Christopher G. Bradley of Kentucky has written Privacy Policy Indeterminacy. Here’s the abstract:
Despite being subjected to decades of sharp criticism, privacy policies published by companies remain a linchpin of privacy regulation. Representations in these policies provide the main measure against which consumer privacy can be judged. Policies are rarely read by consumers and are most often interpreted by decision makers within companies who have to determine if a proposed course of action is consistent with stated policies as well as underlying privacy law. The degree to which policies provide constraint will rely on whether the policies are sufficiently clear that even a company-friendly reading requires a consumer-data-protective course of action.
Experimental evidence on the interpretation of privacy policies provides no grounds for encouragement about such constraint, because it suggests that policies are often so ambiguous that neither laypeople nor experts can consistently interpret them. This Article supports those experimental findings with real-world evidence. It draws on a data set of court filings of experts appointed to consider the legality of transfers of consumers’ private data. The study finds that even independent, court-appointed experts rely on interpretive practices that are unreliable and inconsistent. It reveals divergences concerning what even relatively common, standard privacy policy provisions actually mean, in relatively common situations, such as the attempt to sell data as part of a reorganization or liquidation. This suggests that privacy regulation should not rely too heavily on the language of privacy policies unless greater consensus can be reached.
The Article then proposes to put the interpretation of privacy policies on more sound footing. It explores two primary approaches. Privacy policies could be subjected to more certain meaning through a turn to standardization, where policies are communicated by reference to interpretive principles laid out by regulation or by understanding grounded in empirical research on the meaning of the various terms. Alternatively, privacy policies could be subjected to a set of interpretive principles that would provide a more certain basis for interpretation and also encourage drafters of policies to state themselves more clearly.