Online Privacy: Whose Responsibility is it Anyway?

I read a lot of cookie policies.  I realise that puts me in a very small minority, but it is part of my job. However, I think they can be very enlightening.   Often overlooked as the poor cousin to the privacy policy, I believe I can learn much more about a company’s real attitudes to operational privacy from their cookie policy than I can with their privacy policy. 

The added advantage of this insight is that a cookie policy is usually by far a shorter document, and much less likely to be written in that most impenetrable of languages, Legalese.

There is one phrase I see quite a lot that I think speaks volumes.  It goes something like this:

Our site includes content/services from [YouTube, Facebook, Twitter].  We are not responsible for the cookies set by these third parties.

Sometimes they will go on to say the visitor should go and read the privacy policies on those sites, although few would bother to paste a link.

Now, I am fairly sure that at some point in time, some lawyer was paid to provide those kind of words with the assurance that they will be ‘compliant’. Then thousands of other people would have just copied them, thinking that ‘if so and so has written that, it must be OK.’

What that phrase says to me is something completely different:

We have put someone else’s code on our website. We have no idea what the privacy impact of doing this is, we don’t care enough to find out, and we don’t care enough about your privacy to give you a say in the matter.

Whatever else they may say about how important their visitors’ privacy is to them, and how they don’t share or sell personal data to anyone, what this tells me is that they are paying lip service, putting as little effort as possible into actually providing any privacy.

Taking this ‘not my responsibility’ angle is a like a landlord telling their tenant that it’s not their fault when the ceiling caves in, because they didn’t build the property.

However, as I have written elsewhere recently, while that approach may work for now, it will not be good enough for very long. The simple fact is, if you put a bit of code in your web pages, you should consider yourself responsible for it and the impact it might have – privacy or otherwise. 

You should make it your responsibility to find out what the implications are, by asking whoever provided it.  And if they won’t or can’t tell you – look into alternatives.

Sometimes of course there are not alternatives, but if that is the case, then it is still your responsibility to not only tell your visitors, but give them a choice.  To do anything less is to help create and sustain an environment where privacy becomes an impossible burden on your visitors.

Whose responsibility is it?  Your website is the window through which the world looks at you.  You may not have blown the glass, made the frame or fit it in place.  But if it’s a shoddy job – you’re the one that ends up looking like you don’t care.

Consumer desire for greater online privacy, driven by concerns about what companies are doing with their information, is on the rise.  Increasingly individuals are also taking action, see for example the increasing popularity of ad blocking technology.  This is currently damaging the industry far more than it needs to in large part because they continue to avoid as much responsibility as possible for online privacy.

It’s time to learn from that mistake.