GDPR Compliant Privacy Policies like Creative Commons


Currently, many service providers are updating their privacy policies to comply with the GDPR. For customers this is a major annoyance. WhatsApp, for example, recently changed its privacy policy and, when users started the app, asked them to agree to many pages of fine print before they could proceed to use it.

It takes approximately 60 minutes just to read the WhatsApp legal page, and possibly much longer if you really want to understand the implications. And these days, such updates fly in daily. This situation is unacceptable and needs a major change.

What we really need is a privacy policy standard like Creative Commons (CC). The CC licenses are concisely structured in modules. With some practice, you can easily understand what CC-BY-SA 3.0 means, for example. Similarly, a privacy policy standard should be built from modules.

For example, DPS-IT-INET-MED-SPECIAL-M(END)-1.0 could mean for a running app:

  • Our privacy policy is according to data protection standard 1.0 (whatever standard 1.0 includes)
  • We use IT systems (databases, etc.) to store your data
  • Your data is collected through the internet (oh btw, we also use cookies and see your IP)
  • Your pulse data is treated as medical data and well protected
  • We keep your data until the end of our contract (cancellation of membership)
  • Additional special regulation (going beyond the standard) is covered in the following paragraph
  • Special regulation section: We share your pulse data and running history with your insurance, so they can offer you better premiums, only after your explicit agreement. If you tweet about your run, you’ll see the tweet upfront and have to confirm all data that you tweet.

This standard could also be used to indicate GDPR compliance. Most providers probably won’t be able to avoid a special section, but ideally it would contain only a few lines. For many blogs, forums and news sites, a single line could be enough to communicate their policy to the customer. Of course, the explicit policy would have to be included as well, to make the lawyers happy. Privacy policy generators already exist, but they are not yet standardized. Well, that is the idea. Maybe there is a willing lawyer out there to help?
