We've discussed the stupidity of privacy policies many times in the past. Honestly, it's an idea that serves no useful purpose, yet most sites are required to have one, and if you don't, people get all upset. But no one reads them, and most people incorrectly assume that if a site has any privacy policy, they must keep data private.
The reality is that the incentives of a privacy policy are to not use it to keep your info private. In fact, the incentives are to make a privacy policy as permissive as possible. Because the only time you get in trouble is not if you fail to protect someone's privacy... but if you violate your own privacy policy. So companies have the incentive to write a privacy policy that is as permissive to the company as possible, so that they're less likely to avoid violating their own privacy policy. That is, conceptually, the best privacy policy for a company is one that says "we don't take your privacy seriously at all and share all your data," because then they'll never break that policy. Of course, companies don't go that far, because that's pretty extreme -- but it does lead to vague privacy policies that no one reads anyway. Oh, and even when people do read them, almost no one understands them.
In fact, a new report notes that if you actually bothered to read all the privacy policies you encounter on a daily basis, it would take you 250 working hours per year -- or about 30 workdays. The full study (pdf) by Aleecia M. McDonald and Lorrie Faith Cranor is quite interesting. They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words) and recognize that at a standard reading pace of 250 words per minute, most privacy policies take about eight to ten minutes to read. They also ran some tests to figure out how long it actually takes people to read and/or skim privacy policies.
They put all of this together and estimated that it would normally take a person about 244 hours per year to read every new privacy policy they encountered... and even 154 hours just to skim them. They used some variables to create a lower and upper bound estimate as well:
They then go further to try to estimate the cost to the economy of all this privacy policy reading, but I always finds such extrapolations to be pretty meaningless. They assume a constant return on time, so just like bogus studies about how much personal surfing "costs" the economy, those figures seem totally meaningless. But the amount of time estimates do seem completely valid.
And, here's the thing: that's only for privacy policies. Imagine if you read terms of service and end user license agreements too... Of course, sometimes those include little hidden gems. Like the time a company put a clause in its EULA that the first person to read that clause and contact them would get $1,000. It only took four months for someone to actually spot it.
Posts
No comments:
Post a Comment