New tools will read those jargony online privacy policies so you don't have to
When was the last time you carefully read through a website's privacy policy? For most people, the answer's never. We all care about our privacy, but nobody wants to scroll through pages and pages of legal text, clearly not written with the consumer in mind.
Florian Schaub is an assistant professor at the School of Information at the University of Michigan and he's looking at how to make privacy policies more consumer-friendly. Recently, he collaborated with other researchers in the U.S. and Europe to develop two AI tools that can go through websites' privacy policies, so you don't have to.
Polisis and Pribot will read privacy policies for you
"Privacy policies often describe what companies are allowed to do with your data in terms of who can they share it with, what are they collecting and what are they using it for," Schaub said. "Our goal is to make this information more accessible to people."
A demo of Polisis
The solutions that the researchers came up with are Polisis and Pribot, a visualization tool and a chatbot that harness machine learning to interpret privacy policies for consumers.
A demo of Pribot
Polisis can analyze any of the 18,667 websites that are currently in its system and show how the website handles your data in a beautiful flow chart. Alternatively, you can also chat with the Pribot to get answers on specific questions about a website's privacy policy.
How to design consumer-friendly privacy notices
Now, you might be wondering why privacy policies are so vague and confusing in the first place. The truth is, they're not really written for the consumer, according to Schaub, but to demonstrate compliance with data protection laws and regulations.
"There's a strong interaction between the companies and regulators through these privacy policies," he said. "But the user's need for transparency and control about how the data is collected is kind of neglected in the process."
To improve privacy notices, Schaub recommended partitioning them so that only the parts of the policy that are relevant to what you're doing at the moment get served up. Additionally, he said users should be able to say 'yes' or 'no' to specific practices, rather than being forced to agree or disagree with the entire policy. "The [latter] is not really a choice," he explained. "You can disagree of course, but that also means you can't use that particular service."
The upcoming General Data Protection Regulation's effect on companies
In May, the European Union's General Data Protection Regulation law will come into effect. There'll be provisions around how people need to be informed about data practices, what kind of controls need to be given to them, and what it means to obtain consent from consumers, Florian explained. But still, it's not clear how to do all this properly, he said. "You still need to notify people about who's collecting the data for what purpose, who's the privacy contact for the company, etc."
For Schaub, coming up with ways to make all that information available in an accessible format for the consumer is going to be an interesting challenge. But for now, he's glad to see companies have already started responding to the GDPR. Facebook announced a new data privacy centre in January that will be rolling out worldwide later this year. "Hopefully, that'll make it easier and more transparent for people to take control of their privacy."