One new initiative thinks it has a solution. Open Privacy Directive, known as OpenPD, is designing a new generation of privacy policies that protect users' rights first, are flexible, and, perhaps most importantly, are standardized. Imagine visiting a site, looking at its footer, and being able to know exactly how it processes your personal information without having to read pages of legalese. Your browser could warn you when you visit a site that uses your data in a way you're not comfortable with. This is the Internet that OpenPD is trying to create.
Here's how it works: OpenPD policies have two parts, the base and the configuration. All OpenPD policies employ the same base, which establishes blanket protection for all data and also ensures a number of fundamental user rights. If a service plans to collect information, it can declare the data it wishes to collect in the configuration, where it also must make clear what it plans to do with that data. And it all follows a machine-readable format.
The OpenPD base prevents the service from collecting any data at all except as specified in the configuration. The base also requires services to allow users to delete their data, to follow a special procedure when modifying their OpenPD policy, and to practice responsible disclosure in data breaches. And how are data breaches defined? Any time that the OpenPD policy is violated. The blanket privacy protections of the OpenPD base and its innovative definition of a data breach make it challenging for a company to mistreat user data and not face consequences.
In a perfect world, data would remain in our own hands. In this perfect world, the only thing we'd need is the private-by-default OpenPD base. Unfortunately, this isn't the world we live in, and services need to collect data about their users to function properly. To accommodate this unfortunate truth, OpenPD allows services to configure their policy using a number of standardized data collection categories and use cases.
To include OpenPD on a service is just like licensing content under Creative Commons. Just paste a link to the OpenPD policy and configuration in the footer—or anywhere else, for that matter. Because it's a standardized policy and configurations always follow the same common format, there is no need to read the entire document to know how a service uses personal data. Instead, just look at the configuration.
OpenPD is still in development. A proof of concept was released in January, and the team is currently hard at work drafting a more complete and flexible policy for release later this year. The entire project is licensed under Creative Commons, so it'll be free to use, no matter who you are. OpenPD is community driven, too: just this week they launched OpenPD Meta, a site where the project will be transparently governed.
Cover image: lock around a keyboard. Public domain, CC0.