Decoding the Privacy Policies of Assistive Technologies
Kirk Crawford, Yi Xuan Khoo, Asha Kumar, Helena Mentis, Foad Hamidi · 2024 · Proceedings of the 21st International Web for All Conference (W4A) · doi:10.1145/3677846.3677850
Summary
This paper systematically analyzes the privacy policies of 18 assistive technologies available in the United States, examining how these companies communicate data collection and processing practices to their users. The researchers used the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analysis) process to identify and select ATs from government recommendation lists and prior research, covering a range of technologies including electronic glasses (Acesight, OrCam MyEye, NuEyes Pro, eSight), navigation apps (Lazarillo, LookTel GPS), visual interpretation services (Aira, Be My Eyes), speech-to-text software (Dragon Voice), reading apps for dyslexia (Ghotit), and communication devices for deafblind users (UbiDuo 3 Wireless, Orbit Chat). Following Braun and Clarke's thematic analysis process, the first three authors independently coded each privacy policy, identifying themes through collaborative discussion, cross-checking, and iterative refinement. The study addresses a critical gap: while previous research has examined AT users' privacy perspectives and general privacy policy readability, no study had systematically analyzed the privacy policies of ATs designed for people with different types of disabilities. The findings reveal that AT companies often treat privacy policies as legal shields rather than tools for empowering informed user consent, creating significant risks for a population that may share particularly sensitive personal data through their everyday technology use.
Key findings
The analysis revealed five major themes. First, none of the 18 AT privacy policies provided protections specific to individuals with disabilities — a striking omission given that these are technologies designed explicitly for disabled users. Protections for children appeared in 13 of 18 policies, but no equivalent safeguards existed for disabled users who may face heightened privacy risks. Second, policies were structured primarily as legal guardrails protecting companies rather than users, with language emphasizing minimum legal compliance over meaningful user protection. Third, significant inconsistencies emerged in how companies described data storage, handling, and security — 13 policies detailed data handling practices while 6 remained vague. Fourth, 8 of 18 policies failed to distinguish between essential data (needed for the AT to function) and non-essential data collection, with some like Dragon Voice listing collection of sensitive information such as sexual orientation and immigration status without explaining why. Fifth, third-party data sharing practices lacked transparency, with some companies shifting responsibility to users to review third-party privacy policies themselves. The researchers noted that people with disabilities face nearly double the lifetime risk of intimate partner violence, making data privacy protections especially critical for this population.
Relevance
This research has significant implications for AT developers and organizations procuring assistive technologies. The finding that zero AT privacy policies include disability-specific protections should prompt immediate action from the AT industry. For accessibility practitioners evaluating tools, this study provides a framework for assessing whether AT vendors adequately protect user data — a consideration often overlooked in procurement decisions that focus on functionality and WCAG compliance. The paper challenges AT companies to move beyond generic legal templates and develop privacy policies that acknowledge the unique vulnerabilities of their user base, including the sensitivity of disability-related data and the heightened risks of data exposure for disabled individuals. Organizations deploying ATs should advocate for clearer distinctions between essential and non-essential data collection, transparent third-party sharing practices, and policies written in accessible, plain language.
Tags: privacy · assistive technology · policy analysis · data protection · informed consent · disability rights
Standards referenced: GDPR · HIPAA