Slashdot Mirror


U.S. vs. Europe on Online Privacy

A group called Consumers International has released a report about online privacy in the U.S. and Europe. The report's sound-bite conclusions - "U.S. beats Europe in online privacy protection" - have been widely reported in tech media, but I'd like to take issue with the report in a brief analysis below.

A lot of the blame for the misreporting falls on the authors of the study. They described their study as "An international comparative study of consumer privacy on the internet", when in fact it was nothing of the kind.

One of the major problems facing pro-privacy activists today is a certain type of corporate spin. Major advertisers in the U.S. have created a PR campaign whose goal is convincing people that notice about how your privacy is being violated (typically buried in a dozen pages of fine legal print) is more important than actually having privacy. The PR campaign is designed to push the idea that a privacy policy is what is really needed, not actual privacy. Of course, the privacy policy can say anything: "You have no privacy when dealing with this website" is a perfectly valid privacy policy. A privacy policy which says, "We keep all your information private", when in fact the company sells everything it knows about you to the highest bidder, is also a perfectly valid (though untruthful) privacy policy. So the existence of a privacy policy says absolutely nothing about the actual privacy afforded. Indeed, since privacy policies are written to protect the company, not you, the existence of a privacy policy is a good clue that this is a company which intends to violate your privacy. If you don't collect information from visitors to your site, you have no need for a privacy policy.

So it's embarrassing to see "consumer" organizations take a study of privacy policies and call it a study of privacy. It says to me that either they're strapped for resources (studying privacy is much harder than studying privacy policies) or that they're being dishonest. Occam's Razor suggests the first. But the results are harmful to their cause, I think - they end up promoting the idea that privacy policies = privacy. This is roughly similar to the idea that good brochures equal good vacation spots, or that good signage on the outside of a hospital equals good medical care inside.

Honestly: if someone did a study of hospitals by walking around them and examining the posted signs, and called it "An international comparative study of medical care", it would immediately be seen for a fraud.

Methodology is important. No study is useful without the proper methodology to support its conclusions, and in this case few methods to study privacy were actually employed. The researchers didn't, for example, audit any companies by going on-site and interviewing people to see what was actually done with the data that was collected. The only useful conclusion drawn out of the study is that the large popular European sites were less likely than large popular U.S. sites to have posted privacy policies - quite possibly because, due to the fairly strict European rules covering the use of personal data, those European sites do much less privacy-violating than U.S. sites and therefore have much less need to post privacy policies. (And the European sites aren't involved in the U.S. PR campaign run by U.S. advertisers, either.)

The study is not awful. The researchers actually did some minimal verification - checking to see whether "do not mail" actually results in not getting spam mail from a company, for instance. (They encountered several cases where they received advertisements even though they had indicated they didn't want any - eBay users will be familiar with this practice.) But most of the study was based on examining privacy policies.

Possibly the best way I can describe the study is this way: If a company did not collect any information from visitors, did not sell it to marketers, and in general respected its visitors' privacy - but didn't have a privacy policy spelling that out, in great detail - it would receive a poor grade from this study. This is fundamentally wrong - the organizations intending to protect privacy have forgotten the forest for the trees.

1 of 118 comments

  1. Duh! by Betcour · Score: 5

    I live in France, I OWN my personal data (I can ask any company owning some to delete it or not resell/give it). I can sue any company not following this guideline.

    Every web site has to register with a gov. agency what data are collected and how they are used.

    Now I'm curious to know how a privacy policy on a US web site can give me more protection than that...