issue with cookie acknowledgements. Some important quotes:

    “These are documents created by lawyers, for lawyers. They were never created as a consumer tool,” Dr. King said.

    "The BBC has an unusually readable privacy policy. It’s written in short, declarative sentences, using plain language. "

    The BBC example shows that it is possible to write a readable policy, if a company cares to.

  • danShumway 6 days ago

    Agreed on all fronts.

    > These are documents created by lawyers, for lawyers.

    Except they bind normal consumers, not lawyers.

    This is the law's version of the old softare forum 'RTFM' dismissal when people asked technical questions.

    It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people. If a normal consumer needs to consult a lawyer before they sign up for Facebook, something has gone horribly wrong.

  • avmich 6 days ago

    > It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people.

    I agree, but by extension this is also true for all laws and legal documents. The fact that world still works with this situation (the laws which people are supposed to abide by are not really understandable to those same people) doesn't mean we don't have a problem to solve here.

  • SkyBelow 6 days ago

    >The fact that world still works with this situation

    Depends upon what you mean by works? We have clear favoritism, nepotism, racism, sexism, etc. in how the existing system works. It isn't complete anarchy, but by that standard the most kafka-esque regimes still work.

    I think we have massive room for improvements in both laws and contracts.

  • lrem 6 days ago

    When reading your argument, I can't help but think about a stat a Polish journalist computed. At that point, reading the law at the pace it came out would take about four (or was it six) hours per day. That's assuming you read law as fast as prose and don't need to read the preexisting acts.

  • eitland 6 days ago

    >> These are documents created by lawyers, for lawyers.

    > Except they bind normal consumers, not lawyers.

    > This is the law's version of the old softare forum 'RTFM' dismissal when people asked technical questions.

    Thanks for pointing this out.

    > It is not acceptable to have a privacy policy intended for ordinary people if it's not also intended to be understood by ordinary people. If a normal consumer needs to consult a lawyer before they sign up for Facebook, something has gone horribly wrong.

    Here's my secret hope that articles like this will force the opinion - and courts - to realize that these documents are worthless and shouldn't protect any company that abuses customer data from lawsuits.

    Also for us Europeans I still look forward to seing consumer protection agencies here finally getting annoyed and starting to use their new GDPR claws.

  • marcinzm 6 days ago

    It's to many for-profit companies benefit that consumers not understand or read their privacy policies.

  • lmkg 6 days ago

    > These are documents created by lawyers, for lawyers. They were never created as a consumer tool

    This, I think, is the core issue. The Privacy Policy is seen as the same type of thing as the Terms of Service. Of course, this begs the question of why does there need to be two different documents.

    GDPR has pretty explicitly tried to reverse this. The Terms of Service can be as legal-y as you want, but there must be a plain-language Privacy Policy for the data subject. We'll see how much that happens in practice... the regulators probably have much bigger fish to fry than unclear PP documents, but a fine for a separate issue could include "no one could understand this, so it doesn't count" as a way to side-step technical loopholes.

  • fmajid 6 days ago

    More importantly GDPR grants statutory rights that cannot be waived by a shrinkwrap agreement. Its only real weakness is that is does not grant a right of private enforcement, and national regulatory agencies are too understaffed to address even a small portion of abuses today.

  • tzs 6 days ago

    > Its only real weakness is that is does not grant a right of private enforcement, and national regulatory agencies are too understaffed to address even a small portion of abuses today

    Article 79, Right to an effective judicial remedy against a controller or processor

    1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

    2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

  • kazen44 6 days ago

    Non waivable rights are pretty common in european law, both of member states aswell as union law itself.

  • icebraining 6 days ago

    > "no one could understand this, so it doesn't count" as a way to side-step technical loopholes.

    In fact, the GDPR explicitly says any declaration that isn't intelligible and using clear and plain language "shall not be binding". Which means the service doesn't actually have consent.

  • ryandrake 6 days ago

    Companies that think of their Privacy Policy as a “Legal” or “Compliance” function will have their lawyers write it, and it will be incomprehensible to users. That’s Legal’s job: to write documents for judges and other lawyers to read.

    I’d argue that companies should think of their privacy policy as not a legal document but as a product feature, and let product managers (or whoever is responsible for feature ideas) write them. The audience then would be the user and the wording would more likely be understandable. Most companies’ product teams are better equipped to articulate the benefits and trade-offs to end users.

  • spunker540 6 days ago

    The problem is when product managers use language that is understandable to most people but leaves a lot of loopholes and results in lawsuits.

    Writing legal documents is a lot like writing code— you are trying to leave no room for ambiguity (or bugs), need to cover all the edge cases, and the code is inevitably at least as complex as the domain in which it operates.

