Online Privacy Policies Don't Do Their Job, Critics Say

& -- Online privacy policies need to be easier to understand and more conspicuous because few people now actually read them, said panelists at a U.S. Federal Trade Commission workshop on targeted online advertising.

While privacy policies can help users understand what personal information is being collected, they often need "college-level reading skills" to understand them, said Lorrie Faith Cranor, a Carnegie Mellon University computer science professor who's done research on privacy policies.

Cranor suggested FTC action may be necessary to help standardize privacy notices online. "We should look at the whole picture and think, 'Do we need nutrition labels for privacy?'" she said during the second day of an FTC workshop examining concerns about targeted online advertising.

Representatives of Microsoft, Google and Yahoo told audience members they're working to make privacy policies easier to understand and notices about data collection more immediate.

Representatives of eBay and Yahoo said their companies are experimenting with small question-mark shaped links on targeted ads that explain why a customer was shown the ad.

Microsoft tries to provide frequent links to its privacy policy, and makes it available every time customers sign up for a service, said Peter Cullen, chief privacy strategist at Microsoft. "Now, do we make sure they have to scroll through the short-form [privacy] notice?" he said. "No, because in all honesty, our customers have said that's overdoing it."

But Esther Dyson, Internet policy commentator and founder of EDventure.com, called on online advertising companies to use the same "brilliance" they have for delivering targeted ads to deliver targeted privacy policies and data-collection warnings to individual Web users.

Static privacy polices have limited appeal, she said. "I don't think you can force consumers to look at this stuff," Dyson said. "If they're interested, they do click. The problem is what they can find when they click, which is mostly incomprehensible."

She called on Web sites to tell individuals specifically what information is collected about them.

But "just-in-time" privacy notices take up space, said some panelists. "Every pixel fights for its life," Cullen said.

Joel Winston, associate director of the FTC's Division of Privacy and Identity Protection, opened the second day of the e-behavioral workshop by asking whether privacy notices could be made better, or whether they just don't work.

Part of the problem is that many privacy policies change without warning, and users have to go back to the policy to see the changes, said Carlos Jensen, a computer science professor at Oregon State University. "Reading a privacy policy that could change five seconds after you read it means I'm not going to bother," he said.

More standardization of privacy notices is needed, Jensen said. Web users don't want to wade through multiple Web sites with different privacy notices in different locations, he said.

But Web sites are still experimenting with the best ways to deliver privacy notices, said Colin O'Malley, director of strategic business at Truste. Web sites should still be allowed to figure the best approach before the FTC gets involved, he said.

"We don't want to lead with a prescription," he said.

A better system is needed, and Web sites need to give more detailed information about the personal data they collect, said Jeffrey Chester, executive director of the Center for Digital Democracy and a critic of targeted advertising practices.

"There has to be a simple, unified way to tell the individual exactly what is going on," he said. "Why can't you say you're collecting and targeting and profiling this information? Why can't you say [to users] what you tell your clients?"