And if the terms of the policy change?
It’s bad enough that most of the “choices” we have in privacy today are either, “Accept our terms or don’t use the service.” But then the terms can change at any time?Nearly every privacy policy I looked at had some variation on these words: “Please note that this Privacy Policy may change from time to time.” If the changes are “material,” which is a legal phrase meaning “actually affects your rights,” then all data that’s collected under the prior terms will remain subject to those terms. Data that’s collected after the change, though, will be subject to the new terms, and the onus is put on the user to check back and see if the terms have changed.Most companies, like Google, Yahoo, and Microsoft, promise to make an effort to let you know that material changes have been made, by contacting you or posting the changes prominently. Some, like New York Times Digital and Facebook, promise that material changes won’t go into effect for six months, giving their users some time to find out.Recently, Facebook decided to test out the right they had reserved to change the terms of use. Facebook wanted to amend the terms of its license to the content provided by Facebook members. Although it wasn’t actually a term in the privacy policy, it implicated users’ privacy rights as it involved personal content they had uploaded to Facebook. Facebook claimed that its new terms of use didn't materially change users’ rights but merely clarified what was already happening with data. For example, if user A decides to send a message to user B, and then A deletes her account, the message A sent to B will not be deleted from B’s account. The information is no longer belongs only to user A.However, Facebook’s unilateral attempt to change the terms of use provoked such uproar that the changes were withdrawn. Instead, two new documents were created, Facebook Principles and Statement of Rights and Responsibilties, and users were given the option to discuss and vote on these documents before they go into effect. Ultimately, the new versions were approved by vote of Facebook members.Facebook is certainly not a model of privacy protection, but this incident is illuminating. Legally, Facebook could change its terms without its members’ approval. But practically, it couldn’t. There’s been some debate over whether angry users understood the changes and what they meant, but that’s almost irrelevant. Facebook couldn’t simply dictate the terms of its relationship with its users any more, given that its greatest asset is the content created by its users.It may seem counterintuitive, but it’s not surprising that some of the most visible and effective consumer efforts to change how a company uses personal information have stemmed from an online service based on voluntary sharing. The more people are given opportunities to participate in how information is shared, the better people can understand what it means for a company to share their information and the more likely they are to feel empowered to shape what happens to their information. Facebook can’t offer the service that it does without the content generated by its users. But as it’s begun to realize, its users then have to be a part of decisions about the way that content is used.We all know privacy policies are frustrating, inadequate, and difficult to understand. So it's good to remember that all our privacy battles don’t have to be fought on their terms.