  • guitarbill 5 days ago

    Depends on your legal system. It doesn't have to be letter of the law, which is how the US operates, leading to abominations of phrasing like "damages including but not limited to foo, bar, baz" etc. In other jurisdictions, spirit of the law is good enough, so you can just write "damages" and something like a reasonable person test is applied.

    Example: In the US, rent agreements can be dense, 30 page affairs and still be legally binding. In Europe or Australia, 5 pages or less usually suffices, and longer documents may simply be ruled unreasonable.

  • mtgx 6 days ago

    I think there should be a law that puts the burden of proof that the user understood the privacy policy on the company. This way the company would have an incentive to make it as easy to understand as possible and to ensure every user understands what they're doing -- otherwise, if any user sues them over a privacy breach, the company has a high-risk of losing that lawsuit if the judge/jury determines it wasn't easy for the user to comprehend the privacy policy, as per the mentioned law.

    GDPR sorts of does this, but I think it's only half-way there.

    It's always about incentives. Companies have all the incentives in the world to make the privacy policies as complicated and obfuscated as possible, while also putting in there that basically the user gives up all rights and data the moment they see the company's website, so that they remove any responsibility they might have otherwise.

  • skybrian 6 days ago

    I don't think most users want to spend any time understanding privacy policies. If you made people take a quiz showing the understand what they're getting into (like when getting a driver's license), user signups would go down dramatically.

    Plus this would probably be considered free labor and/or discrimination, like some people complain about captchas.

  • icebraining 6 days ago

    I think the GDPR is quite good, just not actually being applied. In fact, I'd say most or all of these are plainly invalid, since they don't present the request for consent "in a manner which is clearly distinguishable from the other matters", and they don't allow consenting separately for each purpose.

  • stcredzero 6 days ago

    Pretty well written piece for a an intro to this issue.

    The graphic which shows the trajectory of the Google privacy policy is particularly effective.

  • ziddoap 6 days ago

    "For comparison, here are the scores for some classic texts. Only Immanuel Kant’s famously difficult “Critique of Pure Reason” registers a more challenging readability score than Facebook’s privacy policy. (To calculate their reading time, I measured the first chapter of each text.) "

    I'm feeling an interesting mix of laughter and sadness. How can you not laugh at the ridiculousness of a privacy policy being less legible than "Criqiue of Pure Reason"? How can you not feel a tinge of sadness at the state of the world when this is not only acceptable, but expected?

    Yet, it doesn't surprise me that privacy policies are generally hot garbage. And that's sad too.

  • testplzignore 6 days ago

    The real measuring stick of readability should be The Silmarillion :)

    There are plenty of ways privacy policies are bad, but I think the reading scores NYT is using from Lexile are a bogus criticism. From a reading length and vocabulary perspective, I don't see anything in the Facebook privacy policy that I wouldn't expect a high school student to be able to comprehend.

    My main criticism of privacy policies is that, after reading them, you realize that there is practically no upper bound on how your data can actually be used. You give the company a key to your house, and it is up to them to decide if they want to trash the place.

  • ziddoap 6 days ago

    >I don't see anything in the Facebook privacy policy that I wouldn't expect a high school student to be able to comprehend.

    I think, vocabulary wise, yes. High school students should be able to read each word.

    The problem is context and impact. Can the reader not only read the words, but understand them in the context of the entire document as well as in the context of their usage?

    For example:

    >"[...]we collect information from and about the computers, phones, connected TVs and other web-connected devices you use that integrate with our Products, and we combine this information across different devices that you use."

    The words are easy to read. The meaning, however, is not. Most people don't take the time to learn how severe of an impact aggregating data has. It seems harmless to share two pieces of non-PII, until you learn that two pieces of non-PII may become PII when aggregated.

    The test by Lexile claims to measure complexity, not just the legibility. However, I haven't looked into the test that much and don't have an opinion on its accuracy. That said, I don't think the average person can _understand_ the documents, even if they can read the words - which is the same conclusion reached in the parent article:

    >"Even policies that are shorter and easier to read can be impenetrable, given the amount of background knowledge required to understand how things like cookies and IP addresses play a role in data collection."

  • fmajid 6 days ago

    I read the Silmarillion when I was 11. It's hardly challenging reading like dense and opaque German philosophy texts tend to be (I am looking at you, Wittgenstein).

  • danaris 5 days ago

    Agreed. The Silmarillion's language isn't simple, but it is lyrical, and is intended to evoke great epics in its style.

    I think the most uncharitable thing you can say about it is that it reads somewhat like the King James Bible.

