It's no secret that online privacy policies aren't the easiest documents to understand. As far back as 2008, researchers at Carnegie Mellon University reported that actually reading an online privacy policy would take 10 minutes on average. In other words, it would probably take people longer to read the privacy policy of any given site than to read whatever articles or other content drew them to the site in the first place.
Now, a California lawmaker is hoping to prod the industry into changing that. Ed Chau has proposed Assembly Bill 242, which would require privacy policies to "be written in clear and concise language," and at "no greater than an 8th grade reading level." The bill also says privacy policies must state whether users' personally identifiable information may be shared and, if so, with whom.
California already requires Web site operators who collect personal information to offer privacy policies, but the law doesn't yet mandate the level of detail that Chau would like to see.
He says that one reason he's pushing for the law is that "many privacy policies actually create a false sense of privacy for the average consumer," according to The Sacramento Bee. Chau added that consumers end up just scrolling through without reading the documents.
Chau isn't the first to make those observations. Several years ago, researchers at UC Berkeley reported that consumers tend to assume that companies that have privacy policies also have good privacy practices. "In a way, consumers interpret ‘privacy policy’ as a quality seal that denotes adherence to some set of standards," reads a summary of the report.
Despite the well-known problems with privacy policies, Chau's recommended fix doesn't seem very practical in today's complex Web environment, where even industry experts have a hard time keeping up with the new ways in which ad networks and exchanges collect and use data. That's especially true given that Chau's bill also requires that privacy policies offer precise details about data collection and use. Among other requirements, Web site operators would have to tell people the categories of personally identifiable information that are collected, as well as the categories of third parties that receive information about users.