You are here


Let's retire the phrase 'privacy policy'

TRUE or false: "When a website has a privacy policy, it means the site will not share my information with other websites or companies without my permission."

According to my research - a nationally representative phone survey conducted in January and February - a majority of Americans think this is true.

It isn't. Not even close.

Over the past 15 years, I've conducted six national surveys with colleagues about how people see and think about their privacy in both the online and offline worlds. In each survey we've included a statement roughly like the one above. The picture is consistent: when people see the phrase "privacy policy", most assume their information is kept private.

It's a misleading label. In reality, these policies explain how companies will use your information - because they are using it.

Your feedback is important to us

Tell us what you think. Email us at

To be clear, it is lawful - and common - for websites to trade most types of information about us without asking. The reason "privacy policy" is a ubiquitous phrase is that since 1998, the Federal Trade Commission (FTC) has strongly suggested that all websites (and, later, all apps) include a disclosure about what they do with visitor data and what choices visitors have regarding those uses. What lies behind these links is a cavalcade of disclosures of how businesses across the Internet track us, target us and trade our information.

Consider Target's privacy policy, which is perfectly legal and not at all unusual. Target collects data about you across its website and app, in addition to knowing what you buy. It uses the information for its own marketing purposes. It also allows "third-party companies" to collect "certain information when you visit our websites or use our mobile applications". In other words, it can share the data it collects with just about anyone.

But Target is not just profiling you based on how you shop with Target. It may also collect what you say on any blogs, chat rooms and social networks you use, and it may obtain "demographic and other information" about you from "third parties". You have to assume that Target can purchase any known information about you held by any other company. Not even your body is off-limits - cameras in some stores "may use biometrics, including facial recognition", for theft prevention and security.

Our surveys consistently show that Americans dislike being tracked. Why, then, aren't Americans more angry and opposed to how often and extensively businesses track them?

One reason: most Americans don't read privacy policies, and so they aren't aware of what is going on.

The words "privacy policy" may well be a big part of the problem. The very fact that a company seems to have a policy on privacy gives consumers a false belief that the company won't share their information without permission - a reason not to click and learn more.


In addition to the "privacy policy" label defusing public anger against commercial surveillance, it may also distract people from the need for effective privacy laws.

Two of our surveys asked people whether they agreed or disagreed that "existing laws and organisational practices provide a reasonable level of protection for consumer privacy today". We found that among people who understood the "privacy policy" label's correct meaning, a majority thought privacy laws needed to be stronger. By contrast, among those who misunderstood what "privacy policy" means, a majority saw no need for organisational and legislative changes in the service of privacy.

It's hard to avoid the conclusion that the term "privacy policy" benefits data collectors over the public. The label's phrasing was not a result of research or agency deliberation. In fact, back in 1998 the FTC used the phrase "information practice statement" for the data-disclosure document it wanted. It didn't take hold, possibly because companies realised that "privacy policy" embodied the ambiguity they wanted.

Fifteen years of research consistently shows that the label is deceptive - depending on the survey, between 54 per cent and 73 per cent of Americans assume companies won't share their information without permission.

One solution would be for the FTC, which is mandated to police deceptive corporate practices, to rule that only sites and apps that don't share people's information without their permission can use that phrase. Otherwise, they should use a more accurate label, such as "how we use your information".

Companies don't want people to realise how extensively they use our information and are likely to object to this new, clearer phrasing. Yet it is a struggle worth pursuing in the interest of creating transparency around the name of a document that has been mistitled and misunderstood since its inception. NYTIMES

  • The writer is a professor of communication at the Annenberg School for Communication at the University of Pennsylvania

BT is now on Telegram!

For daily updates on weekdays and specially selected content for the weekend. Subscribe to