Brief thoughts on privacy policies

I came to the conclusion a while ago that a privacy policy is not really a legal document. It’s a document that has legal ramifications, yes, but in the same way that anything a business says has legal ramifications. Perhaps I should rephrase my first statement: I don’t think the privacy policy should be perceived as a legal document.

The privacy policy, for the last decade or so, has been the easy way to comply with privacy laws and regulations. It’s one document which checks all the boxes for most privacy requirements out there. All privacy frameworks require some sort of notice to be given to users about privacy practices. Some are explicit that organizations need an actual privacy policy document, but not all of them. The US-EU Safe Harbor Framework, for instance, only says: “An organization must inform individuals about the purposes for which it collects and uses information about them … This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.” (The EC’s FAQ however does mention a privacy policy.)

In Australia, NPP 5 and the proposed replacement UPPs do require a discrete Privacy Policy – but this is in addition to a general notification requirements (NPP 1.3, UPP 3).

In the online world, all you really deal with is information, and so figuring out how personal information and other data flows can be an intricate task. It’s tricky enough for people working inside an organization to figure this out (imagine how the privacy people at Facebook feel when all the engineers are working on 101 new features at once and they are trying to keep up with where all the data is going). So, when it comes to communicating all of this to an outsider, you can imagine the difficulty this presents. This is why you end up with privacy policies many thousands of words long. They’re virtually useless in the real world.

For some time now, people have regarded that privacy is merely a matter of having a privacy policy and making sure that an organization sticks to it. No longer.

The world is gradually beginning to realize that privacy is actually about helping people to understand what is happening to their information. Not just in theory, but in practice. Just because the information there, but buried somewhere in that policy, doesn’t mean it’s going to be helping anybody understand anything.

No one reads a privacy policy from top to bottom (with the exception of, in my experience, lawyers, compliance officers, and Germans). But people do read privacy policies to find out specific things. Are you going to sell my data if I give it to you? Do I own my data? Will you still keep my profile if I decide to delete my account? Unfortunately, this information can be pretty hard to locate – you almost need an FAQ for the privacy policy.

So now we see the gradual introduction of condensed privacy policies, layered privacy policies, and more interestingly “just in time” privacy notices. For example, when you have an iPhone App that wants to grab your location, you get a popup asking if you want to disclose it. The thing is, people only care about certain things, and most of the time it’s obvious.

When I install a Facebook App, my most immediate concern is: is it going to post stuff on my wall without asking me first? And then, what profile information is it going to grab from me? Facebook’s JIT notice doesn’t do a very good job of answering these two questions.

If you use Foursquare, your main concern is: exactly who is going to have access to my location information and how can they use it? And then, if I decide to leave after I try your service for a day, will you delete all my data?

Of course, there’s a tension between what the business guys think will increase conversion rates, and what’s good privacy practice, but that’s another topic for another day.

Anyhow, that brings me back to the privacy policy. Obviously it’s not working, but yet it’s kind of necessary. If the way a business handles information is complicated, there’s no possible way you can explain it in a single screen. So, what to do?

You have to get away from the idea that the privacy policy is a legal document. It’s a help document. It should be accessible.

Why don’t more privacy policies have pictures? Videos? Interactivity? Why aren’t they structured in a way that makes it easy for people to zero in on what’s really important to them?

Instead of burying the important stuff, bury the boilerplate – the stuff everyone already expects (e.g., everyone tracks visitors using web bugs, this is not a surprise to most users). Answer the customer’s most burning questions clearly and you’ll implicitly be conveying that you acknowledge what the customer really cares about. That sounds trust-building to me. If your privacy practices, when disclosed upfront, turn a customer off – then imagine how they will feel if they sign up, use your service, and then find out about it later?

  9:19pm  •  Law  •  Tweet This  •  Add a comment  • 

When an hour is worth more than an hour: calculating your hourly rate

Some industries are known for their brutal work hours. For example, if you’re a service provider involved in helping large cap companies with their M&A transactions, it’s likely that you’re not a stranger to the 100+ hour work week. Although the remuneration for these jobs is usually very high relative to other occupations with more reasonable hours, cash compensation is often normalized by converting it to a per hour metric. Take your salary+bonus and divide it by an estimate of the number of hours you work per year. If you work 50% more hours than your peer but only get paid 20% more, your peer is actually making 20% more than you when you convert it to an hourly rate. Of course, absolute remuneration still counts for something – if you are making 20% more per hour, but are limited in the number of hours you can work, you can’t really take advantage of that better rate to make more money. And salaried workers don’t get paid by the hour, so the question is moot – you can’t make more money in your job by working more hours. You have to use the extra time you have to find another source of income.

But back to the idea of calculating an hourly rate. On reflection, I think that this simple calculation doesn’t take into account quality of life considerations. After all, an hour of work spent between 3-4pm is a lot different to an hour of work spent between 3-4am. It’s far less enjoyable when you’d rather be in bed, for one (I always say, I don’t care how much you enjoy your job – it’s hard to enjoy anything at 8am when you’ve just pulled an all-nighter). To account for this, we need to assign a greater value to time which is outside of “normal” working hours. For example, outside of the usual hours most people work, say 7am-7pm, you start to give up things that most people don’t. Dinner with friends, your own free time, sleep, and, potentially in the long term, health. So, if you work from 8am to 11pm, that 15 hour day should actually be considered to be worth more than 15 hours, because at the end of the day you begin to sacrifice things that most others don’t. I think there needs to be a graduated scale, with abnormal working hours being weighted with a multiplier.

One model of this could be as follows:

For example, if you typically work a 70 hour week, with 12 hour days from 9am-9pm and 10 hours on the weekend, then each weekday would actually be considered to be a 12hr 30min day, and work on the weekend would count as 12.5 hours, giving a total of 75 hours. Another example is if you pull a 9am-3am day, the 18 hours actually counts for 22h45m (12h + 3h45m + 4h + 3h). The result is a decrease in your effective hourly rate of compensation.

The numbers I have picked are arbitrary, but my main point is the concept. Ultimately if you genuinely love your job and there’s nothing else you’d rather be doing (as is the case with many entrepreneurs), the hours don’t matter as much. However, weighting hourly calculations this way is a good way to quantitatively factor in other important things in life, like health, relationships, and so on. Different people may choose to weight numbers differently depending on what’s important to them in life. The next time you try and figure out if a job has really been “worth it”, consider the quality of the hours you’ve had to give up.

  11:04pm  •  Life  •  Tweet This  •  Add a comment  •