  • fmajid 4 days ago

    Right, and unlike those philosophy texts, there is actually a payoff for the reader.

  • gnicholas 6 days ago

    > The BBC has an unusually readable privacy policy. It’s written in short, declarative sentences, using plain language.

    This is good to know. Startups often adapt language for their own privacy policies from those of big companies (on the assumption that such policies are good/vetted).

    Hopefully founders who read this article will turn to the BBC's policy when figuring out how to fashion their own.

  • ceejayoz 6 days ago

    I was pretty impressed with Basecamp's. https://basecamp.com/about/policies/privacy

  • rosterface 6 days ago

    The New York Times is as bad at privacy as anyone. Here is their policy:


    They make extremely illegitimate claims about "needing" to collect your personal information to provide their "services". Which is absolutely untrue since they're a newspaper you could read completely anonymously with zero degradation to experience (except where they've deliberately hobbled that option).

  • tzs 6 days ago

    > The New York Times is as bad at privacy as anyone

    ...and its dot in the charts in the article reflects that. Go diagonally up to the right from the Facebook dot until you are just about to leave the "college" reading level region, and you'll find the dot for the Times.

  • toby- 6 days ago

    Do you suppose the author of this opinion piece wrote the New York Times' privacy policy?

    Edit: some fair counterpoints to me, below. But publishing an opinion piece does not necessarily imply endorsement, and nor does it diminish the author's point(s) one iota.

  • arkades 6 days ago

    I keep hearing this. Every time the NYT writes an article on X, while being a hypocrite on X, "Do you think the guy who wrote this was also in charge of X at the NYT?"

    It's a valid counterpoint. The guy who wrote about X is not, usually, in charge of X. Agreed. The criticism, however, is not about the author - it's about the organization that endorses both the action X, and the criticism of X.

    The NYT is an opinionated organization, not a public wall open to whoever wants to throw things at it. They have an editorial stance. When they write criticisms of X, they are implicitly - as an organization - criticizing X. When they do X themselves, they are - as an organization - implicitly endorsing X. When they wish to distance themselves from a criticism in an article, they explicitly point out - hey, this is an Op-Ed from such-and-such author, and doesn't represent the views of the NYT. When it's not an Op-Ed, and/or when it's not disavowed, they are saying: this article represents the views of the NYT.

    The writer is not a hypocrite. The organization, however, is.

    There's nothing illogical or invalid about holding the organization accountable for doing bad things, and for pointing out that the organization is trying to earn goodwill from the public by being "against X" while perpetrating the act themselves.

  • antientropic 6 days ago

    The linked article is in the Opinion section, so no, it does not necessarily reflect the stance of the NYT and accusations of hypocrisy are therefore unfounded in this case.

  • inscionent 6 days ago

    > The writer is not a hypocrite. The organization, however, is.

    This is not how how a functioning news room works. That's not how any of this works. You don't check your individuality at the door. A good publication can and should promote well reasoned work, especially if it conflicts with the status quo or view points of other writes in the org.

  • AstralStorm 5 days ago

    Can and should, yet so didn't and still acts contrary? Sounds almost exactly like hypocrisy to me.

  • deogeo 6 days ago

    Even assuming the New York Times or the author are hypocrites, that does not diminish their point.

    I follow the news to get informed, not to measure the moral virtue of the media (except as it relates to the accuracy and representativeness of their reporting).

  • patrickmcnamara 6 days ago

    > It's a valid counterpoint.

    It's not at all. It is a valid attack on the NYT, but it's not a counterpoint. I.e. ad hominem.

  • SilasX 6 days ago

    It's not relevant.

    I think accusations of hypocrisy usually map to an insightful argument: "Hey, there's a reason people do that thing you object to, and it's usually a good reason, as demonstrated by the fact that, given all the options, you find yourself resorting to it. So, maybe instead of shaming people, you should be helping to isolate the reason and find a way to obviate it instead of just throwing stones."

  • nickv 6 days ago

    To be fair, the New York Times' privacy policy actually is represented as one of those dots in the image (and it's not in a particularly good spot ... it's pretty close to the top):


  • rosterface 6 days ago

    I think this piece is about making people aware of privacy and pointing out that the platform you’re reading it on is one of the worst offenders is worth doing. As another commenter pointed out that the New York Times policy contains the entire Google privacy policy within it:


  • danShumway 6 days ago

    This is such a bad argument.

    I don't suppose the author of this opinion piece wrote or controls any of the privacy policies they reported on. But they chose which privacy policies they were going to report on, and which ones they were willing to highlight in their article. Is it really an unreasonable ask of a reporter who is focused on privacy to also be willing to research the practices of the website that hosts them?

