[Foundation-l] New draft of privacy policy (urgent)

Tue Jun 24 00:03:39 UTC 2008

On Mon, Jun 23, 2008 at 4:16 PM, Thomas Dalton <thomas.dalton at gmail.com> wrote:
> 2008/6/23 Mike Godwin <mgodwin at wikimedia.org>:
>> but there is no
>> question that the document has to function both as a statement of
>> binding policy and as an educational document.  Attempting to separate
>> one from the other is asking for trouble down the line.
>
> There is question - I question it. Policy and documentation are very
> different things. Trying to combine the two is very difficult and, in
> my opinion, doomed to failure for the reasons already given.
>
I have to agree with Mike here that a (good) privacy policy has to
function "both as a statement of binding policy and as an educational
document" (ignoring the part about whether or not there's "no
question").

In fact, I'd say the *primary* purpose of a privacy policy is as an
educational document.  If all the organization wants to do is bind
itself to something, a private board resolution would suffice.  I
think Mike should be applauded for trying to create an educational
document rather than a bunch of legalese.

(I guess in some jurisdictions privacy policies are legally required
so maybe the purpose could be to fulfill a legal requirement.  Or
maybe the purpose could be to keep browsers from popping up warnings
about the lack of a privacy policy.  But still, the base reason is
that the public has an ethical right to know these things - a right to
be educated.)

>> We considered for a while separating the current policy into a
>> statement of policy and an FAQ.  That would have "solved" the length
>> problem, more or less, but it also would create a problem, since the
>> FAQ itself would have functioned as a legally binding public promise
>> as well.  In other words, it would have seemed to be more elegant but
>> would have raised potentially more legal problems, especially to the
>> extent that the public relied on representations in the FAQ rather
>> than in the policy statement proper.
>
> I guess that depends on how well you write it. The policy should
> describe what the WMF commits to doing, the FAQ should explain why.

Why couldn't the FAQ *be* the current draft policy?  Then all that's
needed is a summary, which becomes the "privacy policy".  And then it
isn't a problem if the FAQ is legally binding, because it commits the
WMF to no more than the WMF was going to commit to anyway.  Or if you
don't want to call it a FAQ, because it's not in standard FAQ format,
call it "privacy policy (long version)" and "privacy policy (short
version)".

Or would it take too much time and effort (also read: cost) to come up
with a Godwin-approved shortened privacy policy?  That's the only
argument I can see against it, since Mike has already seemed to agree
it's possible to have a shorter "statement of policy".

Just brainstorming a solution that maybe can solve both points of
view.  Feel free to ignore me, or not.

> Legality aside, we're telling you, as real people, that this policy
> simply will not work. It doesn't matter how prudent it is, if it
> doesn't work, it's useless.
>
I certainly don't agree that it's "useless".  A privacy policy is
never going to make particularly fun reading material.  A shorter
policy would probably be more useful, not to mention more educational,
but a long policy isn't "useless".

This said, I've had to skim the new draft rather than read it in
depth.  I'll probably get to that later.  Sorry, Florence, non-ideal
world and all that.