Our personal information is used to control how we think, feel, and vote. In the United States, we saw this most recently with the Cambridge Analytica and Facebook data scandal and the enactment of GDPR in Europe. Privacy is at the top of everyone's mind—but who actually reads privacy policies? According to a 2014 Pew Research survey, half of Americans don't even know what a privacy policy is.

One new initiative thinks it has a solution. Open Privacy Directive, known as OpenPD, is designing a new generation of privacy policies that protect users' rights first, are flexible, and, perhaps most importantly, are standardized. Imagine visiting a site, looking at its footer, and being able to know exactly how it processes your personal information without having to read pages of legalese. Your browser could warn you when you visit a site that uses your data in a way you're not comfortable with. This is the Internet that OpenPD is trying to create.

Perhaps OpenPD puts it best in its overview document: "Most privacy policies are unhelpful. They fail to clearly define the data subject's rights, they use ambiguous language, and they don't clearly explain the data they collect." The document continues, "OpenPD is a standardized system for classifying data rights so that they can be clearly understood. It exists on top of an existing privacy policy, or, for smaller projects that don't already have a privacy policy, in lieu of one." Think of OpenPD as a reverse non-disclosure agreement between a service and its users, one that is flexible but also machine-readable.

Here's how it works: OpenPD policies have two parts, the base and the configuration. All OpenPD policies employ the same base, which establishes blanket protection for all data and also ensures a number of fundamental user rights. If a service plans to collect information, it can declare the data it wishes to collect in the configuration, where it also must make clear what it plans to do with that data. And it all follows a machine-readable format.

The OpenPD base prevents the service from collecting any data at all except as specified in the configuration. The base also requires services to allow users to delete their data, to follow a special procedure when modifying their OpenPD policy, and to practice responsible disclosure in data breaches. And how are data breaches defined? Any time that the OpenPD policy is violated. The blanket privacy protections of the OpenPD base and its innovative definition of a data breach make it challenging for a company to mistreat user data and not face consequences.

In a perfect world, data would remain in our own hands. In this perfect world, the only thing we'd need is the private-by-default OpenPD base. Unfortunately, this isn't the world we live in, and services need to collect data about their users to function properly. To accommodate this unfortunate truth, OpenPD allows services to configure their policy using a number of standardized data collection categories and use cases.

To include OpenPD on a service is just like licensing content under Creative Commons. Just paste a link to the OpenPD policy and configuration in the footer—or anywhere else, for that matter. Because it's a standardized policy and configurations always follow the same common format, there is no need to read the entire document to know how a service uses personal data. Instead, just look at the configuration.

OpenPD gets even cooler, however: in addition to serving as a contract, it's also like a license. When a service collects data under OpenPD, that data is itself licensed under OpenPD. Even if the service were to later change its privacy policy to something other than OpenPD, the data collected while OpenPD was in force would still be protected under the terms of OpenPD.

OpenPD is still in development. A proof of concept was released in January, and the team is currently hard at work drafting a more complete and flexible policy for release later this year. The entire project is licensed under Creative Commons, so it'll be free to use, no matter who you are. OpenPD is community driven, too: just this week they launched OpenPD Meta, a site where the project will be transparently governed.

OpenPD is an exciting step towards the next era of privacy online. It's a high-tech redesign of the traditional privacy policy that emphasizes user rights and transparent governance—just when the Internet needs it most.


Disclosure: R. Miles McCain, the author of this article, is a member of the OpenPD team. Follow him on Twitter @milesmccain or online at https://rmrm.io.

Cover image: lock around a keyboard. Public domain, CC0.