Why are privacy policies so difficult to understand? Because they are vague and unclear–which prevents users from understanding what companies do with their information, according to new research by former Ranking Digital Rights (RDR) research analyst Priya Kumar.
In November 2016, Kumar presented a paper using data from RDR’s 2015 Corporate Accountability Index, in which she analyzed the privacy policies of 16 of the world’s largest tech companies evaluated in that year’s Index. Her research shows that these companies typically fail to convey to users what happens to their information–from the point it is collected to when it is (possibly) deleted. Kumar finds that along with vague or unclear language, the lack of uniform definitions for what companies consider “personal information” make it difficult for users to get a complete and accurate picture of how companies handle their information.
The analysis also shows that companies are more transparent about the information they collect compared to what information they share, and that companies are least transparent about what user information they retain–even after a user deletes their account or service. “People would expect a company to keep information they actively submit to the service (e.g., posts, messages, photos, videos, etc.), until they delete it themselves,” according to Kumar. “But companies collect several other types of user information, and they typically fail to disclose how long they retain those types of information.”
The paper was presented as part of the Privacy and Language Technologies track of the Association for the Advancement of Artificial Intelligence’s (AAAI) Fall Symposium Series held in Virginia. Click the link for a PDF of the paper: Privacy Policies and Their Lack of Clear Disclosure Regarding the Life Cycle of User Information