How to Make Privacy Policies Better, in Two Easy Steps

[Commentary] The agita over Spotify’s privacy policy resembled disputes in 2015 over other companies’s privacy policies -- like Samsung’s and Uber’s -- as well as the the cyclical fretting over Facebook’s reach. These scandals have attained a degree of predictability: They are almost as formulaic as the legalese of the policies themselves. But beyond the cycle of discovery, outrage, and apologetic adjustment, there are deeper problems. The way lawyers, executives, and developers address user privacy just doesn’t work that well. Neither consumers nor corporations benefit from our current amend-then-freak-out regime.

The situation could be improved with two different specific adjustments, one legal and one technical. Legally, the tech-policy writer Logan Koepke advocates that companies should announce a new privacy policy whenever they change. If a regulatory change looks unlikely, though, there is a technical intervention that Apple and Google could make. Imagine if, right before a run, Spotify asked for 60 minutes of access to your GPS location. If you still seemed on the move 55 minutes later, it would ask for another hour of access. That seems to me like a better trade: Not all the access, all the time, wherever; but access right now, for a little while, here. Apple or Google could encourage this practice simply by making that feature possible at the operating-system level. It would be more seamful, and it would be more trustworthy.