While privacy policies have a reputation as verbose multi-page documents crawling with legalese that the common user has neither the legal degree nor patience to digest, they're changing.
A couple of years ago, the EU enacted the General Data Protection Regulation (GDPR), which is seen as the gold standard in privacy law globally. And then the rest of the world started to follow suit. Since the EU GDPR passed, countries including Brazil, China, India and Canada have passed or are in the process of passing similar privacy laws.
Those legislative changes, combined with a heightened consumer awareness of data privacy risks based on news-making breaches, have put the heat on companies to exemplify strong data privacy programs.
While the GDPR requires companies collecting data to publish privacy policies, in the U.S., they're mandated by state and local regulations, sometimes industry-specific, given that the country still doesn't have a federal privacy law.
It comes down to this: Do what you say, and say what you do.
But here's a little more detail on how to do that.
Dennis Dayman, chief privacy officer at Maropost, a cloud-based marketing platform, has been helping companies on their data privacy for 25 years. He's written his fair share of privacy policies and read far more of them.
"That's probably the biggest thing I run into these days is people trying to try and copy and paste policies as their own," Dayman said. "They just say, 'I'm gonna grab this as a beginning template.’ But it doesn't necessarily have the same data collection practices as the company they copied it from."
It's especially dangerous when companies falsely claim within their privacy policies they're certified under Privacy Shield, a data-transfer mechanism with strict requirements and enforced by the Federal Trade Commission. This month, the FTC settled with five companies who falsely claimed self-certification under Privacy Shield. Some of these cases might have been the result of "borrowing" another company's policy language rather than an outright intent to falsify their certification status.
It's important to know your specific data collection practices before publishing a policy designed to articulate what you do with customer data.
Catherine Dawson, a privacy attorney who's (full disclosure) now Osano's general counsel, said she often sees the same misstep.
That can be difficult, but Dayman thinks about it simply.
"I always talk about applying the grandmother test," Dayman said. "I come from the digital marketing side of things when it comes to use of data. "Would you do this to your grandmother? Would you collect this data and use it the way you want to on your grandmother? Privacy has to be as hyper transparent for your grandmother to use as well. You've got to be very careful in drafting that."
To ensure the text is accessible to the average person, Dayman recommends pulling people from inside your building — building being a metaphor in these times of COVID — and asking them to read the policy. Does it make sense to them? Is it filled with legal and technical jargon that only a lawyer could understand?
Dayman recommends keeping it simple. If you're using words like "jurisdiction" or "precedence," you might be taking the wrong approach.
"Those are really nice words to use from a legal perspective, but find other ways to say that if you can," he said.
Dawson agreed, but said there's a reason people fall back to legal jargon sometimes, especially if the company relies heavily on third-party data and vendors.
"It can be hard for people to articulate clearly how their data is shared with third parties," Dawson said. "It's not that folks are trying to hide the ball, but more that the online advertising ecosystem is complex. It can be challenging to describe accurately and clearly how the data you collect flows through that ecosystem and how it is combined with other data."
Dayman said it's best to take a "top-down" mentality. Aim to get buy-in from your CEO and the board, if possible. "Getting buy-in from the executive and those who make decisions about the company is highly important," he said.
But it's also important to pull in various business groups who might not seem obvious. The IT team, the engineering team and even the sales team all touch and use customer data at some point, so it makes sense that they would at best provide input on the policy or at least review a draft to ensure what's being conveyed about company practices maps to how their department uses data.
"You don't always know what the engineering team is doing with the data. Sometimes they have to use data to test systems, and you have to figure out whether you have to make a statement (about that in your policy)," Dayman said.
The bottom line, said Dawson, is to roll up your sleeves and fully understand all of your company’s data practices. If you get the fundamentals wrong, your policy will fall short. Be as straightforward as you can in your descriptions of those practices and then ensure the rest of the organization doesn’t deviate from those descriptions.