Perplexing Privacy Policies
The recent Facebook privacy scandal involving Cambridge Analytica highlighted the fact that most people do not understand the privacy policies to which they have agreed. [1] Millions of people had their data reused in ways in which they likely had not intended for it to be used. The issue of incomprehensible privacy policies is even greater when the data are highly sensitive, as is the case with many forms of health-related data. When people do not understand the privacy policies presented to them, they cannot make educated decisions in which the benefits and risks of sharing personal information are appropriately weighed.
In 2017, the Supreme Court of India ruled that privacy is a fundamental right of all citizens. [2] As was illustrated by the Cambridge Analytica situation, there is a difference between having a right to privacy and being able to assert it. When a privacy policy is time-intensive to read or requires a level of reading ability greater than that of its audience, thoughtful privacy decision making is impeded. Due to the heightened sensitivity around mental illness, relative to most physical illness, it is particularly important for apps addressing mental illness to have comprehensible privacy policies. The need for mental health privacy is particularly acute in India, as although over 40% of Americans believe that mental illness is similar to physical illness, less than 20% of Indians agree with this sentiment. [3]
In a recent article published in JMIR: mHealth and uHealth, Preeti Singh, John Torous, and I explored the complexity of privacy policies of Indian apps for mental health and compared their complexity to the privacy policies of apps intended to address a physical ailment prevalent in India; diabetes.[4] After analyzing the privacy policies of 41 Indian apps related to diabetes and 29 Indian apps related to mental health using 15 different readability measures, we concluded that there were no significant differences in the readability of the privacy policies for the two types of apps. Nonetheless, both types of apps typically had privacy policies that would present a challenge to users. The privacy policies of diabetes apps had a mean length of 1,875 words and those of mental health apps had a mean length of 2,421 words. Thus, reading one of the privacy policies would take about as long as reading an academic article! To make matters worse, the privacy policies were on average written at a college reading level. Because most people in both India and the United States do not have a college education, this is a significant barrier to general understanding. [5, 6]
The current state of affairs makes it difficult for app users to safeguard their privacy. In order to empower people using apps to protect their privacy, app developers can be encouraged to produce brief, clear privacy policies which can realistically be read and understood by the majority of people. The GNU General Public License is one example of the type of uniform policy that can be implemented to spare users the effort of reading unique, lengthy privacy policies for each digital tool that they use. Alternatively, legal regulations can protect the public from potentially harmful uses of data. Working along these lines, the European Union implemented the General Data Protection Regulation (GDPR) in 2018 and is developing an ePrivacy Regulation (ePR).
After analyzing the privacy policies of dozens of apps, it is clear that the presence of a privacy policy is not enough to ensure that people have control over their privacy rights. While the issue of policy complexity was found to be no worse for apps related to mental health, it was a serious problem nonetheless. Perplexing policies are a barrier to meaningful privacy protection.
References
[1] Granville K. Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens. The New York Times. 2018. [cited 3 May 2018] https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html. [Link]
[2] India’s Supreme Court rules privacy is a fundamental right [Internet]. AP News. 2017 [cited 24 September 2017]. Available from: https://apnews.com/12c1222843d24573a74388c3f68d1f69 [Link]
[3] Seeman N, Tang S, Brown AD, Ing A. World survey of mental illness stigma. Journal of affective disorders. 2016 Jan 15;190:115-21.
[4] Powell A, Singh P, Torous J. The Complexity of Mental Health App Privacy Policies: A Potential Barrier to Privacy. JMIR Mhealth Uhealth. Journal of Medical Internet Research. 2018 July; 6(7), e158
[5] Office of the Registrar General & Census Commissioner [Internet]. Census of India Website. 2017 [cited 24 September 2017]. Available from: http://www.censusindia.gov.in/2011census/C-series/C08.html [Link]
[6] American FactFinder. United States Census Bureau. 2017 [cited 24 September 2017]. Available from: https://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=ACS_15_5YR_S1501&src=pt [Link]