
The popovers are the result of government innovation. I'm skeptical whether it's actually possible to get people to read the privacy policy before using a website.


It would help if privacy policies were brief and clear.


Edit: just realized pbhjpbhj has written much of this elsewhere in this thread, upvote that instead, although I'll keep mine since it is slightly different: https://news.ycombinator.com/item?id=20607528

It would help if companies could respect the rules in the EU that say data collection should be voluntary and opt in.

Then the privacy policies could be really short.

That said I agree with others that reasonable standard policies would be great for both consumers and businesses:

Something like the Creative Commons licenses comes to mind:

- 0, green: nothing (no analytics, no state, so no login possible)

- sessions, green: login possible

- telemetry, yellow: anonymized, short lived (< 3 business days) data, not linked to use, not shared outside of development

- 1st party analytics, yellow: like telemetry but longer lifespan and shared outside of development

- 3rd party analytics, red: uses Google Analytics standard edition or any other 3rd party tracker that shares data


The GDPR does actually contain a provision - Article 12(7) - which allows for that sort of indicator:

>The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.


Which is why the EU has already mandated that. But privacy is a complicated issue, so there are limits to how brief a complete policy can be; just the suggested template[1] is a four page PDF.

[1] https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Priva...


One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.

Such info could be tagged in page head and then you could do things like search for a forum that doesn't (according to policy) use your data for revenue (or share it outside the named business -- perhaps that's "PP0", in analogy to CC0), etc.

Just thinking on my feet, E&OE.


P3P header? What’s old is new again?

https://en.wikipedia.org/wiki/P3P
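As an added example that is not part of the thread, the following Python script shows what machine-readable privacy declarations look like when a client actually consumes them. It covers both the real (now deprecated) P3P compact-policy HTTP header, whose syntax is `P3P: CP="TOKEN TOKEN ..."`, and the hypothetical `<meta name="privacy-standard" content="EU-PP0">` page-head tag sketched in the "EU PP0, PP1, PP2" comment, mapped onto the green/yellow/red tiers proposed earlier in the thread. The meta tag name, the tier codes and their colours are assumptions for illustration; the P3P token subset and their meanings are paraphrased from the W3C specification. The checker also demonstrates the two failure modes a practitioner cares about: a header that is not a real compact policy at all (the kind of non-policy string some vendors shipped to satisfy browser checks) and a declared tier that contradicts the P3P tokens.

```python
"""Added example, not code from the thread or from any project it mentions.

Reads a page's privacy declaration in two forms and classifies the page:
  * the real P3P compact-policy header, syntax  CP="NOI DSP COR NID"
  * a hypothetical <meta name="privacy-standard" content="EU-PP0"> tag
    (assumed scheme; modelled on the CC-style tiers proposed in the thread)
"""
import re
from html.parser import HTMLParser

# Hypothetical tier codes -> colour (assumption, not an existing standard).
TIERS = {"EU-PP0": "green", "EU-PP1": "yellow", "EU-PP2": "red"}

# Small subset of real P3P compact-policy tokens; meanings paraphrased from the W3C spec.
P3P_TOKENS = {
    "NOI": "no identifiable information collected",
    "NID": "data not linked to an identified person",
    "DSP": "dispute resolution described in the full policy",
    "COR": "inaccuracies are corrected",
    "OUR": "data shared only with ourselves and our agents",
    "IND": "data retained indefinitely",
    "NAV": "used for navigation / clickstream analysis",
    "CNT": "used for content customisation",
}

# A compact-policy token is three upper-case letters plus an optional a/i/o qualifier.
_TOKEN_RE = re.compile(r"[A-Z]{3}[aio]?")


def parse_p3p(header):
    """Return the list of CP tokens, or None if the header is not a real compact policy."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header or "")
    if not m:
        return None
    tokens = m.group(1).split()
    # Free-text "policies" such as 'This is not a P3P policy!' fail this shape check.
    if not tokens or not all(_TOKEN_RE.fullmatch(t) for t in tokens):
        return None
    return tokens


class _MetaExtractor(HTMLParser):
    """Pulls the hypothetical privacy-standard meta tag out of a page's <head>."""

    def __init__(self):
        super().__init__()
        self.standard = None

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            if a.get("name") == "privacy-standard":
                self.standard = a.get("content")


def declared_standard(html):
    p = _MetaExtractor()
    p.feed(html)
    return p.standard


def classify(html, p3p_header=None):
    """Return (tier_colour, notes); undeclared or unrecognised declarations are 'unknown'."""
    notes = []
    std = declared_standard(html)
    colour = TIERS.get(std, "unknown")
    if std and colour == "unknown":
        notes.append(f"unrecognised privacy-standard value {std!r}")

    if p3p_header is not None:
        tokens = parse_p3p(p3p_header)
        if tokens is None:
            notes.append("P3P header present but not a valid compact policy")
        else:
            for t in tokens:
                meaning = P3P_TOKENS.get(t.rstrip("aio"))
                if meaning:
                    notes.append(f"{t}: {meaning}")
            # Consistency check: a 'green' tier claims short-lived, unlinked data,
            # which an indefinite-retention token contradicts.
            if colour == "green" and any(t.startswith("IND") for t in tokens):
                notes.append("conflict: tier green but P3P declares indefinite retention")
    return colour, notes


def find_sites(pages, allowed=("green",)):
    """Filter constructed (url, html, p3p_header) triples to the tiers a user accepts."""
    return [url for url, html, hdr in pages if classify(html, hdr)[0] in allowed]


# Constructed sample pages (not real sites).
SAMPLE_PAGES = [
    ("https://forum.example/a",
     '<html><head><meta name="privacy-standard" content="EU-PP0"></head></html>',
     'CP="NOI DSP COR NID"'),
    ("https://forum.example/b",
     '<html><head><meta name="privacy-standard" content="EU-PP2"></head></html>',
     'CP="This is not a P3P policy!"'),
    ("https://forum.example/c",
     '<html><head><title>no declaration</title></head></html>',
     None),
]

if __name__ == "__main__":
    for url, html, hdr in SAMPLE_PAGES:
        colour, notes = classify(html, hdr)
        print(url, colour, *notes, sep="\n  ")
    print("acceptable:", find_sites(SAMPLE_PAGES))
```

The shape check in `parse_p3p` is the important part: a client that only tests for the presence of a `P3P` header, rather than for a parseable token list, can be satisfied by an arbitrary string, which is one reason the header stopped meaning anything. Any mandated successor scheme needs the same distinction between "a declaration exists" and "the declaration is well-formed and consistent", plus the audits the thread mentions to tie it to actual behaviour.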


Wow, I didn't know this existed! And very interesting to read why it failed.

That is something I'd like to see standardized and mandated - complete with mandatory audits so it doesn't fizzle out like it did last time.


Does anyone know if anything still takes a look at it nowadays?

Also, maybe it would work if it was legally enforced now? I suspect this was a case of Too Soon™.


It is officially deprecated, even by Microsoft it seems.


> One way to do this would be to have privacy standards. EU PP0, PP1, PP2, etc., that would conform to particular uses of one's data.

Or at least have those as standardised starting points that cover the routine points that will be the same for 90% of data processing operations, so you only have to specify additional detail for things that might be unusual or surprising.

If you look at the template privacy policy that SpicyLemonZest linked to, a large proportion of it is boilerplate that covers either reasonable and normally expected data processing or standard notifications required under the GDPR etc. Repeating that more-or-less verbatim on every website someone visits today doesn't help either that person or those websites.

It would simplify things greatly if instead of all that boilerplate, a short list of one-liners is all you need to state if you're only performing normal data processing for common purposes, as defined by official privacy standards along the lines pbhjpbhj suggests but perhaps specific to each common purpose. Then you only need to elaborate on anything unusual or particularly sensitive, and anyone interested in how you're processing data about them can quickly identify such cases (or verify that there aren't any and they don't have anything to worry about).


> It would help if privacy policies were brief and clear.

And the way to do that is standardisation.

In many situations, at least here in Europe, you can go about your normal life without worrying too much about tricky contracts catching you out. There are consumer protection rules that restrict what can be done, prohibiting it entirely in some of the most serious cases, but also setting out reasonable expectations in some sense so that any business wanting to violate those expectations has to be clear about their alternative or might find it doesn't stand up if challenged.

One difficulty with the online world at the moment is that because it's very international in nature, even rules that apply across say the whole EU or at federal level in the US don't necessarily provide any guarantees to visitors of websites or recipients of emails because the business or other organisation they're dealing with might not be in the same jurisdiction as them.

On top of that, these big data-hoarding organisations pose an unprecedented threat to our privacy and ultimately to our freedom and way of life because there is an unprecedented amount of data collection and processing going on. Some things didn't really matter much at a small local scale, like the person passing you in the street seeing your face and knowing you were there at that moment in time, yet forgetting you a moment later. The exact same data points can matter a great deal more when we're talking about huge numbers of them being collected and collated by a single entity that can then process a more informative data set in ways that would never have been possible in the simpler case. Now the marketer or the government or the criminal who hacks the marketer or bribes the government official has a detailed record of your normal daily movements and any anomalies, or your spending patterns across everywhere you shop and everything that says about you, and so on.

We need a clear basic framework for what we as a society are and are not willing to permit in these areas, for how we trade off the potential advantages of organisations that might genuinely be trying to help us having access to more data against the potential risks of organisations that are not necessarily acting in our best interests having access to more data, even if in some cases they might be the same organisation using the same data in different contexts.

I personally regard the GDPR as a swing and a miss in this context. The intent might have been good, but it's so complicated and ambiguous that in many ways it creates problems rather than solving them. Crucially, that is particularly true for organisations that were trying to be responsible about how they work with personal data and privacy issues, which might have been looking to the GDPR and the national regulators for clarity about the ethics and legality of different practices with pros and cons.

So there have been some moves in positive directions recently, but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records. Does it really help anyone to declare obvious and indeed legally required behaviour like that, or is it just noise?

To pick a less obvious example, maybe we should have clear defaults about analytics. For example, perhaps a business is allowed to monitor how its customers are using its own hosted systems by default, but activities like accessing users' personal data uploaded to those systems for other purposes, exporting users' personal data from their local devices, or sharing any of this data with third parties requires explicit disclosure and maybe some level of consent.

Privacy policies could indeed be much clearer if only the exceptions to common sense had to be declared in some standardised way, and if an acceptable definition of "common sense" were itself provided somewhere through legislative or regulatory means.


The GDPR isn't a bunch of rules, it's a process. It's no different to your health and safety process. You define your process, what data you have and where it is and any risks.

Personally, with massive PII dumps getting leaked every week I'm not surprised governments are starting to act.

> but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records.

No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.


Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.


Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or giving them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.


> Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

That's debatable. The GDPR itself explicitly notes [Recital 47] that even direct marketing can constitute a legitimate interest.

However, there are specific provisions for that case, particularly the explicit provision [Article 21, para 3] that if the data subject objects to processing for direct marketing purposes then that is black and white and that processing must be stopped.


Yes you do [have to state that in your privacy policy].

Compliance with a legal obligation is valid grounds to store and process data, but the information requirement still applies - you need to inform the customer what you're collecting and why, you just don't need their consent in this case.

E.g. the GDPR article 13.1.d / 14.2.b - you need to inform the data subject about what exactly is your legitimate need that justifies the processing of data; and customers then can judge whether that need (and the collected data for it) seems reasonable or warrants a complaint to the regulator.


> The GDPR isn't a bunch of rules, it's a process.

The GDPR is an EU regulation. An EU regulation is a bunch of rules that have direct legal effect across the Union.

> No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

That's a legal basis for processing, which you also have to disclose. It doesn't exempt you from disclosing other required information such as the types of personal data you're collecting or your policy on retention.