    To be fair, of all the news organizations I have beefs with on privacy, the NYT has been doing a lot better in their reporting than their competition:

    - They have a disclaimer at the bottom of this article linking to their own policy. They also include several news organizations (including themselves) in this dataset.

    - Reporters have been willing to publish articles that talk about and link to (good) ad blockers like Ublock Origin, and acknowledge that they're an effective way to increase privacy.

    - Their editorial staff has been (relatively) self aware about the NYT's privacy practices and appears to be talking about it internally.

    Could they be better? Yes. Is it a weird omission that in an article that specifically calls out Google, the reporter doesn't mention that the current NYT privacy policy is both more complicated and longer than Google's current version? Yes. But comparatively, if I was going to call out any set of reporters on this, I wouldn't start with anyone working for the NYT. I think they're moving in the right direction here. This is a well written article.

    In general though, it's not unreasonable to call out reporters for failing to look at or refusing to talk about the privacy policies of their employers in their articles. I don't expect them to force their tech teams to change things, I don't expect them to walk away from their jobs, and I don't expect them to lobby their bosses on my behalf. I just expect them not to ignore important, relevant parts of the stories they report on -- because shifts in privacy regulation are going to have huge impacts on things like news funding, and we need to talk about that.

  • toby- 6 days ago

    > Is it really an unreasonable ask of a reporter who is focused on privacy to also be willing to research the practices of the website that hosts them?

    While not mentioned in the article's text, the New York Times does feature as a data point: https://i.imgur.com/uaOqPod.png

    And the article ends with the NYT's own message: "Like other media companies, The Times collects data on its visitors when they read stories like this one. For more detail please see our privacy policy and our publisher's description of The Times's practices and continued steps to increase transparency and protections."

  • danShumway 6 days ago

    Yep, I mention that - of the reporters/organizations that need to be called out on this, the NYT is low on my list.

    In general though, I disagree that reporters lacking control over the platforms they use means that they're immune from this type of criticism. News organizations are a part of this conversation whether they like it or not, and there are no resolutions (legal or technical) that won't affect news sites. It's irresponsible for a reporter to ignore that.

    When people call out the hypocrisy in articles like this, they're not blaming the reporter for their employer's data policies, they're blaming them for ignoring that those data policies exist.

    It doesn't mean the reporter's points aren't valid, it does mean there's a dimension of the story they're ignoring, either through ignorance or through choice.

  • wutbrodo 6 days ago

    This wasn't published on Kevinlitmannavarro.com, and it's not his name on the big top-of-the-page header: it's an opinion column written by him but published by the New York Times under their banner. It's a pretty basic expectation for journalistic entities to address potential conflicts or hypocrisy. It's not a requirement, but is a reasonable complaint, and dismissals like asking if the opinion author wrote the privacy policy are beyond nonsensical.

    Apart from that, addressing seeming hypocrisies in things that newspapers complain about but engage in is often illuminating: I recall an Atlantic(?) article complaining about deceptive ads that went out of their way to talk about their own likely serving of deceptive ads, describing the difficulty in knowing which ads you'll be serving given the byzantine web of sellers, resellers, exchanges, etc etc that Web publishers deal with.

  • 6 days ago
  • smacktoward 6 days ago

    They're a newspaper that charges customers to read it, which means they need to limit access to their services for people who haven't paid. Which means they need a way to distinguish paying users from non-paying ones. Which means that they have to have some idea who you are when you access their services, so they can tell which services you should have access to and which you shouldn't.

    It's funny, you never see anyone arguing that Netflix is under some kind of obligation to let everyone watch their programming anonymously for free.

  • SomeOldThrow 6 days ago

    And yet, this language is used to collect ad information on paid subscribers. So it’s 100% bullshit still.

  • smacktoward 6 days ago

    When did they ever claim to you that subscribing meant you wouldn't see ads anymore?

    You know that if you subscribe to the print version it has ads in it too, right?

  • SomeOldThrow 6 days ago

    When they claimed it was necessary to support the service. It’s absolutely not. Newspaper ads are not targeted.

    Anyway ads in any form still produce perverse incentives for a supposedly journalistic entity—I don’t know how anyone can read a newspaper that takes ad money and consider it unbiased.

  • Endy 6 days ago

    >It's funny, you never see anyone arguing that Netflix is under some kind of obligation to let everyone watch their programming anonymously for free.

    That's because we don't bother talking about it, it just gets done. Why waste time on a trivial situation? Instead, talk about the NYT which is an important cultural institution. Plus I can read a free copy at my local library, or at NYPL, anonymously.

  • derefr 6 days ago

    > Plus I can read a free copy at my local library, or at NYPL, anonymously.

