Privacy Policy Ponderings

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure

Most if not all websites will (or should) contain a link to a Privacy Policy at the bottom of the page. The Privacy Policy will, in either great or vague detail, describe what information is collected, how the information will be used, and potentially what rights are given to the user. Privacy Policies are frequently dense and full of legal language.

The implementation of various new privacy schemes (whether GDPR from Europe or CCPA from California) has resulted in jurisdiction-specific statements and language being added to the Privacy Policy. The new language is driven by the requirements of the new laws, but it adds to the length of the policy and can generate confusion as to whom the language applies.

Regardless of the contents or how the Privacy Policy is set up, the terms will almost always state that a user agrees to the policy just by using the website or applicable service. The agreement occurs even if the user never views or reads the terms of the Privacy Policy. That approach is arguably understandable, as requiring specific agreement or consent prior to use would likely interfere with the ease of using a website. However, the lack of attention to the details in the Privacy Policy means users will not know what they could be giving up in the data that is entered or collected through the website or applicable service, an issue that is especially true for applications that are free. As the saying goes, there is no such thing as a free lunch, and that is especially true when it comes to data.

Contracts of Adhesion?
Could a Privacy Policy be viewed as a contract of adhesion? First, that raises the question of what exactly a contract of adhesion is. It is a standard-form contract that is drafted by one party, often the one with more leverage, and presented to another party for acceptance without the opportunity to negotiate or modify the terms of the agreement. A contract of this nature is often used in consumer settings to make transactions proceed more smoothly or to avoid unexpected outcomes for the party presenting it.

While a contract with no room for negotiation seems unfair, a contract of adhesion will still generally be enforceable. One of the keys to enforcement when a court reviews such a contract is whether there are any unconscionable, hidden, or buried terms in the agreement. That boils down to making each statement known and not trying to hide the ball from the user. Given the prevalence of so-called click-through agreements or agreements through use, how many users have any awareness of the terms that are being agreed to? The answer is likely few if any.

The often dense nature of a Privacy Policy adds to the difficulty of understanding it, or of even getting anyone to review it. Most webpages display a Privacy Policy as a dense block of text that, if the user is lucky, may be broken up by headings. Some policies attempt to use everyday language as opposed to legalese, but that still leaves a lot to dig through.

Despite many users not reviewing the terms of agreements like Privacy Policies, there is still a recognizable benefit to enabling agreement through simple use: the user is not interrupted before being able to use the website or service.

Expanding Privacy Concerns
As noted, attention to privacy and the use of data has been increasing at a steady pace over the past few years. That attention resulted in the passage of new laws meant to enhance the rights of individuals in their own data. The rights focus on access, determination, and potentially control. The new schemes are a reaction to the proliferation of data and the view that such data were being exploited without the individual having any say in that exploitation.

As suggested, the new rights, at least within the United States, are fragmented. At this point in time there is no overarching federal privacy scheme, leaving the states to adopt patchwork laws that apply only within the boundaries of each state. Suggesting that the rights exist only in a particular state, though, somewhat ignores that nothing on the internet is so neatly contained. As a result, the most restrictive or proscriptive state law could become a de facto national standard.

While standards may develop in that way, for a Privacy Policy it means inserting heavily qualified language that arguably needs an accompanying decision tree to determine when and how the rights or obligations apply. The average user would not necessarily know the nuances of the law or laws driving the state-specific language.

A Better Way
With all of the attention and concern around privacy, is there a better way? The variety of interests and the scope of information to include certainly present a challenge, but it also feels possible to present the information in an easier-to-digest manner. One first attempt, which I got to work on, is the Privacy Policy for Carium. While the more standard document that dives into many of the usual terms and details is still present, the initial presentation is in shorter blocks of text that give a high-level explanation of what is being laid out. The goal was to encourage users to engage with the Privacy Policy instead of going right past it.

The effort built upon the concepts laid out by Sage Bionetworks in a guide for patient-centered informed consent. The premise is to present legal terms in a concise, easy-to-understand manner. The challenge of meeting this goal is readily acknowledged. However, the opportunity to distinguish and set apart a Privacy Policy by following these concepts is intriguing. The question comes back to why not explore such options as a means of being friendlier to users.

Using plain English in a Privacy Policy does not mean sacrificing protections, though. A Privacy Policy should set out clear legal rights and interests, but legal protection does not have to equate to making those terms hard to understand. An ideal guiding principle for legal drafting would be ensuring that everyone who picks up the document can understand it. Drafting so that only an attorney can understand it is not necessarily helpful.

What Comes Next?
Continuing to move away from dense, overly complex Privacy Policies could help foster more trust between companies and users. Both sides need each other, so why not be more honest and clear about what is happening? Such an approach is a shift in thinking about how Privacy Policies work. Given the potential upside, how many will make the jump to experiment? That is not known, but hopefully time can be devoted to standard documents like Privacy Policies to move away from the old routine and set a new standard.

This article was originally published on The Pulse blog and is republished here with permission.