A Comparative Study of Online Privacy Policies and Formats

  • Conference paper
Privacy Enhancing Technologies (PETS 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5672)

Abstract

Online privacy policies are difficult to understand. Most privacy policies require a college reading level and an ability to decode legalistic, confusing, or jargon-laden phrases. Privacy researchers and industry groups have devised several standardized privacy policy formats to address these issues and help people compare policies. We evaluated three formats in this paper: layered policies, which present a short form with standardized components in addition to a full policy; the Privacy Finder privacy report, which standardizes the text descriptions of privacy practices in a brief bulleted format; and conventional non-standardized human-readable policies. We contrasted six companies’ policies, deliberately selected to span the range from unusually readable to challenging. Based on the results of our online study of 749 Internet users, we found participants were not able to reliably understand companies’ privacy practices with any of the formats. Compared to natural language, participants were faster with standardized formats but at the expense of accuracy for layered policies. Privacy Finder formats supported accuracy more than natural language for harder questions. Improved readability scores did not translate to improved performance. All formats and policies were similarly disliked. We discuss our findings as well as public policy implications.

Funded by NSF Cyber Trust grant CNS-0627513, Microsoft through the Carnegie Mellon Center for Computational Thinking, Army Research Office grant number DAAD19-02-1-0389 to Carnegie Mellon CyLab, and FCT through the CMU/Portugal Information and Communication Technologies Institute. Thanks to Robert McGuire and Keisha How for programming assistance.

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

McDonald, A.M., Reeder, R.W., Kelley, P.G., Cranor, L.F. (2009). A Comparative Study of Online Privacy Policies and Formats. In: Goldberg, I., Atallah, M.J. (eds) Privacy Enhancing Technologies. PETS 2009. Lecture Notes in Computer Science, vol 5672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03168-7_3

  • DOI: https://doi.org/10.1007/978-3-642-03168-7_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03167-0

  • Online ISBN: 978-3-642-03168-7

  • eBook Packages: Computer Science, Computer Science (R0)
