Despite being subjected to decades of sharp criticism, privacy policies published by companies remain a linchpin of privacy regulation. Representations in these policies provide the main measure against which consumer privacy can be judged. Policies are rarely read by consumers and are most often interpreted by decision makers within companies who have to determine if a proposed course of action is consistent with stated policies as well as underlying privacy law. The degree to which policies provide constraint will rely on whether the policies are sufficiently clear that even a company-friendly reading requires a consumer-data-protective course of action.
The Article then proposes to put the interpretation of privacy policies on more sound footing. It explores two primary approaches. Privacy policies could be subjected to more certain meaning through a turn to standardization, where policies are communicated by reference to interpretive principles laid out by regulation or by understanding grounded in empirical research on the meaning of the various terms. Alternatively, privacy policies could be subjected to a set of interpretive principles that would provide a more certain basis for interpretation and also encourage drafters of policies to state themselves more clearly.