A Long Road to Short Privacy Statements

Computerworld - If 2001 was the year of the verbose privacy statement, 2002 will be a year of intense editing. Why? In two separate opinion polls, consumers said that they want "short, concise" privacy policies that are easy to understand. Only 3% of respondents said they carefully review online notices -- in part because of the complexity of such documents.

My review of the online privacy notices of the Fortune Global 100 revealed that U.S. firms averaged 1,316 words per notice, while businesses in other countries made do with nearly half as many. Our corporate editors will be busier than the rest of the world this year trying to reach the ideal that customers want.

American privacy statements are also hard to understand. Last summer, consultant Mark Hochhauser concluded in a study that the average privacy notice of a U.S. financial institution was readable at the level of a senior in college -- eight years higher than the recommended norm. (By way of comparison, this article reads at a grade 12 level.) Hochhauser says the primary culprits behind these high scores are sentences that never end.

Are the litigious American culture -- and the Gramm-Leach-Bliley Act (GLBA) in particular -- standing in the way of corporate editors seeking to do good? As it turns out, my count shows that the cautious cultures of the largest U.S. financial firms produced privacy policies averaging just 1,011 words -- almost Japanese in precision. So the GLBA doesn't seem to have had a big impact on relative length.

It's the high-tech industry that set the wordiness standard for all industries in this sample, with privacy tomes averaging 1,496 words. IT firms are long on words not because they're afraid, but because they were the first to see how critical privacy will be to their brands, and they overachieved. The American privacy-seal programs have also contributed to the verbosity by advocating lengthy policy templates.

Consumers say they want all corporations to adopt a simple, common format for their privacy policies. This has been the goal of the Platform for Privacy Preferences (P3P) project, which since 1997 has been developing a protocol for browsers to read standardized privacy policies and summarize their contents for users. Adoption has been slow, but with the backing of Microsoft, IBM, AOL and other heavyweights, P3P may yet transform the way consumers interact with privacy notices.

Until then, privacy officers will be streamlining their policies the hard way -- word by bitterly negotiated word.

Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at privacy@computerworld.com.