Everybody knows these modal dialogs when visiting a website for the first time that ask you to accept cookies and consent to being tracked by third-party advertising networks. It actually became a habit for me to always click through these things and reject any kind of tracking or use of my personal information except for the “required” cookies.

But today, I came across this dialog on atlasobscura.com with the title We value your privacy:

I highly doubt Atlas Obscura actually values my privacy when the only option is to “accept”. By the way, if you actually follow to the privacy policy to “withdraw consent”, access to the content is still blocked by this modal dialog on the next visit. Leaving technical details aside, for the layperson there is in fact no other choice than clicking “accept”, if they want to get access to the website.

Now, if you actually read their privacy policy in detail, it contains this one phrase that really stired up my blood even more:

Atlas Obscura may, at its sole discretion, modify this Privacy Policy at any time. By accessing the Website at any time after such modifications, you are agreeing to such modifications.

How can such a privacy policy be legal? They claim to value my privacy and I can review what they mean by that in the policy. However, at the same time they do not commit to keep it like that and might not “value my privacy” at any later point in time.

Now think this further. If this clause is in fact legal, we could set up a website with a volatile privacy policy. That would be a privacy policy that changes on every visit of the website.



As an example, on the first visit, we happily tell the visitor that we do not collect any information, do not use personal information, and of course also do not sell any kinds of data to adverstising networks. However, as soon as the visitor accepted this policy (of course they are privacy aware and read the policy), it will suddenly change to the opposite. The visitor will never be informed or even asked for consent again.

Would you agree to a contract that can be changed by the other party at any time in any way? You get the idea. Of course, actually implementing a privacy policy changing unexpectedly would include malice, so the visitor might have a case against it, but only if they ever notice…

I just took Atlas Obscura as an example of such a policy and I do not mean to only blame this website in particular. There are in fact a lot of other sites on the web that apply the same or a similar privacy policy.

If your privacy policy contains a clause that allows you to change the policy without asking me for consent, you do not actually value my privacy.