Reform needed as Australians are drowning in privacy policies

Our recent survey indicates that Australians are asked to read and consent to 116 privacy policies – or 467,000 words - as we go about using common products and services. The volume of the often confusing policies mean that it’s almost impossible for people to give ‘informed consent’ when agreeing to a policy, and CHOICE thinks it’s time for this to change:

7 Likes

The average privacy policy was 4000 words. Are they this way because the lawyers who write them like to charge by the word or are they padded out with the intention of discouraging the user from reading them? I can’t believe that saying what data you collect and what you are going to do or not do with the data would take more than 500 words if the author intended to be concise.

Obviously there is a spread around that average. @BrendanMays could you say what the maximum and minimum are? My guess is that some are much longer, so they are saying much the rest are not, or just using more words. Some are much shorter, so why can’t the rest be like that?

6 Likes

So how did the privacy policy of the Choice websites go when tested? You did test them?

6 Likes

May I generalise this and say that there should be a push to reduce legalese relating to everyday issues.

Last week we had the thread with the lady in a retirement home, and her lawyer had trouble understanding the contract. We have policies we have to agree to every-time we want to do just about anything new online, every-time we join a discount group, etc. We are drowning in words that most people don’t even read.

There should be a push to make all legal agreements and contracts in plain English, simple, and brief.

9 Likes

I’ll have to double check with the data team about the upper and lower limits. UK consumer group Which? put together this table of combined privacy and T&C document wordcounts:

The CHOICE Privacy policy is 2264 words, it is a focus for CHOICE to be following the best practices in this as well. Having a clear and concise policy is a big part of the suggested solution, but so are effective privacy laws. With so many services online now, it would be good to have a baseline of what privacy practices we should be able to rely on.

EDIIT: Here is a bit more detail in the numbers from our survey. Microsoft was the longest at 14,861 words, and the Tripview app was the shortest with just 284 words. Shorter isn’t necessarily better as important details might be lacking, there is an interactive table in the article here with more details:

6 Likes

We don’t really have any privacy rights anyway. Our date of birth, phone number and address are given to thousands of people in India, the Philippines and Indonesia, and these countries have huge markets in identity theft.
I think people should have more rights… The privacy policies are a problem, as are the terms and conditions… Hopelessly long winded and contorted. Designed to make you give up. I have, in the past, returned computers and other devices because I don’t agree with the terms and conditions. I wish millions of other people would do the same. That might change things.

3 Likes

The only way to achieve that is with blanket legislation of rights and obligations. Unfortunately, nothing can prevent a company unilaterally adding constraining terms with legalese such as “to the maximum extent permitted by statutory rights and obligations …” prefacing the terms they wish to drown you in anyway. The worst of all terms is along the lines of “These terms and conditions are updated from time to time, and published on our website. Your continuing use of the products and services shall be under the latest terms and conditions, as amended…”

…Which makes reading them a waste of time in the first place, because they can change them without informing you - and with your implied agreement by default…

The other joy is needing to create an account before ordering a product, only to find that the company doesn’t have the product, or some other reason for the transaction to not proceed. They still have your data, and you’ve already been forced to agree they can keep it and use it for all of the vague purposes stated in the privacy “agreement”. It would be more appropriate if the “agreement” was called “The terms and conditions describing the extent to which we can abuse your data…”

4 Likes

I’d like to nominate the Meta (Facebook) privacy policy as the worst one I’ve ever seen. I went to read the latest version and gone are the days of simple headings (What We Collect, How We Use It). Instead we have this jumble of tables, infographics, sub-menus and endless links.

Forget an overwhelming number of privacy policies, this is overwhelming on its own.

1 Like

Renewed calls for privacy reform:

3 Likes

It’s made me think about the local plumber (total of 2+apprentice staff) who is now using a third party product to manage contacts, bookings and invoicing/billing. In that instance linked to my mobile number. I’ve noticed at least one other small local service using the same product.

Do my dealings with these smaller businesses evade the current legislation, while their chosen service provider is free to do as it pleases? I’ve not entered knowingly (EG have not registered) into any agreement with their service provider or been offered T&Cs or a privacy policy.

One such service:

ServiceM8 is so in tune with a business it tracks the staff by their time and locations. It also knows where they are going to be for the next job and sends out alerts advising of their arrival at your home will be in ‘nn’ minutes. For the business it’s a very effective tool. For the customer, possibly one way to feel informed and cared for. Others may suggest different feelings.

For the data the system holds, and the possibility ServiceM8 can track a single customer across multiple clients - it looks very much like an open book. Note ServiceM8 can also handle online cold inquiries for forwarding to the business, asking for contact, location and job details in advance. Either in response to an email or phone call inquiry.

For 2 of the 3 instances I can relate for the mentioned service provider. I only became aware my details were in the system after a booking advice was sent via SMS. Also only after making a verbal booking directly with the business.

If the legislation is not changed to capture all businesses, we need an opt out clause that blocks a business from using such services without our individual fully informed prior agreement.

1 Like

Invariably current privacy policies contain a clause that says that the business that you actually engage and deal with can share your data with any company that that business uses as a service provider. That is up to a point reasonable but …

Wouldn’t that mean that you are opting out of using the business? They aren’t going to design two business processes, one where they provide the service while also outsourcing to third parties (used by the majority of customers), and one where they provide the service but do everything in house (used by you).

So the “informed consent” can be as “informed” as you like but it isn’t “consent” - because you have no choice but to consent?

My plumber uses MYOB to issue invoices. I imagine that they have for some time used MYOB software to manage their accounts, and MYOB is now somewhat cloud-based and/or MYOB is looking for ways to generate more revenue by providing more than just licensed software.

So now the simple act of getting a faulty cistern fixed triggers a flood (no pun intended) of data going who knows where …

The gumbyment would probably view this development as a good thing. Now they only have to lean on a few large accounting software firms and they get what they want across zillions of small businesses e.g. insight into whether a few “cashies” might be occurring and e.g. data collection for the government. The government even pushes this along by making their requirements more and more complex so that a small business can only possibly hope to comply with government requirements by engaging a third party (either as licensed software or as a service or both).

2 Likes

If you don’t have any evidence that government is doing the wrong thing it is so easy to invent some speculation to fill in the gap. This is bound to improve the quality of political discourse.

In the press that kind of assertion would have been called a beat-up in the past, today it is fake news.

1 Like

I did not suggest and am not suggesting that the government is doing anything illegal. I was suggesting that this is a convenient arrangement where they can get 3 guys in a (virtual) room and basically say:

  • we will be legislating X to come in at July 1 - ready or not, or
  • do X or we will regulate it / legislate it

whereas in days of yore it would involve any number of manual accounting processes and any number of different accounting software packages, as chosen by many thousands of companies around Australia and any change would take years of consultation.

Consolidation is nearly always convenient for government - but usually bad for the consumer once it reaches a small enough number of choices.

No but you bring up the possibility and hint that it might. When this forms a pattern in several threads where you tell us that if X happens then the government, might, could, it would be easier, more likely etc, do something wrong the principle behind these aspersions is pretty clear. You take opportunities to criticise the government for what you imagine they might do rather than what they do.

You don’t have to say explicitly that a person or organisation is doing something wrong for it to be an attack without evidence. I had hopes for better, I still do.