    Now that would be an innovation: libraries providing access to commercial streaming-media services, through your library membership. Much like they provide access to scientific-journal subscriptions, or e-book services.

    With the proliferation of different streaming services, it almost seems like an inevitability.

  • SomeOldThrow 6 days ago

    To my understanding this is already available at many public libraries.

  • Endy 6 days ago

    Audiobook streaming has become a standard service of local libraries.

  • Scoundreller 6 days ago

    Or through their tor service.

  • arkades 6 days ago

    Netflix never put all their content out on the internet to be accessed anonymously for free.

    It's almost as if the news media created this expectation in their industry.

  • autoexec 6 days ago

    > Collection of personal information is necessary to delivering you the NYT Services or to enhance your customer experience.

    I'll grant them delivery in some cases. They have to collect IP addresses, some browser details, info from HTTP headers etc. but they don't have to keep any of it for any longer than it takes to serve pages (although there are good and sane reasons for keeping some of that stuff for a while at least). What kills me every time is "enhance your customer experience" which I assume means present you with ads, track your usage to help us increase the number of clicks/page views/ad impressions, and sell your data to our "partners" who will spam/advertise to you relentlessly.

  • csomar 6 days ago

    New York Times also abuses advertising, paywalls and page size. But the fact that they write about issues should signal that they still have some journalism integrity.

  • dsr_ 6 days ago

    No, that's not what that means. An ad hominem attack is invalid because the target is simply being insulted or called evil in some way. "You can't believe Bill Smith: all the Smiths are no-good iron-pounding dummkopfs."

    If the NYT calls other organizations out on their privacy policies without pointing out that their own is terrible, the term for that is a hypocritical omission.

  • 6 days ago
  • 0xffff2 6 days ago

    >The vast majority of these privacy policies exceed the college reading level. And according to the most recent literacy survey conducted by the National Center for Education Statistics, over half of Americans may struggle to comprehend dense, lengthy texts. That means a significant chunk of the data collection economy is based on consenting to complicated documents that many Americans can’t understand.

    How is this different to law itself? If we're going to argue that it's problematic for something as (relatively) inconsequential as privacy policies to be unintelligible, shouldn't we start with something more basic?

  • icebraining 6 days ago

    That the legibility of the law could and should be improved is a fair point. That said, humanity isn't incapable of concurrency - there's no reason to have to wait for the law before tackling privacy policies, which while a lesser issue, are also easier to change.

  • ryandrake 6 days ago

    I’d argue that the vast majority of Americans would struggle to comprehend a basic cell phone contract, auto loan, or mortgage, which we routinely sign. The problem is that people have to pretend to understand/agree with something in order to receive a service. You should not have to agree to a deliberately incomprehensible document as a condition of receiving a service you pay for.

  • the_snooze 6 days ago

    There's an ongoing study whose early results found that even if people read and understood privacy policies (for mobile apps), those policies are incomplete, wrong, or self-contradictory a decent chunk of the time: https://www.ieee-security.org/TC/SPW2019/ConPro/papers/okoyo...

    It's hard to see privacy policies being written in good faith. In my opinion, they're little more than declarations of "I'm going to do all these sketchy things with your data, and it's your responsibility to protect yourself from me."

  • 7402 6 days ago

    Whether or not they are incomprehensible, I worry more that most of them seem to boil down to:

    "We can do whatever we want with any data we have about you. Your only alternative is to not use our services and not use any other business or organization that uses our services."

    Any privacy policy that has the usual clause saying, "We can change this policy at any time by posting an update to our website," is saying essentially the above.

    I suppose it would help if they were forced simply to put their policy in those terms - then more people might push back against it.

  • samdixon 6 days ago

    I have recently been wondering if, instead of a company having a privacy policy, they could instead use a privacy license. This way you could easily discern their stance on privacy from the name of the license. Not sure if anything like this exists or if it would be worth looking into.

  • tomcatfish 6 days ago

    This actually sounds like an interesting deal, as it would make figuring out what a company does with your data easier to understand, but I'm fearful of 2 main things: 1. It's still a battle to explain to non-technically minded people whether an image is Creative Commons or free use or to get them to understand that there are different kinds of CC. 2. It will mean there is less to read through, but many companies will still fit blocks together (ie. General Use+Advertising Third Party+Server Backup in Other Country) or resort to using a license that is more general than they need, but definitely includes the things they want to do.

    It's a _really_ cool idea though, and I'm curious whether anyone has ever tried anything like it before.

