New Online Tool Shows You What The Heck Privacy Policies Actually Say

We’ve talked about privacy policies a lot before. While they exist to give consumers information about what data is being collected and how it’s being used, they tend to share one big problem in common: aside from a few exceptions, most privacy policies are utterly impenetrable for the average reader.

They’re long. They’re dry. They’re in a particularly tortuous form of legalese, designed to maximize corporate butt-covering and not consumer understanding. They’re hard to find. And they’re so ubiquitous and dull that we ignore them.

So this week, a team of researchers from two universities is trying to make those policies a little more accessible, with a tool they call Usable Privacy.

Usable Privacy is a website launched jointly by Carnegie Mellon University and Fordham Law School to share some of their findings on privacy policy research. Right now, at launch, it has annotated privacy policies available for 193 websites; the researchers plan for that number to go up.

In a press statement, the researchers pointed out that studies show it would take an average user 600 hours to read all the privacy policies for their regularly-viewed sites. That’s 25 24-hour days — a month of your life, or 37.5 days of your life if you took sleeping breaks and nothing else — devoted entirely to learning where you stand… and that’s ridiculous.

“Our objective is to produce succinct yet informative summaries that can be included in browser plug-ins or interactively conveyed to users by privacy assistants that inform users about salient privacy practices,” said Norman Sadeh, the lead principal investigator of the study.

“While navigating our site, people will notice how complex and fragmented many privacy policies are,” Sadeh said. “The vast majority of statements are about first-party collection and third-party sharing and contain significant levels of ambiguity when it comes to determining exactly what is being collected and with whom it is shared.”

The tool is designed to let “lay users” — folks who don’t sit around reading privacy policies for fun, profit, and/or education all day long, so basically everyone — get a quick sense for what types of statements are being made in a privacy policy, without having to read the entire thing from start to finish with a notebook and a magnifying glass. It uses color coding to show how policies are organized and what types of collection, sharing, or retention practices they address.

With the color coding, visual bookmarking, highlighting and annotation all put together, Usable Privacy aims to reach two goals. The first is to demonstrate research and show off trends in the policies they’ve analyzed. For example, the visual bookmark sidebar shows how related concepts are not necessarily grouped together at all, but instead spread out into several different paragraphs or sections.

The other, though, is for the end users to be able to figure out more quickly just what’s going on. For example, Usable Privacy finds that NBCU’s privacy policy is written at a college-or-higher reading level and that it contains 256 total statements about data collection, use, sharing, and retention.

Those statements are grouped together into nine discrete buckets, with “First Party Collection/Use” being the biggest. (That pattern holds for the vast majority of sites that Usable Privacy annotates, although to different degrees.) 132 statements in NBCU’s privacy policy are identified as relating to how they, specifically, collect and use data and what data they collect.

Falling under that umbrella are familiar statements like, “When you use our online services we collect information through the use of Cookies and Other technologies” and “we use information to provide the services you have requested,” which are basically how the internet works. However, it also warns of data bleed-through: “If you visit our online services on a device through which you also interact with social networks or if you interact with us through a social media function such as a plug-in (for example, a Facebook “like” button) then you may be permitting us to have on-going access to some information from your social network profile.”

The next most common statements (57, total) concern third-party sharing and collection, like “we may disclose your personal information to … protect our legal rights,” or their right to sell your data as an asset belonging to a business unit if they sell that business unit.

About Do Not Track, they only say, “NBCUniversal does not currently take actions to respond to Do Not Track signals because a uniform technological standard has not yet been developed. We continue to review new technologies and may adopt a standard once one is created.”

The analysis goes on from there, and readers can navigate using either side panel to go directly to certain kinds of content, as well as just scrolling through the core policy text itself.
