Privacy isn't public knowledge
Online policies spread confusion with legal jargon
By Will Rodger, USATODAY.com
Most major Web sites now have privacy policies explaining how they collect and use
personal information gathered from visitors. The government has long pushed for such
policies, and companies hope that if sites post them voluntarily, Congress won't step in
and pass restrictive privacy laws.
|Expert wants to spread understanding
Hochhauser, a psychologist from Golden Valley, Minn., has focused for more than 15 years
on measuring the clarity of the written word.
Being a readability consultant may sound academic, but it has real-world implications few
Subjects of medical experimentation, people who rent automobiles, employees in need of
understandable rights in the workplace - all need language they can understand.
So where others obfuscate, Hochhauser, 53, elucidates.
"Historically, a lot of things were done to people without their permission," he
Now, large, well-funded organizations are dealing with individuals on the Internet. And
again, the imbalance between companies whose operations are closed to outsiders and
technologically naive consumers gives Hochhauser pause.
He got into the field in 1985 after he became concerned that AIDS prevention brochures
were written in language most Americans could not understand. While at the University of
Minnesota student health service, Hochhauser created a national stir at the annual meeting
of the American Psychological Association when he showed that many brochures required the
reading comprehension of a college sophomore - leaving most Americans out in the cold.
Hochhauser says that after analyzing the sites, he's convinced that most Web privacy
but if no one understands it, it's pointless. It does something for the organization, but
nothing for the consumer."
Few argue with the importance of disclosure. But do big Web sites want you to
understand what they tell you? Maybe not, suggests an analysis by an independent expert
for USA TODAY of the privacy policies of 10 major sites.
To understand the scope of the problem, consider the policy of Yahoo!, the Net's most
Many of the Web sites have been certified by industry bodies such as TRUSTe. But without
exception, policies are ponderous, full of jargon or written so as to leave many surfers
scratching their heads, says Mark Hochhauser, the psychologist and linguistics expert who
analyzed the sites.
Every policy studied is written at a college level or higher, he says. And in a nation in
which most people read at the 10th-grade level or below, that means a minority will
understand the policies. "If you really don't want people to understand, write it in
legalese and have it run on for four or five pages. People will say, 'To hell with it,'
" he says.
Privacy policies began showing up on the Web four years ago, but many policies continue to
be confusing because privacy is inherently complex.
"If you make it easy to read and simple, it often doesn't say much," says Ed
Black, head of the Computer and Communications Industry Association. "If you get into
details, it can become complicated."
But Robert Pitofsky, a lawyer for more than 50 years and chairman of the Federal Trade
Commission, which monitors privacy online, says even he has difficulty. "Some sites
bury your rights in a long page of legal jargon so it's hard to find them and hard to
understand them once you find them," Pitofsky says. "Self-regulation that
creates opt-out rights that cannot be found (or) understood is really not an acceptable
form of consumer protection."
Pitofsky won't point fingers on the record, but examples aren't hard to find. A single
sentence in the policy of HealthCentral, for instance, has 174 words.
"If the sentence is too long, you can't keep it in your short-term memory,"
Hochhauser says. That can happen with as few as 30 words, he adds. Word choice also is
important; here, too, policies come up short. "Most people rely on a few hundred
words in the course of their day. Why would the average person have a legal
vocabulary?" he says.
In a few weeks, the FTC will release the results of its second audit of Web privacy
policies. The agency will look at how many sites have privacy policies, as it did in 1998.
But for the first time, it also will look at how hard the policies are to understand.
"These privacy policies are a consumer fraud" and violate federal law, says Joel
Reidenberg, a professor of law at Fordham University and author of a seminal book on U.S.
privacy law. "To provide a notice that most Americans cannot understand and argue
that that is sufficient is utter nonsense."
All of the sites analyzed have been involved in privacy controversies, and all but two
were among the 20 most visited sites on the Web, according to Media Metrix. The FTC is
investigating three - HealthCentral, Yahoo! and DoubleClick - over complaints that they
have violated users' privacy.
The policy, when printed out, takes eight pages. It has 3,405 words and 167 sentences.
Some passages raise more questions than they answer. "As a general rule, Yahoo! will
not disclose any of your personally identifiable information except when we have your
permission or under special circumstances, such as when we believe in good faith that the
law requires it or under the circumstances described below." But Yahoo! does not say
what is required by law, let alone how it determines "good faith."
Hochhauser concedes that many consumers are used to dealing with fine print and legal
language in contracts. Consumers also have a general idea of what to expect, and a long
history of consumer law protects against many abuses.
But that is not the case on the Internet, privacy advocates say. Instead, consumers must
wade through language drafted by high-priced lawyers.
Robert Gellman, a Washington, D.C., lawyer and privacy advocate who writes policies for
commercial Web sites.
So what's the solution? "Laws," he says flatly. "We need laws to protect
Some sites let consumers opt out of being tracked, but that doesn't guarantee that other
practices are user-friendly. Consider DoubleClick, which made headlines after a USA TODAY
investigation reported it had begun tracking Net users' movements by name without
permission. After weeks of controversy, DoubleClick said it would delay further
implementation. The company remains under investigation by the FTC and at least four
DoubleClick's site discloses that users will be tracked by name when they visit the more
than 11,000 sites with ads placed by the company. Double Click says it will do so only
with your "permission." It doesn't tell you that it assumes it has permission
unless you explicitly opt out.
Here's what you have to do:
Read the first 1,468 words of the policy.
Click on a link to another page.
Read 650 more words that tell you why you shouldn't opt out.
Click on a link to a third page.
Read 200 more words urging you once again not to opt out.
Click on a final link to opt out of the program.
read and comprehensive," DoubleClick's Josh Isay says.
But policies may change at any time, and changes are not flagged. Unlike most contracts,
the policies examined were not dated. The upshot: Visitors must reread a policy every time
they visit a site.
"All of these policies can be boiled down to three simple words," says privacy
advocate Jason Catlett of Junkbusters. "Subject to change."