  • Dajsvaro 6 days ago

    Twilio does an excellent job with their Terms of Service and Privacy Policies. For example, their Terms of Service has a "plain english" version in a right hand column, along with the legalese in the right:


  • seandougall 6 days ago

    I'm not sure I see the benefit of that. If the plain English version is good enough to be legally binding and fully explanatory, they could just use it. If it's not good enough, but is still presented as part of the ToS, then it has the potential to introduce ambiguity that could override the legalese version. Either way, it makes the ToS somewhere between 25% and 50% longer than the legalese version alone.

  • cdubzzz 6 days ago

    But it is still maddeningly long. Even with the plain English version, who would ever read and digest that before signing up for Twilio (other than a lawyer)?

  • morpheuskafka 6 days ago

    I'd hope who is about to build their business around the service and sign a contract in the name of their business to use it could take some time to read it... if not they shouldn't be signing their company up for it.

  • cdubzzz 6 days ago

    Sure, that is the ideal. I'm more curious about the reality...

    Check out this page --


    At the bottom it says, "By clicking the button, you agree to our legal policies."

    Ignoring the ambiguity of that statement, it seems that someone can't even sign up for a free trial without agreeing to the full set of terms. Does that mean a business needs to make a complete legal review of the policies before an employee can sign up to _test_ the service and decide if they want to use it? How often does that actually happen?

  • morpheuskafka 6 days ago

    If it's not going to be used in production, which a free trial presumably wouldn't be, then you probably don't need a full review of the terms although it would be a good idea to take care of it.

  • reaperducer 6 days ago

    Working in healthcare, we have a privacy department that is adjunct to the legal department. It did an audit of all of my web sites last year and I was surprised to find out that they recommended that the privacy policies be removed from some of them.

    The reason was simple: The sites in question didn't do any tracking. So if you're not gathering information, there's no need to warn.

  • groovybits 6 days ago

    I disagree with this sentiment.

    If you do not track any user activity on your site, then perhaps there is not need to have a pop-up warning in your face.

    But the fact that you willingly do NOT track user activity IS your privacy policy. The policy does not go away. As a user visiting a site, I would much rather have the policy accessible, even if it says that the website does not have any tracking enabled.


    And I'm surprised that a legal advisor would recommend to remove the policy entirely. Isn't it generally better to be explicit and forthcoming, rather than say nothing at all?

  • LinuxBender 6 days ago

    I agree with this. If you really don't collect data, then state it as such. That should certainly bolster confidence by the end users of the system.

  • Animats 6 days ago

    It's not that hard to read most EULAs and privacy policies, because they're usually plagarized from someone else's documents, and contain much the same clauses.

    ...Overreaching indemnification clause, bleah...disputes must be resolved in courts of Northern California, OK (Outer Nowhere, not so OK, offshore tax haven island, very bad) ... arbitration required under AAA consumer rules, not too bad (National Arbitration Forum was very bad) ... no class actions, all too common ... "sole discretion" termination, run away in a B2B context ... vagueness in what can be done with your data, all too common, and often where privacy rights go away ... mention of "affilates" having access, not good ... limitation of liability, common for ordinary websites but inappropriate for anybody you keep money with ....

    After you read about ten of these things, a pattern emerges.

  • johnny313 6 days ago

    This really raises the question of what it means to "consent" to something. If you don't actually understand what you are consenting too, is it legally binding?

  • kevin_b_er 6 days ago

    A meeting of the minds is no longer really a requirement in American contract law. You do not have to understand what you're being legally bound to. You don't even have to understand if your human rights are being signed away either.

  • rhino369 6 days ago

    The idea is that you have a meeting of the minds that the document you are signing contains the terms. If you could later argue that you didn't understand it and therefore shouldn't be bound, it would make contracts impossible to uphold.

    Though I do think there should be some sort of loosening of the requirements for a contract to be found unconscionable or deceptive.

  • nabnob 6 days ago

    Not a lawyer, but I seem to remember reading somewhere that a lot of these user agreements aren't legally binding specifically because no one reads them and most people don't understand what they're agreeing to anyway.

  • solomatov 6 days ago

    It's not only about privacy policies. Terms of service and other contracts which people use are equally incomprehensible and full of legalese.

  • solomatov 6 days ago

    A good example of how far the situation came is described here: https://abovethelaw.com/2010/06/do-lawyers-actaully-read-boi...

    >Judge Posner at ACS panel: For my home equity loan, I got 100s of pages of documentation; I didn’t read, I just signed. #ACS10 #Posner #LOL

  • howard941 6 days ago

    Isn't that a more efficient use of time? The terms aren't negotiable other than walking away.

  • solomatov 6 days ago

    I am not so sure about it. The contract might contain something substantially adverse to you and still be enforceable. For example, in some EULAs I saw a paragraphs completely forbidding you to compete with any products of the company.

