0

Im having trouble grasping the definition of a privacy policy. Is it the agreement of user and another party? or can it also be privacy settings a user specify in an application? or is it just the terms they agree on before using the application?

Could this be a privacy policy?: "[check-box]Hide your recent activity", in a given application or this a privacy setting?

vasper
  • 3
  • 1

2 Answers2

1

(This is a really high-level answer. Happy to receive clarification if you require it to be more specific.)

A privacy policy is defined by 2 pieces of information:

  1. What the author considers to be private. This could be defined by legal or regulatory guidance in your state/country.
  2. How private information is to be managed. This may include mandatory or optional controls. The necessity of these controls is usually graded by words such as must, required, shall, should, may, and optional.

For example, this is a high-level policy statement:

  • Personally identifiable information (e.g., name, date of birth, address) must be kept secure.

Now, secure is a vague word, but remember that this is a high-level policy statement. One would generally delve into the policy description or set of standards that define what secure means based on whether the information is in digital storage or on a physical medium such as paper.

Even then, security control for data stored in digital storage would be different for, say, a hard within a system in a datacenter versus tape backup on an off-site location managed by a third party.

Security controls managed by your organisation would generally have technical controls, whereas enforcing security controls operated by a third party would generally be managed using contractual controls.

Zaakiy Siddiqui
  • 44
  • 3
  • One thing can a user specify their own policies? In the statement u gave can a user specify that they want to disclose name but none of the other? – vasper Aug 23 '16 at 02:58
  • @vasper What? The users *always* have the freedom to not diclose their personal information. The policy is about how the data is handled according to various definitions, rules and lawsnot about forcnig the user providing some information. Basically the policy says: "If you insert personal information on your account, we will be keeping it secure (in this and that way), except your favorite food which we don't deem as important to warrant all that security stuff. This and that may be able to look at your information but that 3rd party cannot". – Bakuriu Aug 23 '16 at 11:31
  • thank you that clarifies it. The literature about policies is so abstract i want to gouge my eye out. – vasper Aug 23 '16 at 13:14
0

In the US, the Federal Trade Commission has legal jurisdiction to engage in activities with the goal of "protecting America's consumers." These activities include policing the use and abuse of individual consumer data by companies.

Companies protect themselves from FTC investigation in a generic way by producing a document called a Privacy Policy. This document, traditionally using legal language- though recently the FTC has encouraged the use of plain, common-sense language, despite its lack of legal precision- states what personal data the company collects, how it uses it, with whom it shares it, etc.

A Privacy Policy, along with a Terms of Use, creates a kind of informal contract between the consumer and a company whose services the consumer is using. The consumer is obliged to use the services in accordance with the Terms of Use, and the company is obliged to abide by the terms of the Privacy Policy.

That said, both are authored by the company and represent the company's perspective. So Terms of Use are usually explicit and concrete about what can and cannot be done by consumer users, Privacy Policies are usually jargon filled and abstract with the intention of providing companies a lot of leeway in their actual technical practices.

Privacy Policies are documents that are largely mechanisms for self-policing, rather than mechanisms for regulation, from a legal perspective.

Jonah Benton
  • 3,359
  • 12
  • 20
  • You say mechanisms for regulation. Could that be data aggregation to desensitize the data? – vasper Aug 23 '16 at 13:15
  • Privacy policies are *legal* mechanisms, not technical. Don't think of a privacy policy as a technical document or spec, it is wholly different from that. A technical document is like a book written in Russian, and a Privacy Policy like a book written in French. They exist in their own universes, have their own idioms, audiences, references, etc. One can translate one to the other, but that by itself is a work of art, many things will translate poorly or not at all, and a literal translation is worst. – Jonah Benton Aug 23 '16 at 20:04