Privacy Policies: The Good, the Bad and the Witty
Privacy statements are all over the Web, it seems, and they're pretty much universally ignored. That's because the legal tracts that most companies display are the epitome of user-unfriendliness. A few mavericks are trying a different approach, though, with statements that are clear, concise -- and sometimes even entertaining.
Lorrie Thomas does not "sell, share or whore out" the personal information of any visitor who comes to her Lorrie Thomas Web Marketing site -- and she backs up this no-share promise in her privacy statement.
Indeed, the entire document is a straightforward description of what the company will and will not do with personal data. For example, it "collects the domain name (where possible) of visitors to our website, and user-specific information on what pages consumers access or visit. The information we collect is used to improve the content and layout of our website."
Ad Servers? It does not maintain any such relationships.
Furthermore, any contact from the company will be only about the specific information the visitor requested.
The firm's policy over sharing its information -- and with whom -- was the greatest concern among clients, Thomas told CRM Buyer, "so I decided to be as blunt as possible to get my message across."
For anyone who has waded through the typically mind-numbing legalese of the privacy statements that many companies put out, Thomas' version is a breath of fresh air.
Aimed at informing consumers of precisely what will be done with their personal information -- and thus reassuring them -- most privacy documents are weighed down by details. They end up being the very antithesis of consumer-friendly outreach.
That is beginning to change. "Everyone understands that these statements are very difficult for the consumer to read and understand," said Lisa Sotto, partner and head of privacy and information management practice at Hunton & Williams.
With the last few years, there has been a trend among companies to make these notices more comprehensible to the average consumer. Sotto dates this push back to when the Federal Trade Commission offered up guidelines for changing the format of the privacy notices required under the Gramm-Leach-Bliley Act (GLB Act).
In general, the "FTC is very active in this arena," she said, "and its focus includes all companies -- not just the big ones."
A privacy protection division the FTC formed about two years ago is further evidence of the agency's seriousness, she noted.
Privacy statements that invoke the FTC's ire include "notices that don't provide sufficient information about collection and disclosure practices, or security practices, or notices that are in legalese," she said. "It is also critical that companies provide adequate information, and the language is written so that it can be understood by the average reader," she said.
Ironically, there are few laws that actually require businesses to offer their customers a privacy notice. Once a company has published one, however, the FTC's mission is to see that it's honored. Laws on the books that do mandate a privacy notice include the GLB Act (for financial companies), HIPAA (for health providers) and a California law that de facto covers everyone else, as it applies to any company that does business in the state.
Despite this patchwork policy framework, best practices for privacy notices are beginning to gain traction, Sotto said.
One, for instance, calls for the company to pull into a shorter document key provisions and terms, making it easier for consumers to compare privacy notices from company to company.
Another best practice is defining of terms in easy-to-understand language, noted Bart Lazar, a partner with Seyfarth Shaw. That, plus its easy-to-read format is why he likes American Express' privacy notice, he told the E-Commerce Times.
"It is navigable, and it breaks things up into nice chunks and then defines its terms," Lazar said.
The Entertainment Factor
Unfortunately, there is no best practice that calls for a company to entertain its clients via its privacy notice, a la Thomas and, to cite another example, the Kramer Law Firm, which advises readers that it is "not sophisticated enough to automatically collect your personally identifiable information, such as your name, address or email address, hopes, wishes, disappointments, etc... .[but] in those instances when we do collect personally identifiable information ...We'll tell you when we are collecting personally identifiable information about you by asking for it. If we ask for your name, address, phone number, email address, shoe size, etc, you can be sure that that's within the category of "personally identifiable information."
As for security, Kramer's Web site "maintains virtually no more than the most basic safeguards -- i.e., password protected databases and the like -- to ensure the security, integrity and privacy of personally identifiable information submitted to our site.
"If you're uncomfortable with our honesty here, we strongly encourage you to use false data when responding to our requests for your personal information. That way, if that personal information is ever disclosed, you'll rest soundly knowing that nothing of real value has been lost," the statement reads.
The Straightforward Route
Indeed, it is still rare -- despite the examples set by heavy hitters such as Microsoft or Kraft -- to find a privacy notice that merely easy to read.
Many companies do not set out to write complex policies. Oftentimes, they are just woefully misguided about what is required, Joseph E. Campana, author of Privacy MakeOver: The Essential Guide to Best Practices, told CRM Buyer. "I saw one recently that said it was providing a privacy notice because the Freedom of Information Act required companies to do so. When I asked the company where it got that, someone told me that the Web master included that language."
Campana points to his privacy notice as a guide. It includes sections on the information the site collects; how that information is used; whether it is disclosed to others (no, it is not); its security policy and its opt-out provision.
Basically, there are a handful of questions that a good privacy notice will answer, Hunton's Sotto agreed -- and without the use of legalese:
- what information is collected;
- how it is used;
- to whom it is disclosed;
- what security is provided;
- how visitors are notified of changes to the policy; and
- contact information for the company.
Companies get bonus points if they provide users with a way to change information they have already turned over.