  • 6 days ago
  • morpheuskafka 6 days ago

    I don't think it's really fair to compare a privacy policy to A Critique of Pure Reason. One is hard to read because it references laws and has a lot of boilerplate stuff that you can skip over, the other involves abstract philosophical questions that are difficult to consider in terms of the subject matter itself.

  • bediger4000 6 days ago

    All or nearly all privacy policies are incomprehensible. The main exceptions appear to be European, or non-profit's.

    Does this uniform incomprehensibility come from an identifiable root cause, or is it just emergent because of a variety of factors, not all of which afflict every company?

  • lmkg 6 days ago

    Key quote from the article:

    > These are documents created by lawyers, for lawyers. They were never created as a consumer tool

    They are generally treated as the responsibility of the legal team, so they are written as legal documents. Companies treat them as a way to pro-actively defend against lawsuits (much like the Terms of Service), and not as a way to inform or educate users.

    The reason why many readable privacy policies come from Europe is because GDPR makes it literally a legal requirement that they are written "using clear and plain language." Source: GDPR Article 12 https://gdpr-info.eu/art-12-gdpr/

  • zelon88 6 days ago
  • mLuby 6 days ago

    That is shockingly comprehensible and concise; you are right to be proud!

    (BTW "it’s" should be "its" in the second sentence.)

  • svachalek 6 days ago

    I don't see why they can't just follow the example of open source licenses. GPL is powerful and complicated, but when you see something is GPL you know what you're getting into because you've seen it before. There are a handful of well-known policies that have varying levels of generosity, and anyone can always make up a new one -- but if they do it's a bit of a red flag and people will dig in to find out what it's about.

    The problem with current policies is only partly that they're complicated, it also has a lot to do with them being snowflakes too.

  • michaelaiello 6 days ago

    Built http://www.privacyparrot.com which uses ML to simplify privacy policies back in 2011 and it continues to grow in usage.

    Thank you HN community for the feedback back then https://news.ycombinator.com/item?id=3222334

  • selectout 6 days ago

    Did an analysis on Alexa's top 1000 sites and their privacy policies a few years back. A brief infographic of the high level of this https://mashable.com/2011/01/27/the-real-reason-no-one-reads...

  • droithomme 6 days ago

    My preferred privacy policy is as follows:

    "Privacy Policy: We will not share your private information with anyone."

  • LinuxBender 6 days ago

    I tried to convey something similar and simple [1] I think

    [1] - https://tinyvpn.org/help/#privacy

  • lmkg 6 days ago

    Not GDPR-compliant, nor would I personally consider it anywhere near complete.

    What information do you have about me? Can I see a copy of it?

    Why do you have it? What are you using it for?

    How long are you keeping it?

    How are you keeping it secure? (As far as I can tell, GDPR does not actually require you to answer how, only that you do it.)

    As an alternative, my preferred privacy policy:

    "We do not collect your personal information."

  • akersten 6 days ago

    Hey, yours isn't complete either! :)

    Just by visiting your site, you are collecting my personal information (after all, GDPR says IP address is PII). So what are you doing with it, and how long are you keeping it?

  • lmkg 6 days ago

    GDPR does not say that IP address is PII. Among other objections, GDPR does not mention IP address, nor does it mention PII.

    The current guidance on IP addresses is ambiguous, but my understanding is that an IP address on its own does not count as personal data. It can become personal data when it's used to create a profile. So if you only have the full IP fleetingly to serve web pages, and all logging wipes the last octet, there's no point where the data that you process counts as personal data.

  • droithomme 6 days ago

    GDPR doesn't get that specific, but the judges in the courts do.

    In Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16, it was ruled that internet protocol addresses relating to visitors' use of websites constitutes "protected data" according to European Union laws.

  • lmkg 6 days ago

    Thank you for the case citation. This is the summary I found:


    My reading of that, and online commentary that I've found, seem to indicate that the IP address is not personal data across the board, but rather only in a specific context. I'm a little over my head in whether that specific context is "basically all the time" or not. It sounds like it only applies when you have the legal right to make the ISP give you subscriber info related to an IP address?

  • guitarbill 5 days ago

    From that document and other reading, I think it's also when combination of information results in being able to identify a person. For example, dynamic IP address + timestamp is not enough for anybody but the ISP. But add in other information, for example HTTP headers, it might be unique enough.

    Also, what they're saying is some things trump privacy. Legal requirements to keep logs. Legitimate interest, e.g. billing. Defending against cyber attacks. Using that information for other purposes is still a no-no.

