Data Dilemma: The Rhetoric of (Privacy) Rights

If you’re on the internet, you’ve probably received an avalanche of privacy policy emails in the past few weeks, perhaps even from companies whose mailing list you didn’t realize you’d signed up for.

The cause behind this hubbub is a major European privacy law that’s been two years in the making. The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, ensures certain data privacy rights for individuals within the EU, such as the right to obtain information about how companies process your personal data, the right to request access to this data so that you can transfer it to another service, and the right to object to companies using your data for certain purposes. Companies also have an obligation to clearly articulate their privacy policies in a way that their users can understand—so, no obscuring important privacy info in a sea of legalese.

The law passed two years ago—well before the Cambridge Analytica revelation, or the more recent scrutiny of Facebook’s and Google’s role in Ireland’s abortion referendum (many saw this vote as a test case of how well these companies could prevent foreign parties from targeting key demographics on social media to influence elections). However, the GDPR gave companies two years to comply—a deadline that just passed.

Since many of the companies affected by the law have an international reach that extends beyond the EU, a lot of North Americans have been getting privacy emails too. Some organizations have applied the more stringent EU standards to their North American users as well, while others have established separate data privacy rules for different parts of the world. And now these companies need to clearly inform users of their new policies. Hence, the heap of privacy emails in your inbox.

Words, Words, Words

With all the recent controversy over data transparency and privacy, companies are choosing their words carefully when they present privacy changes to their users. Reading my own set of privacy policy emails, I was struck by some recurring rhetorical patterns: emphasizing users’ choices, control, and options; framing privacy changes as merely attempts to provide clarity, transparency, and details to improve users’ understanding; and relying heavily on first- and second-person personal pronouns while appealing to a sense of personal community or trust.

Unsurprisingly, many of these statements echo the word choice of the EU’s official communications on the GDPR, which the European Commission claims “will strengthen the protection of the individual’s right to personal data protection, reflecting the nature of data protection as a fundamental right for the European Union.” The goal is for people to “have more control over their personal data.”

How companies frame these mandated changes says a lot about how they want their users to perceive the new rules—or gloss over them. So, I dug through my inbox, and here are my observations after analyzing twenty of these privacy policy update notifications (both emails and website pop ups).[1]

Pattern One: Choices and Control

Half of the twenty emails emphasized users’ control over their data, and just as many used words like choices and options and highlighted users’ ability to manage their information. The overall message was that each company wants to give you choice, or power over your data—a strong message when many of us feel a bit overwhelmed and powerless where our online personal information is concerned.

Twitter’s word choice was particularly evocative, claiming that they want to empower users, who should have “meaningful control over” their data and its use. “You have the final say about whether and how we process your personal data.” 

This last quote, I should note, came right after Twitter said that if you don’t like their data privacy rules, you’re welcome to deactivate your account. So, some of the power and control these companies allegedly give you comes from the option to disengage.

Pattern Two: Totally Transparent

The messages also relied heavily on words like transparency and clarity, with many explicitly stating that their policy updates are merely to help users better understand their existing policies, to provide details and make policies more specific (careful not to imply that their previous data policies may have infringed on users’ rights). This language suggests that these changes are not substantive (whether or not that’s actually true), while also giving off the impression that these companies care that you comprehend exactly what you’re signing up for. Google’s email is a prime example:

“Nothing is changing about your current settings or how your information is processed. Rather, we’ve improved the way we describe our practices and how we explain the options you have to update, manage, export, and delete your data.”

Google was clear that they improved the way they describe their practices, not the practices themselves.

Given that these data privacy changes were prompted by the GDPR, and one of the GDPR’s main goals is increased transparency, it’s interesting that only thirteen of the twenty privacy notices I read mentioned any kind of privacy law as an impetus for their changes (and four of these kept the reference vague, not mentioning the GDPR specifically). Admittedly, these emails are a small and not necessarily representative sample, but Facebook was one of the six that failed to mention any legal reason for their policy changes. (Facebook did, however, emphasize users’ rights and the importance of their control over their choices.)

Pattern Three: Keeping It Personal

The final pattern I noticed is that almost all these messages were super personal—evoking feelings of friendship, trust, or community and using a lot of first- and second-person personal pronouns (we, our, us, you, your). Pronoun usage may not seem that important, but peppering your writing with pronouns that include the reader can help create a personal, conversational tone that inspires trust: Our company cares about you and your data privacy and your choices, and we want you to take control of your data. You can trust us.

Beyond the pronouns, many companies struck a genial tone, using their word choice to establish trust and a sense of community between themselves and you, their user. Twitter thanked users for their “trust” (implying that it had already been given), and Airbnb thanked each user “for being a member of our global community.” Similarly, Uber talked about the “lasting relationship” it has with its customers:

“We understand that protecting your privacy is essential to building a lasting relationship with you, and we’re committed to doing the right thing with the information you’ve entrusted to us.”

Overall, many of these companies implied that their privacy changes have an ethical impetus, not just a legal one. Whether this is just posturing or not, these privacy messages have been crafted to evoke good feelings about the company and its intentions toward you—and and to persuade you to trust that you don’t need to worry about what they’re doing with your data.

Privacy Rights, Privacy Wrongs

With all this talk of data privacy rights and companies’ ethical and legal obligations to respect them, it’s worth asking, what rights should we have when we freely give our data to companies online? A right is “something to which one has a just claim” or “may properly claim as due.” In general, a right connotes something deserved, whether legally or ethically. However, we don’t have clearly defined rights for a lot of what goes on in the internet age.

When I was younger, I remember talking to my dad, who is an accountant, about tax laws governing “tangible personal property” and how many state tax laws hadn’t been updated to explicitly account for digital products like software. (You could theoretically land in a situation where, in certain states, software delivered on a physical disc would be subject to tax as tangible property, while the same software delivered through the internet would not—because the latter wasn’t tangible.) It strikes me that data privacy is another area where the law hasn’t quite caught up to the technology, and where we need to continue to weigh the words we use as new standards take shape. The GDPR is the European Union’s attempt to define a standard for data privacy rights; however, it is limited geographically, and how effective it is remains to be seen. The conversation about data privacy rights and how we define them is just beginning.

What sort of data privacy rights should we have online? I’d love to hear your thoughts or any interesting privacy policy emails you’ve received recently and the rhetoric they’ve used. Otherwise, I’ll be back in two weeks with another blog about words.


[1] I reviewed privacy policy notices from the following companies: Pinterest, Ibotta, AngelList, Facebook, Patreon, New York Magazine, Fossil Q, H&M, O’Reilly Safari, NPR, Meetup, Google, Bluehost, eBay, Kickstarter, Twitter, Airbnb, Uber, Oath (which owns Yahoo, AOL), and Indeed. I did not analyze the full privacy policies and terms of service, but companies’ email and pop up communications to current users describing and summarizing the changes. Obviously, this sample is not representative and is shaped by my personal online subscriptions.

Leave a Reply

Your email address will not be published. Required fields are marked *