Privacy policies on websites do they disclose enough?

In online privacy, for instance, giving notice about their practices is among the only affirmative obligations websites face. The strategy is also one of the most heavily criticized. Not only does no one read privacy policies, skeptics rightly point out, but many believe that their mere existence guarantees certain base level protections that may or may not exist.

Should we give up on notice? My recent draft paper argues: maybe not. We should explore two possibilities, at any rate, before we do. The first is that regulators may sometimes select the wrong form of notice for the job. Today most website “terms” say that the company “may disclose data pursuant to lawful requests.” That does very little to further user understanding or action. But maybe it could work to:

•Require a “warning” that email is about to pass 180 days into the territory of mere subpoena;
•Require law enforcement or permit companies to “notify” targets of a subpoena so they can fight it; or
•Require law enforcement and companies to “report” on the overall volume of subpoenas.


Link: http://cyberlaw.stanford.edu/node/6641