    TL;DR: IP address + other info often becomes PII, and there are some exceptional cases where it's legitimate to store PII despite privacy concerns.

  • akersten 6 days ago

    Yes, but what does that mean?

    What does your site define as private information? If the data got sent to you, it's no longer "private," at least in one sense of the word.

    Is "selling" information considering "sharing"?

    Questions like these are why the legalese of privacy policies needs to be complicated - it's simply ambiguous otherwise.

  • droithomme 6 days ago

    > Yes, but what does that mean?

    It means exactly what people would expect it to mean. In such cases of plain and simple language in a contract, courts go with that.

    > What does your site define as private information?

    If a site defines what is private information that is different from a common sense understanding, the site is being dishonest and tricky.

    > If the data got sent to you, it's no longer "private," at least in one sense of the word.

    That is an absurd and disingenuous interpretation that no reasonable person would ever expect to mean to be the definition of private.

    > Is "selling" information considering "sharing"?

    Yes, selling information is sharing it. Obviously. As any court would rule.

    > Questions like these are why the legalese of privacy policies needs to be complicated - it's simply ambiguous otherwise.

    Complicated contracts are always bullshit 10,000% of the time, designed to cheat and trick in all of the cases, without any exception ever.

    The most simple language possible is needed. Complex wording hides a multitude of sins.

  • thekyle 6 days ago

    Also, most sites are hosted by hosting companies. Is putting PII in a database on a server in a datacenter not owned by the site owner sharing?

  • jiveturkey 6 days ago

    Graphs done right! I can't imagine how this article could be better.

    I wish they would make their privacy analysis tools available to the public. So you could plug in the URL of your favorite policy and see how it ranks.

  • mirimir 6 days ago

    This is not exactly news, but having a NYT statement is cool.

    They're obviously legalistic bullshit. So whatever privacy and rights I need, I create myself. And so I can entirely ignore ToS and privacy policies.

  • diveanon 6 days ago

    "I agree" is the biggest lie of the information age.

  • lacker 6 days ago

    Meanwhile, the New York Times privacy policy is also enormously long and unreadable. It even links to the Google privacy policies, saying that by reading the NYT you also have to be aware of the Google privacy policies, because the NYT uses both Google Ads and Google Analytics.


  • Alex3917 6 days ago

    > It even links to the Google privacy policies, saying that by reading the NYT you also have to be aware of the Google privacy policies, because the NYT uses both Google Ads and Google Analytics.

    In order to build apps on Google APIs, your end users are required to agree to Google's API terms. In this case I'm not sure they were required to do this, but it's pretty normal to have your users agree to third-party terms as part of your terms.

  • dougk16 6 days ago

    I spent a ton of time on making my site's privacy policy easy to read, while also discussing philosophy and some technical aspects, meant to be read by anyone who can understand simple English.


    Feedback welcome! It's time to come up with solutions! So post yours below as well!

  • ticmasta 6 days ago

    I did a similar, deeper review of less policies for my course work in Privacy Protection and Freedom of Information with some of the same conclusions around length & required reading level. It's worse than this though; Orgs like Facebook have dozens of documents that deal with what data they collect and how they will use it. Even identifying what comprises their "privacy policy" is a huge task.

    Another massive issue: unilateral, largely uncommunicated changes. Stack Exchange used to have a very handy regular (read: legalese) policy and a parallel "plain language" version that I can't find anymore. They still have a relatively decent policy but that's only because the average quality is so low.

    for context I was using Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's PIPA which is a scope similar to GDPR in many ways. PIPEDA is an interesting document; it's based on a set of expectations or statements that are decidedly "non legal" in nature which makes it very different from most laws

  • davidw 6 days ago

    I've never used the service, but these guys have tried to standardize and automate the generation of privacy policies:


  • hadrien01 6 days ago

    You need an account just to generate text?

  • davidw 6 days ago

    I just recalled it existed and posted it - you can go argue with the people at the company about how their site works.

    I would imagine that it's kind of vulnerable to people just ripping the text off if they're not careful.

  • lixtra 6 days ago

    Creative Commons like modular privacy policies could be a solution: https://www.achtungtechnik.de/english/2018/GDPR-statement-li...

  • heisenbit 6 days ago

    My understanding of the GDPR in Europe is that these policies inform consumers but do not bind them. There is a widespread practice to let consumers sign them everywhere but this piece of paper does not change much the requirements for the company under the law.

  • eitland 6 days ago

    For me it was very interesting to see what GDPR did did to Googles privacy policy: it seems to have forced them to simplify and shorten it.

  • itsaidpens 6 days ago

    Lawyers are awful.

  • 13415 6 days ago

    Luckily, these "contracts" are void in most European countries.