Let's Replace the Privacy Policy

6a00e550913f3688330133f4819349970b

Ah, the Privacy Policy. It’s that last-second, hastily-assembled legal mumbo-jumbo that you cobble together as your application or web site is launching. It’s one of those assumed obligations that are a thorn in your side: a way of covering your ass, because almost nobody reads them anyway.

In the latest episode of Core Intuition, the iOS dev community’s classiest developer, Manton Reece, talked about how he had to generate a privacy policy for his new app, Sunlit.

I nodded my head as I listened, because the experience he described so closely matched situations I’ve been in before: find an old privacy policy, and change little bits so it matches what your service does.

The legal aspects about privacy policies – the obligations that large companies have to meet because everyone is getting sued by everyone else – are beyond my expertise. But the massive flaw I see in these documents lies in their purpose, and how poorly these documents serve them.

A privacy policy document’s purpose is to explain without ambiguity the way a company will handle your personal information. Because you inevitably give up details about yourself while using any application, it makes sense that the application provider explain what they will do with it.

But this document is flawed for a number of reasons. First, of course, is that it’s written in typically impenetrable legalese. After a lengthy preamble wherein the terms of reference are established (“this is an agreement between ‘the customer’ – YOU – and the ‘service provider’ – hereafter referred to as COMPANY X”), such documents explain how your data will never be sold or shared with third parties… Unless these terms change, which could happen at any time.

I am calling bullshit on privacy policies.

It’s 2014. As users share more information with more applications, we need a way to clearly, simply and concisely explain exactly what we’re doing with data. How it’s stored, how it’s transmitted, who has access to it. In that sense, I think the term “privacy policy” doesn’t go far enough: privacy is just one aspect of what I believe should be the full disclosure of data management.

The term I might use instead is “Data Management Statement”. You could also try “How Our Bits Like to Party”, or “What We Do With Your Data”. I’m just an idea guy; you can run with this.

This document would be written in plain language. You shouldn’t have to be a lawyer. In fact, the app developer would be the most appropriate author. In the interest of transparency, it would be a document that does a full disclosure on how data is used. Consider these areas:

  • What personal data must a user give in order to use this application?
  • What optional personal data can a user give, and how does it alter or improve the experience of using the application?
  • What data is collected through the use of the application?
  • How is data stored in the application?
  • What data is transmitted over the Internet?
  • What data is stored on the Internet?
  • What data does the developer have access to?

These questions should form the basis of any Data Management Statement. As an example, I’ve written one for my new app, ThreadOne, and posted it to the site. Again, the point isn’t to make this a legal document, but to speak clearly and openly about how applications use personal information.

While I will remain not-a-lawyer, if this practice is well-received, I’ll be doing it for all of my apps.