Practical Privacy

On Making Privacy Policies More Simple and User-Friendly

By Allen Brandt, CIPP/US, CIPP/E, CIPM
From the BBC’s cookie notice

David Vladeck, while he was heading up the FTC's Bureau of Consumer Protection, frequently railed against the current generation of consumer-facing privacy policies, and he has data to back him up: Consumers just don't read or understand the things.

Much has been written about the failure of many privacy policies in the way they have been implemented. Most, it seems, have been written by lawyers (disclosure: I am one) and seem only to exist for either the mandatory requirement to have a policy or to throw everything in the policy in the event plaintiff lawyers start calling—“you can point to page 3, paragraph 3(c)I … that explains everything.”

In fact, research shows that many consumers think that a "privacy policy" is there to protect them, rather than just to give them—not to mention regulators, privacy advocates and class-action attorneys—notice. A 2007 study at the University of California, Berkeley found that "75 percent of consumers think as long as a site has a privacy policy, it means it won't share data with third parties," confusing the existence of a privacy policy with extensive privacy protection.

There even seems to be confusion about whether they should be called privacy policies or notices.

But semantics aside, a new, very different group of consumer-facing privacy policies is starting to emerge. It may have started with U.S. government legislation requiring federal websites to incorporate plain-language techniques into all new and updated pages. Banks in the U.S. have started experimenting with simpler documents, including the use of tables, to make information easier to find and understand.

And business is also doing its part, possibly to connect better with its customers.

My organization, GMAC, for example, recently converted our entire privacy policy into a series of one-minute videos. There is still the fully written version available, but less than five percent of the visitors to the privacy page ever go there; they are clicking on the video links to get the information they need. And to help clear up some of the "privacy policy" confusion, we've changed ours to the "privacy center," as I think it has a better chance of being recognized for what it is: a resource.

In another example, the BBC’s website incorporates humor into its cookie explanation page with an image of smiling people eating cookies. How can you not smile and have a good feeling about any organization that can do this?

One of the earliest forms of unique privacy policy implementations was from the app game developer, Zynga. Here, they used a game to make the policy less scary and appeal to the site's users.

Finally, a great implementation of how to present policy information can be found on LinkedIn's privacy and terms of use pages. In addition to incorporating a short video, they broke the information into very small parts and placed an icon and a summary next to each section, letting the user navigate more easily to their area of interest and highlighting what is in each section.

I'm sure that I've missed many great examples of how organizations are rethinking how to connect with their users and make these required policies part of their branding message and less of just a legal requirement, but these examples might help to give you some ideas and motivate you to get started on rewriting your own.

About the Author

Allen Brandt, CIPP/US, CIPP/E, CIPM, is corporate counsel, data protection and privacy, and chief privacy official for GMAC, which owns the Graduate Management Admission Test (GMAT), an exam delivered to prospective graduate business students in 111 countries worldwide. He provides legal guidance and counsel on U.S. and domestic consumer privacy issues, creates data protection policies and procedures, responds to privacy inquiries and leads the privacy training program. In addition, he monitors compliance with the council’s marketing programs and oversees the filing of international data processing applications and notices.

Brandt is a member of the California and Missouri Bars and is a Virginia corporate counsel.  

Comments

  • December 11, 2013
    Kino
    replied:

    The problem is that these companies make money from selling information; they can dress it up all they want, but their privacy policies will always be weak because of this.
