Article Lead Image

A trojan horse for the Internet age: The 100 words privacy policy law

A proposed law mandates privacy policies be less than 100 words. Here's why that's a really bad idea. 


[email protected]

Internet Culture

Posted on Feb 22, 2013   Updated on Jun 1, 2021, 11:48 pm CDT


Earlier this month, California lawmaker Ed Chau introduced a bill to the state’s legislature that many Daily Dot readers will love the sound of. The proposed law (PDF), Assembly Bill 242, would require that website privacy policies “be no more than 100 words and shall be written in clear and concise language at no greater than an eighth grade reading level” and declare “whether the personally identifiable information may be sold or shared with others.” Sounds brilliant, right? Don’t be so sure. The bill is bad—and, more importantly, a trap.

The problem with the bill itself was pointed out by ReadWrite’s Adam Popescu. He argues that while on the surface the bill seeks to help Internet citizens, it might actually have the exact opposite effect. Why? Because 100 words is not nearly enough space to both accurately and concretely convey to users how their information is being used. It is barely enough to scratch the surface.

Forcing website operators to restrict their privacy policy to 100 words would only have the effect of, in his words, “shackling and curbing” the amount of information website operators can tell users. The law would mandate 100 word privacy policies so short that they would only be able to vaguely hand wave towards the way they intend to use users’ personal information. Other privacy rights experts agree and have now come out against the bill for this exact same reason.

Popescu is right, of course. Internet citizens need more, not less, information about how their personal information is being sold and shared. I don’t want to see a 100 word policy, I want to see one with explicit statements about what information is being collection; who is specifically it is being shared with; and how I can remove my data from their systems. So while I appreciate Assemblymember Chau’s misguided attempt to help Internet citizens understand how and where their personal information is shared, restricting privacy policy’s to 100 words is not the answer.

And that’s not all: there is something even more dangerous about this bill.

When it comes to technology (or anything, really), laws beget laws. Each law relating to the Internet is one more government foothold in the online frontier, one more claim that politicians can make to expand their power over the Internet and the Internet’s citizens. In this way, even good laws (which the 100 word privacy policy bill is now, in intention) about the Internet are dangerous, for they give politicians precedent one more step toward governing the web.

A well-meaning law mandating the length and content of privacy policies opens the door to a law about the contents of the entire Terms of Service and maybe even to a law over user anonymity itself. That is the biggest problem.

So much of what makes the Internet great is its the freedom it provides. Yes, freedom—in the grand sense of supporting the Arab Spring and other social movements, but even freedom in the smaller sense, in allowing a LGBT teenager of heavily religious parents to learn about different viewpoints, or allowing a patient to anonymously connect with others with their condition. This freedom comes not from a political document mandating it, but rather the from absence of any mandate at all.

The Internet gives freedoms not through good governance, but through un-governance. The more the Internet is free from political control, the more it is able provide freedom to it’s users. And, the encroachment of governments on the largely ungoverned frontier that is the Internet is the single greatest threat the Internet has faced in its short life.

A law mandating terse privacy policies is a bad idea. Ostensibly designed to help Internet users understand how their personal data is being used, sold, shared online, it will do none of these things. Rather it will do the opposite, create privacy policies too short to provide more than the vaguest statements about a user’s privacy. More importantly, Assembly Bill 242 is a Trojan horse. It is one more attempt by states to enlarge their foothold in the digital domain; one more excuse for politicians to play network administrator. And we shouldn’t let them.

Chris R. Albon is a political scientist and writer on the global politics of science and technology. Presently, Chris leads the Governance Project at FrontlineSMS. Prior to FrontlineSMS, Chris earned a Ph.D. in Political Science from the University of California, Davis.

Photo by Darcy McCarty/Flickr

Share this article
*First Published: Feb 22, 2013, 3:56 pm CST