Inside 1to1:Privacy

Best Practices in Drafting Plain-Language and Layered Privacy Policies

September 13, 2012

By Mehmet Munur, CIPP/US, Sarah Branam and Matt Mrkobrad, CIPP/US, CIPP/G

Privacy policies have become long legal documents that most attorneys, let alone the average consumer, have difficulty understanding. They are meant to give individuals notice of how their information is collected, used and disclosed. In practice, however, they are often complicated, long and unintelligible and, as a result, rarely read by the average consumer. It is important to change this reality. Below are a few best practices for drafting plain-language, multi-layered privacy policies that should help reverse this trend and help the average consumer read and understand your privacy policy.

Align privacy practices with privacy promises by conducting factual and legal due diligence.

Your organization’s privacy practices must align with its privacy promises to minimize legal liability. You can achieve that alignment by conducting factual and legal due diligence. Factual due diligence tells you what information your organization collects and how it uses it. Legal due diligence tells you which laws govern that use. You need to understand both in order to competently draft a privacy policy that minimizes legal risk for your organization.

Arguably, the largest legal risk created by statements in a privacy policy is a misalignment between privacy promises and actual privacy practices. A material difference between what the organization says in its privacy policy and what the organization actually does can result in enforcement actions by regulators or class-action lawsuits by consumers.

As a result, no privacy policy should be drafted in a factual vacuum. Rather, you should draft the privacy policy only after conducting due diligence about your organization’s collection, use, sharing and retention of information. You will need to find out whether you collect information only from individuals themselves or also about individuals from third parties such as service providers. You will need to find out what types of information you collect from these sources and how you share it with others. You will also need to find out for what purposes you use the information, and then disclose those practices accordingly.

You should also avoid drafting your privacy policy in a legal vacuum. Your factual due diligence may reveal that you collect several different types of data: personal information, automated information, healthcare information, financial information or even children’s information. Different laws, regulations or private obligations will apply to the use of each type. By finding out the exact requirements of these laws and how they apply to your organization, you can draft more precise privacy promises. In fact, you may even find that your organization is not legally required to make some statements at all, even though it may choose to make them.

However, this is easier said than done. Many organizations have to deal with a large number of websites, products or services. Where products and services develop faster than policies and procedures regarding their governance, privacy policies may be outdated in a short period of time. Therefore, you should put in place policies and procedures to conduct due diligence early on in the product lifecycle and on a continual, ongoing basis.

Depending on feasibility, conduct a privacy impact assessment or a privacy risk assessment. At the very least, seek review of the policy from the website, service or product managers. This type of involvement from the entire organization results in a better final product. It also provides a good opportunity to educate various website, service or product managers on the details of the policy and ensures that the product and policy statements align.

In addition, it is crucial to strike a balance between giving consumers detailed information and leaving room for the business to grow. Consider whether it is in your organization’s best interest to state that you may use the information for a purpose that your organization plans to pursue in the future but does not currently pursue. During your legal due diligence, you can also try to anticipate changes in the law that may require your organization to make additional promises. Planning ahead in this way prevents a potential misrepresentation in your privacy policy and avoids frequent revisions.

Use multiple layers. Carefully determine what goes in each layer.

Having conducted the due diligence, you should then prioritize the disclosures into different “layers.” Your first layer should be the shortest and the simplest. Commonly called the highlights notice or privacy policy highlights, it should be the first policy that consumers see and should be the page your privacy policy link points to. It should contain multiple links into the second layer, the full policy. See, for example, the IBM, Microsoft, Nat Geo, P&G, Walmart or USPS highlights policies.

Aim for two layers, possibly supported by a third layer of FAQs or links to sections that provide more information about technical topics. The most common elements in the first layer are scope; uses and disclosures; rights and choices; important information, and contact information. Do not spend the first layer on practices that are commonly accepted and consistent with the context of your interaction with the consumer. In its final privacy report on protecting consumer privacy, the Federal Trade Commission discussed this notion of commonly accepted practices. For example, fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing would be anticipated by the consumer and would usually not require choice. Therefore, do not feel the need to disclose these practices in the first layer of your privacy policy; place them in the second layer. Instead, focus the first layer on elements that may not be obvious to your consumers.

Under some circumstances, however, focusing on the common elements may be necessary. For example, this may be the case where your organization’s use of the consumer’s information is not consistent with the context of their transaction. This may also be the case if you do not have many uncommon uses of information. Therefore, carefully determine what information you need to place in the first layer of your privacy policy.

