Commentary

FTC Hears Debate About Whether Privacy Policies Can Work

You might not expect consumer advocates to laud a major bank these days, but Chase has done at least one thing that privacy expert Chris Hoofnagle finds praiseworthy: The company came up with a clear way to inform checking account customers that they will lose their overdraft protection unless they opt in.

Speaking at the Federal Trade Commission's roundtable discussion about online privacy, Hoofnagle, a lecturer at the UC Berkeley law school, noted that Chase's document includes passages in red ink that tell consumers in no uncertain terms that debit card transactions will be denied if they don't have money in their account, unless they sign up for overdraft protection.

"We don't see privacy notices that say anything that clearly or that urgently," Hoofnagle said.

Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University School of Law - Bloomington, was likewise critical, calling privacy policies "an unmitigated disaster."

He argued that once the FTC decided to enforce privacy policies as if they were contracts, any hope that such policies would communicate information was lost. That's because companies loaded up their policies with legalese-ridden terms that were aimed more at avoiding liability than at explaining to Web users how their data was being collected and used.

The FTC roundtable discussion comes as the notice-and-choice framework is facing heated criticism from some privacy advocates as well as policymakers like the Commerce Department's Daniel Weitzner, who recently told The New York Times that "there are essentially no defenders anymore of the pure notice-and-choice model."

There are good reasons why privacy policies -- at least in their current forms -- are under attack. For one thing, they're too long and complicated for people to understand. At the same time, for all their wordiness, many don't provide nearly enough information.

Consider: a recent study by the Berkeley School of Information found that most privacy policies of the 50 top Web sites were filled with loopholes. Among other things, the policies "contained unclear statements (or lacked any statement) about data retention, purchase of data about users from other sources, or the fate of user data in the event of a company merger or bankruptcy."

Hoofnagle raised an additional problem with privacy policies: He says some companies that allow consumers to "opt out" continue to collect data on consumers, but stop sending them targeted ads. That type of choice, he says, in which consumers are tracked yet don't receive whatever benefit comes from the tracking, "is completely illusory."

The current administration may well decide it agrees.
