As the EU passed new laws regarding data collection and security, and they are now being implemented, users are being required to accept new privacy policies as data collection practices evolve. This isn’t really a new requirement; companies rewrite privacy policies every day, and we have to decide whether to read them (Gasp!) or simply hit Accept to continue using a service. However, with the laws changed, every company doing business in the EU is now sending emails with updated policies, and the amount of email is staggering. The emails remind us that the services we use that affect the EU are convenient, but the practices being used in the emails to solicit a user response contradict the very policies the users are being asked to accept.

Let me give some examples:

1. Why would a user want to click on a link in an unsolicited email to accept a policy, when it is never a best practice to do so? Hovering over the link may show a legitimate domain, but there is no guarantee that the website at that domain has not been hacked. Wouldn’t it be a better idea to ask the user to log in to their account and temporarily present them with a landing page requesting that they accept the new policy before continuing to use the service? Yes, this is annoying; our financial institutions do this with paperless requests and advertisements for new services, but it is more secure and less likely to promote phishing scams.

2. Why, in today’s security climate, would an organization use a redirect service to provide a link for policy acceptance? I have seen this several times in the last few weeks. Not only will this prevent savvy users from following the link, but it is also ludicrous that a service would use a redirect to track which users are accepting its policy. Again, just ask the user to log in and use a landing page. Their response on the website is the answer to the statistics you want to collect.

3. Why do we continue to force users to download beacon graphics to read email? Okay, I understand you want to know who is actually interested in your service but may not click on the links in the email. But for those of us who turn off loading of remote content, this only makes your email difficult to read due to formatting anomalies, and in the end may simply get your email filtered permanently. So what do they actually accomplish, other than teaching the uneducated masses to accept insecure practices and asking them to accept something the law is trying to restrict?

4. Why can’t we simplify the verbiage? Talk to any user, and they will express disgust with the legal language of privacy policies and EULAs. Even worse, a good majority will admit to not even reading the text before clicking Accept. Would it not be more beneficial to present a concise explanation, with a link on the website to the full legal documentation? Some companies try to do this, but as an industry we fail miserably at informing users of our intentions.

5. Lastly, I will ask: why can’t we provide links in privacy policies that help users determine how to protect themselves and decide how much information they actually want to divulge to companies? When the Internet was young, and we didn’t have all the online marketing choices, education was a common goal for most users. Those of us online wanted to explore the possibilities, and learning about the consequences was part of the process. Users today have less motivation to learn about security than previous generations, but I am confident that, given a choice, more users would rather read how to protect themselves across multiple platforms (general end-user security) than read a policy that applies to one service.
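As an added example (not part of the original post), here is a small Python script that audits an HTML email for the practices criticised in points 2 and 3: links that pass through a redirect or tracking hop or point away from the sender's own domain, link text that names a different host than the one actually linked, and remote "beacon" images (tiny or hidden images loaded from a remote host). The sample email and the sender domain example-service.test are constructed for the demonstration; everything else is the Python standard library.

```python
"""Flag tracking and phishing-risk patterns in an HTML marketing email.

Checks performed (defensive mail-hygiene view):
  * beacon images: remote <img> elements that are 1x1/0-sized or hidden
  * links that leave the sender's domain or carry another URL in their
    query string (a redirect/tracking hop)
  * visible link text that names a host other than the real href host
The sender domain and the sample email below are constructed examples.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SENDER_DOMAIN = "example-service.test"  # assumed domain of the sending service


class _Collector(HTMLParser):
    """Collect <img> attributes and (href, visible text) pairs for <a> tags."""

    def __init__(self):
        super().__init__()
        self.images = []        # list of attribute dicts
        self.links = []         # list of (href, visible_text)
        self._cur_href = None
        self._cur_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self._cur_href = a["href"]
            self._cur_text = []

    def handle_data(self, data):
        if self._cur_href is not None:
            self._cur_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._cur_href is not None:
            self.links.append((self._cur_href, "".join(self._cur_text).strip()))
            self._cur_href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def is_beacon(img):
    """Remote image that is tiny or hidden: almost certainly a read-tracking pixel."""
    src = img.get("src", "")
    if not src.startswith(("http://", "https://")):
        return False
    w, h = img.get("width", "").strip(), img.get("height", "").strip()
    tiny = w in ("0", "1") or h in ("0", "1")
    hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
    return tiny or hidden


def is_redirect_link(href):
    """A URL whose query string carries another absolute URL is a redirect hop."""
    qs = parse_qs(urlparse(href).query)
    return any(v.startswith(("http://", "https://")) for vals in qs.values() for v in vals)


def visible_host_mismatch(href, text):
    """Visible text looks like a URL but names a host other than the real target."""
    shown = text.strip().lower()
    if not shown.startswith(("http://", "https://", "www.")):
        return False
    shown_host = _host(shown if "://" in shown else "https://" + shown)
    return shown_host != _host(href)


def audit_email(html):
    """Return a list of (finding_kind, url) tuples for the given HTML body."""
    p = _Collector()
    p.feed(html)
    findings = []
    for img in p.images:
        if is_beacon(img):
            findings.append(("beacon_image", img.get("src", "")))
    for href, text in p.links:
        if is_redirect_link(href) or not _same_org(_host(href), SENDER_DOMAIN):
            findings.append(("offsite_or_redirect_link", href))
        if visible_host_mismatch(href, text):
            findings.append(("link_text_mismatch", href))
    return findings


# Constructed sample: one tracking-redirect link, one honest login link,
# one link whose text lies about its host, one beacon pixel, one real logo.
SAMPLE_EMAIL = """
<html><body>
<p>We have updated our privacy policy.</p>
<a href="https://click.example-tracker.test/r?u=https%3A%2F%2Fexample-service.test%2Fpolicy">Accept the new policy</a>
<a href="https://example-service.test/account">Log in to your account</a>
<a href="https://click.example-tracker.test/x">https://example-service.test/policy</a>
<img src="https://open.example-tracker.test/o.gif?id=abc123" width="1" height="1" alt="">
<img src="https://example-service.test/logo.png" width="120" height="40" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for kind, url in audit_email(SAMPLE_EMAIL):
        print(f"{kind}: {url}")
```

Run as a script it prints one line per finding; the honest "Log in to your account" link to the sender's own domain produces none, which is exactly the pattern the post recommends. The same `audit_email` function can be pointed at the decoded HTML part of any message pulled from a mailbox to measure how common these practices are across a batch of policy-update emails.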
This article was just intended to express some frustration and present some observations this user has had during these latest regulation changes. I fully support the changes, but I wish those of us who are forced to comply would spend more time thinking about what they mean to our users and how we can make the Internet a safer place for all.

/me stepping off my soapbox.