Include the full details of your privacy policy in the second layer. While some regulators have advocated for up to three layers, each with more detail than the previous one, this is uncommon in practice. This second layer should include all information: the obvious, the technical and all the information appropriate to educate your consumers about the use of their information. The particulars of the policy will be determined by the laws applicable to your websites, products or services. However, feel free to use a checklist or other industry guidance documents, such as the AICPA Generally Accepted Privacy Principles, to ensure that you covered all bases.

On the other hand, some information may be better described in a third layer. For example, detailed information relating to cookies, data retention, international data transfers and the use of data centers in multiple locations may require additional explanation that you may prefer to put in FAQs or in a separate policy outside the first two layers. If you are bound by the revised E-Privacy Directive in the EU, you may choose to publish a separate policy listing your cookies and link it from your privacy policy. However, you should still refer to these issues in general terms in the second layer.

Be sure that the different layers, FAQs or any other extraneous statements relating to your privacy policy do not conflict with the full privacy policy. For example, if the first layer of your privacy policy states that you do not sell your consumers’ personal information and the second layer of your privacy policy—your full privacy policy—states that you may sell or transfer this information as part of a business transfer, then you may confuse your consumers and face potential enforcement actions.

Finally, note that a layered approach, while advocated by regulators and shown to be consumer-friendly, has not yet been tested in litigation. Implement this approach carefully, and make sure that the hyperlinks work as intended. If done right, it should achieve the dual purpose of providing easy-to-understand privacy notice to consumers and limiting liability through complete and accurate disclosure.

Choose your words carefully. Cut out the fluff.

Carefully choose the words you use. Use simpler, more familiar terms and avoid defined terms and legalese whenever possible. Remember, consumers are not attorneys and likely will not understand legal concepts.

Inevitably, you will need to use terms of art, such as cookies, local shared objects, HTML5 or data controller. In those instances, include hyperlinks to the explanations or the FAQs that explain them meaningfully. There is no need to define every concept with quotation marks, especially if the concept is self-explanatory and there is little ambiguity. If your privacy policy applies to a website, you need not state that this “privacy policy” applies to this website. Your privacy policy should be simple enough that it needs very few definitions.

If you define a concept, do so carefully. If you exhaustively define “personal information” and your privacy policy applies only to personal information, then you may end up with categories of information for which you have no privacy policy at all. This is fine, so long as it is your intention. However, trends in technology, privacy and enforcement are making disclosures relating to unique IDs, cookies and IP addresses more important. Therefore, be sure that your privacy policy achieves its objective of informing your consumers of the use of their information, whether sensitive, personal, personally identifiable, automated, anonymized or otherwise.

A word of caution: you may not want to tell your consumers how much you care about the privacy and security of their information. Class-action complaints and FTC enforcement actions are littered with companies that told their users how much they cared about the privacy and security of their personal information and then suffered a breach. Instead, describe your privacy and security practices in general terms. Twitter took this route when it revised its original privacy policy after the 2010 FTC enforcement action and removed the provisions describing its concern for its users’ security, perhaps realizing a little too late that it was not legally required to make those promises.

Use short sentences, active voice and bullet points.

Your privacy policy should also be well organized and easy to read. Shorter sentences in the active voice are easier to understand. Use a table of contents with hyperlinks to the major sections of the policy, and have each section link back to the table for easy navigation. Use bullet points when you find yourself listing many items. This is especially useful when listing the types of information collected or the purposes for which information is used. Bullet points make the structure easier to read and improve the appearance of the policy.

Review your work. Publish accordingly.

You should have the privacy policies reviewed by others. To ensure that the policies are simple enough to read, have colleagues who are not in the privacy or security field read them. You need not hire focus groups—though that is not a bad option either. Be creative. If you or your colleagues have young adults in your family, have them review your policies.

Also, be sure to read up on the issues relating to publicizing your privacy policy revisions before publishing the initial or updated version of your privacy policy.

Following the recommendations above should help you draft more understandable privacy policies. Your consumers—and hopefully courts and regulators—will appreciate your efforts in communicating more clearly with them.

Mehmet Munur, CIPP/US, is an attorney at Tsibouris & Associates, LLC; Sarah Branam is the privacy manager for Epsilon, and Matt Mrkobrad, CIPP/US, CIPP/G, is the privacy manager and Bank Secrecy Act officer at Alliance Data.

Read more by these authors:

Five considerations before publicizing privacy policy updates