Recommendations

Notice is the FTC’s primary Fair Information Principle. Users must be made aware of data collection practices if they are to make informed decisions. In our report we discuss several reasons why privacy policies are an ineffective means of notifying users of practices. However, to the extent that they remain the primary method of notice, we have some suggestions for improvement.

Readability

First, the policies should be readable for average users. Despite years of research showing problems with the language of privacy policies, they are still difficult to read. We conducted a Flesch-Kincaid readability test on the 50 policies we analyzed and found that the average grade level was 13.83 (the lowest was Chase with 8.66, the highest was Adobe with 17.29, and the standard deviation was 1.89).

Stricter Definitions of "Affiliate" and "Third Party"

We recommend that users be given clear and proper notice as to whom the data will be passed, regardless of affiliation or method of sharing. The policies should not contain conflicting statements that third-party sharing is not allowed but third-party tracking and affiliate sharing are. Therefore, we recommend the FTC enforce strict definitions for the terms “affiliate” and “third-party.” In addition, users should be informed whether the flow of data will stop with the affiliate or whether the affiliate may share data with another company.

Require User Consent for Enhancement

We also recommend that the FTC create an opt-in standard for enhancement, the practice of buying information about users from outside sources. The FTC’s self-regulatory regime is premised on the idea that consumers will selectively disclose personal information to websites they trust. Enhancement circumvents this process, and allows websites to obtain this same information without user participation. A user who decides to reveal a small amount of personal information to a website that she does not fully trust loses all defenses when that site can simply bump up the submitted data with extrinsic, enhanced data.