Europe's privacy mandate on deck

Deadline’s today to strike legalese

SAN FRANCISCO -- Silicon Valley companies for months have been rewriting their privacy policies to make them clearer in time for a deadline today -- the day Europe ushers in a sweeping new privacy law that stands to affect users worldwide.

The new law could spell the end of legalese -- of an era of signing away rights with a single click, experts said. But it also could have the opposite effect, creating longer, more confusing explanations.

The European law, called the General Data Protection Regulation, requires that companies use plain language to communicate how they process people's data. It also mandates that firms obtain explicit consent from consumers for every possible use of their information, and allow them to delete and request copies of all data companies have on them. Companies that break the rules face steep fines of up to 4 percent of global profits.

Because it is hard for technology companies to determine the citizenship of users who log in to their services, most companies say they will roll out the changes beyond the law's immediate jurisdiction in Europe, extending new protections, or at least clearer explanations, to citizens of the U.S. and elsewhere. Citizens outside Europe will not have the same legal recourse if they feel the companies' practices fall short.

Google, Facebook, Apple, and others have been rushing to ready new tools for people to download and delete their data -- along with revamped privacy policies and interfaces that purport to be more digestible. On Thursday, Facebook said it plans to insert alerts in the news feeds of more than 2 billion users in the coming weeks, giving them a series of choices, including whether they want Facebook to use face recognition on their photos and whether the company can use information collected about them from advertisers.

In some ways, the effort around the new European rules boils down to a single question: Will they bring about the end of legalese?

Privacy advocates have long complained about mind-numbingly long privacy policies stuffed with inscrutable fine print and jargon. Google's new contract with its users is 20 pages long, for instance. The result is that people feel they are blindly signing away their rights to protect their information from being used by companies in undesirable ways, privacy advocates say.

"The companies are realizing that it is not enough to get people to just click through," said Lorrie Cranor, director of the Cylab Usable Privacy and Security Laboratory at Carnegie Mellon University and the Federal Trade Commission's former chief technologist. "That they need to communicate so that people are not surprised when they find out what they consented to."

That has become more apparent in the past two months since revelations that a political consultancy, Cambridge Analytica, made off with the Facebook profiles of up to 87 million Americans. Cranor said that consumer anger over Cambridge Analytica was directly related to concerns that companies were engaging in opaque practices behind the scenes, and that consumers had unknowingly allowed it to happen by signing away their rights.

Irrespective of simpler explanations, the impact and success of the General Data Protection Regulation will hinge upon whether companies will try to force users to consent to their tracking or targeting as condition for access to their services, said Alessandro Acquisti, a Carnegie Mellon computer-science professor and privacy researcher. "This will tell us a lot regarding whether the recent flurry of privacy policy modifications demonstrates a sincere change in the privacy stance of those companies, or is more about paying lip service to the new regulation. The early signs are not auspicious."

Tech companies may be making some changes, but the European law -- an 88-page document that some say is as confusing as a privacy policy -- will take many years to sort out.

For example, under the law, if a mapping app asks for permission to collect a person's location in order to provide them with navigation, the app cannot then sell that information to advertisers, or do anything with it aside from using it to provide navigation services -- without what the law refers to as "affirmative" consent. Companies must also enable people to delete whatever data companies have on them.

The requirement of companies to disclose more about their data practices than ever before could result in more lengthy explanations, said Bart Lazar, a privacy lawyer with the Chicago firm Seyfarth Shaw.

On Wednesday, Apple announced a new privacy portal where people can now download copies of the profile the company keeps on them. It includes activity from the app store and Apple Music, iCloud, and visits to Apple retail stores. Spotify also is giving users a data-downloading tool and a streamlined privacy policy.

Earlier this month, Google announced a rewrite of its privacy policy and a slew of updates designed to provide simpler explanations about what data the company collects. Google isn't changing the way it handles data, but is trying to make its explanations more clear, such as providing user-friendly reminders of the extensive controls Google already offers.

"We've improved the navigation and organization of the policy to make it easier to find what you're looking for; explained our practices in more detail and with clearer language; and added more detail about the options you have to manage, export, and delete data from our services," William Malcolm, Google's European legal chief, wrote in a blog post. The changes will affect all users of Google's services.

Information for this article was contributed by Tony Romm of The Washington Post.

Business on 05/25/2018

Upcoming Events