Americans’ privacy is protected on the Internet and mobile apps by a classic disclosure system — we expect those who collect, use, and transfer data to disclose their practices. The basic idea is that consumers, armed with full disclosure, can make informed decisions.
There’s just one problem. Hardly anyone reads privacy policies. (Except one important group.)
Consider the recent backlash against Unroll.me. Unroll.me offered a useful service — cleaning up user inboxes by automatically unsubscribing from newsletters and promotional messages. Many people, burdened by overstuffed inboxes, welcomed that service. They signed up for the service, used it, and took pleasure in their cleaned-up inboxes.
Until, however, they learned that their inboxes hadn’t just been cleaned up. The inboxes had also been mined for data, which Unroll.me resold to its clients. One particular tidbit came out in a New York Times Magazine article about Uber; that company had used data purchased from Unroll.me about the business of its rival ride-sharing service, Lyft.
When the news came out that Unroll.me didn’t just clean up inboxes, but also snooped around in them, the company got a windstorm of criticism, and its managers apologized and promised to change its privacy practices.
But in fact, Unroll.me had disclosed everything from the beginning. Its privacy policy informed users, “We may collect, use, transfer, sell, and disclose non-personal information for any reason.” And indeed, Unroll.me collected information (such as information about Lyft usage), anonymized the data to remove personal information, and sold it to interested parties, like Uber. It disclosed what it did, and did what it disclosed.
So why was there an outcry and a consumer revolt against Unroll.me when the news came out that it, well, did what it said it would do?
Very simply, few consumers read privacy policies. Some policies may be too long or too legalistic. But even when key passages are direct and to the point (like, “We may collect, use, transfer, sell, and disclose non-personal information for any reason”), consumers hardly ever pay attention to them.
The Federal Trade Commission has suggested that the problem could be solved if policies were “clearer, shorter, and more standardized.” But consumers brush over even simple bullet-point disclosures. And life and business aren’t standardized, so it isn’t feasible to fully standardize privacy disclosures.
All of which makes another recent development significant. The Oregon legislature passed legislation that would obligate companies to comply with their own privacy policies. A failure to comply would violate Oregon’s consumer protection law.
The idea, apparently, is that it’s not just consumers who aren’t reading the privacy policies, and that the companies who write and post them need a hammer to ensure that they read, understand, and comply with their own policies. It is an odd situation. A lot of effort goes into crafting privacy policies. But consumers rarely read them. Oregon lawmakers apparently think that companies don’t either.
Laws like Oregon’s will, however, further encourage and empower the one small group that we know avidly reads privacy policies: plaintiffs’ class action lawyers.
Mark Sableman is a partner in Thompson Coburn’s Intellectual Property group. He is the editorial director of Internet Law Twists & Turns.