Hear Ye! Since 1998.
Please note: This post is at least 3 years old. Links may be broken, information may be out of date, and the views expressed in the post may no longer be held.
Mar 11

Brief thoughts on privacy policies

I came to the conclusion a while ago that a privacy policy is not really a legal document. It’s a document that has legal ramifications, yes, but in the same way that anything a business says has legal ramifications. Perhaps I should rephrase my first statement: I don’t think the privacy policy should be perceived as a legal document.

The privacy policy, for the last decade or so, has been the easy way to comply with privacy laws and regulations. It’s one document which checks all the boxes for most privacy requirements out there. All privacy frameworks require some sort of notice to be given to users about privacy practices. Some are explicit that organizations need an actual privacy policy document, but not all of them. The US-EU Safe Harbor Framework, for instance, only says: “An organization must inform individuals about the purposes for which it collects and uses information about them … This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.” (The EC’s FAQ however does mention a privacy policy.)

In Australia, NPP 5 and the proposed replacement UPPs do require a discrete Privacy Policy – but this is in addition to general notification requirements (NPP 1.3, UPP 3).

In the online world, all you really deal with is information, and so figuring out how personal information and other data flows can be an intricate task. It’s tricky enough for people working inside an organization to figure this out (imagine how the privacy people at Facebook feel when all the engineers are working on 101 new features at once and they are trying to keep up with where all the data is going). So, when it comes to communicating all of this to an outsider, you can imagine the difficulty this presents. This is why you end up with privacy policies many thousands of words long. They’re virtually useless in the real world.

For some time now, people have regarded privacy as merely a matter of having a privacy policy and making sure that an organization sticks to it. No longer.

The world is gradually beginning to realize that privacy is actually about helping people to understand what is happening to their information. Not just in theory, but in practice. Just because the information is there, but buried somewhere in that policy, doesn’t mean it’s going to be helping anybody understand anything.

No one reads a privacy policy from top to bottom (with the exception of, in my experience, lawyers, compliance officers, and Germans). But people do read privacy policies to find out specific things. Are you going to sell my data if I give it to you? Do I own my data? Will you still keep my profile if I decide to delete my account? Unfortunately, this information can be pretty hard to locate – you almost need an FAQ for the privacy policy.

So now we see the gradual introduction of condensed privacy policies, layered privacy policies, and more interestingly “just in time” privacy notices. For example, when you have an iPhone App that wants to grab your location, you get a popup asking if you want to disclose it. The thing is, people only care about certain things, and most of the time it’s obvious.

When I install a Facebook App, my most immediate concern is: is it going to post stuff on my wall without asking me first? And then, what profile information is it going to grab from me? Facebook’s JIT notice doesn’t do a very good job of answering these two questions.

If you use Foursquare, your main concern is: exactly who is going to have access to my location information and how can they use it? And then, if I decide to leave after I try your service for a day, will you delete all my data?

Of course, there’s a tension between what the business guys think will increase conversion rates, and what’s good privacy practice, but that’s another topic for another day.

Anyhow, that brings me back to the privacy policy. Obviously it’s not working, but yet it’s kind of necessary. If the way a business handles information is complicated, there’s no possible way you can explain it in a single screen. So, what to do?

You have to get away from the idea that the privacy policy is a legal document. It’s a help document. It should be accessible.

Why don’t more privacy policies have pictures? Videos? Interactivity? Why aren’t they structured in a way that makes it easy for people to zero in on what’s really important to them?

Instead of burying the important stuff, bury the boilerplate – the stuff everyone already expects (e.g., everyone tracks visitors using web bugs, this is not a surprise to most users). Answer the customer’s most burning questions clearly and you’ll implicitly be conveying that you acknowledge what the customer really cares about. That sounds trust-building to me. If your privacy practices, when disclosed upfront, turn a customer off – then imagine how they will feel if they sign up, use your service, and then find out about it later?

  9:19pm  •  Law