When is a Privacy Policy not a Privacy Policy?

OK, I admit it.  I was on the road and got a longing for junk food. It happens. So I pulled in to a joint and ordered myself a ton of calories that I was going to regret.

With my trayful of fat and carbs came a long receipt for my sins which contained a juicy offer – a burger and fries at half the usual price.  All I had to do was take an online survey to let them know how I fared with my fare.

I accessed the required website while nibbling my chips and of course, I couldn’t ignore the first screen I saw:

Or in other words, we can find out who you are (via your IP address) and where you are, we’ll ship it to the privacy wild west of the US (they are registered under Privacy Shield but I had to do a separate search for that information) and we’ll use cookies without your direct consent.  Oh, and if you want to know more, there are THREE other terms and privacy notices to read.

I read them.  One is 12 pages (the Controller’s, who did in fairness, also have a nice one pager summary), the second is 13 pages (half in nice capitals on a pdf) and the third runs to 21 pages of A4 in 11 point font under 16 headings.  It states it is a privacy policy but it is clearly something that has been over-lawyered and loses the run of itself, for example:

[Entity] are commercial computer software, as defined in 48 C.F.R. §2.101. Accordingly,

if you are an agency of the US Government or any contractor therefor, you receive only those

rights with respect to the [entity] as are granted to all other users under license, in

accordance with (a) 48 C.F.R. §227.7201 through 48 C.F.R. §227.7204, with respect to the

Department of Defense and their contractors, or (b) 48 C.F.R. §12.212, with respect to all other

US Government licensees and their contractors.

The US Department of Defense? I thought you just wanted to know if the loo was clean?  For the love of all that is fair and transparent, this is clearly overkill.  Or laziness.  What has this got to do with my cheap burger?

I clicked Continue.   The survey itself is innocuous – were the staff friendly? Was the food good? Were the toilets clean?  All harmless stuff.  Which begs the question why lawyer up so heavily?

I then thought to myself “who exactly is this aimed at?  Everyone? Possibly.”  But given the brand and the offer, one could safely conject that they know that under-16s will jump at this offer.  Deep in the privacy policy they tell us that you cannot do the survey if you are under 16 unless you have permission of a parent or guardian.  If not, don’t do the survey.  That’s it.

There is no way to enforce this rule.  It’s one part of the GDPR that is simply unworkable.

And then I found this:

When you choose to access [entitly] through Social Media login credentials, [entitly] may, depending on your privacy settings, have access to information that you have provided to the Social Media platform, such as your name, e-mail address, profile photo, posts, comments and other information associated with your Social Media account. We may use this information for any purposes described in this Privacy Policy and for any additional purposes of which you were advised at the time the information was collected. If you do not want your Social Media information to be shared with[entitly] by a Social Media provider, you should not use your Social Media accounts to access [entitly].

i.e. Don’t press this big red button

This paragraph is nowhere to be found unless you go looking for it and believe me it takes a while to find.  But this is chilling, and just wrong.

So I’m a 13 year old, hanging out with my buddies in the local burger joint  and if I pony up my pocket money for even a small ice cream in this establishment, I’ll get this tempting offer for my return hang out and can do the survey again and again.  This US-based entity is sucking up my personal data and very likely my social media accounts. Are they profiling 13 year-old me?  Are they selling the profile on the open market? How long are they retaining all my data and metadata? We don’t know because they’re not telling. They are burying their intentions under swathes of jargon. All for a cheap burger.

A lot has been written over the years about the frankly ridiculous nature of privacy policies.  How can people be expected to embrace the concept of controlling their personal data when the very people charged with helping them do so allow publication of reams of legalspeak?

Irish Data Commissioner Helen Dixon is on the record stating that “transparency will be a key enforcement priority.”  A privacy policy needs to be succinct, written in plain English, in language a child can understand – just tell folks the who, what where, when, why and how you are going to process their data.  Easy!

Not easy.

It is really tough to do this. In a previous role of mine, the lawyers once gave Customer Care a full A4 page of script that they wanted to be read before every outbound call to ensure the privacy policy was understood by the customer.  Of course, while the intention was honourable, in practical terms this was bonkers and Customer Care (rightly) refused to do it.   One way to attack this beast is to layer your information:

• if presenting it in a digital format: state what the page is about at the top. Then provide more detailed information progressively down the page or on other linked pages.
• if presenting verbally: state your 5Ws and H succinctly and offer to give the customer/user further information on all/any they choose.

When is a Privacy Policy not a Privacy Policy? When it is three Privacy Policies that no-one is going to read because they are gobbledegook. It’s so much easier to click “Agree” and that’s what “adtech” or “martech” (or whatever the buzzword is fashionable this quarter) depend on.  The user’s indifference.

You can have your cheap burger with fries, but you may have sold a part of your soul to get it.