Best Practices in Drafting Plain-Language and Layered Privacy Policies
By Mehmet Munur, CIPP/US, Sarah Branam and Matt Mrkobrad, CIPP/US, CIPP/G
Align privacy practices with privacy promises by conducting factual and legal due diligence.
However, this is easier said than done. Many organizations have to deal with a large number of websites, products or services. Where products and services develop faster than the policies and procedures governing them, privacy policies may become outdated in a short period of time. Therefore, you should put in place policies and procedures to conduct due diligence early in the product lifecycle and on an ongoing basis thereafter.
Depending on feasibility, conduct a privacy impact assessment or a privacy risk assessment. At the very least, seek review of the policy from the website, service or product managers. This type of involvement from the entire organization results in a better final product. It also provides a good opportunity to educate various website, service or product managers on the details of the policy and ensures that the product and policy statements align.
Use multiple layers. Carefully determine what goes in each layer.
Finally, note that a layered approach, while advocated by regulators and shown to be consumer-friendly, has not yet been tested in litigation. Implement this approach carefully, and make sure that the hyperlinks work as intended. If done right, it should achieve the dual purpose of providing easy-to-understand privacy notice to consumers and limiting liability through complete and accurate disclosure.
Choose your words carefully. Cut out the fluff.
Carefully choose the words you use. Use simpler, more familiar terms and avoid defined terms and legalese whenever possible. Remember, consumers are not attorneys and likely will not understand legal concepts.
Use short sentences, active voice and bullet points.
Review your work. Publish accordingly.
You should have the privacy policies reviewed by others. To ensure that the policies are simple enough to read, have colleagues who are not in the privacy or security field read them. You need not hire focus groups—though that is not a bad option either. Be creative. If you or your colleagues have young adults in your family, have them review your policies.
Following the recommendations above should help you draft more understandable privacy policies. Your consumers—and hopefully courts and regulators—will appreciate your efforts in communicating more clearly with them.
Mehmet Munur, CIPP/US, is an attorney at Tsibouris & Associates, LLC; Sarah Branam is the privacy manager for Epsilon, and Matt Mrkobrad, CIPP/US, CIPP/G, is the privacy manager and Bank Secrecy Act officer at Alliance Data.