The Future of Privacy Policies: A Privacy Nutrition Label Filled with Fair Information Practices

E-commerce continues to blossom as evidenced by online retail sales in excess of $33 billion over the first quarter of 2008. This growth helps spur the staggering economy but also magnifies the serious threats surrounding personally identifying information (PII) submitted during e-commerce transactions. The most common threats, such as identity theft and aggregated data files, do the most damage when companies are careless (i.e., losing laptops filled with unencrypted data) or callous (selling data on the open market) with the PII they collect. The first line of defense against these threats is the electronic privacy policy. In theory, privacy policies are supposed to force companies to analyze and strengthen their privacy practices and then provide Web surfers with a detailed picture of what happens to their information upon submission. Privacy policies are most effective when Web site visitors can locate, read and comprehend their terms. Armed with this knowledge, individuals are supposed to make accurate privacy assessments before submitting information online. Problematically, contemporary privacy policies fail to live up to their promise because they are posted inconspicuously, purposefully vague and filled with legalese. This inaccessibility leads Web surfers to ignore privacy practices completely while they continue to submit PII blindly.
Privacy policies can be effective if companies clearly and conspicuously discuss how their privacy terms relate to fair information practices (FIPs). FIPs are widely agreed-upon guidelines covering the most important areas of the data trade - PII collection, use, storage and dissemination. The Federal Trade Commission has designated the five core FIPs to be notice, choice, access, integrity and enforcement.
This article argues that a standardized privacy nutrition label - similar to the labels required by the Nutrition Labeling and Education Act - posted conspicuously on all e-commerce homepages can increase policy effectiveness. These federally mandated labels require companies to discuss their privacy practices in relation to each Key FIP. Although companies need not adopt specific policy terms or run their practices through a governmental clearinghouse, they must honestly disclose their practices. This is true of even the most unpopular practices such as external PII dissemination. Over time, consumers will become aware of these standardized labels, begin to understand FIPs, differentiate between privacy-protective and privacy-invasive practices and make better decisions before submitting PII.