As companies scurry to bring their personal data governance into compliance with the EU General Data Protection Regulation, they would do well to revisit their public-facing privacy statements in light of Articles 12, 13, and 14. While Articles 13 and 14 hold the substantive requirements of an organization’s privacy statement, Article 12 has important but often overlooked qualitative requirements. Namely, Article 12 requires that information provided be

in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

This is by no means new advice; it has been best (and ignored) practice for many years. Former attorney general of California, put out “Making your Privacy Practices Public” in May of 2014 which suggested, among other things,

Others have provided similar advice. See Kinsella Media’s Plain Language Primer for Privacy Policies for more pointers. Also, see Privacy Policies: How to communicate effectively to see the results of an analysis of existing privacy policies at the time and more suggestions. Let’s discuss some of those key requirements from Article 12

GDPR Model Privacy Notice Generator Template

Earlier this year, Professor Dan Solove and I won a challenge from the US Department of Health and Human Safety’s Office of National Coordinator of Health Technology to design a generator to build a privacy notice for health apps based on HHS’ existing model privacy notice, crafted the year before. In taking on this challenge, we were already presented with the text of the notice; we needed only to create a generator tool that would help developers easily generate conforming notices. One of the more striking aspects of the model privacy notice language was that it met many of the criteria above: it was short, well organized, and written at an 8th grade reading level.

After the challenge was over, I immediately saw the opportunity to create a similar tool to generate notices that fulfill the substantive requirements of Articles 13 and 14 AND simultaneously meet the stylistic accessibility demands of Article 12. Writing a SIMPLE privacy notice is no simple task! Hopefully this new tool I’ve created can help more organizations realize the goal of making their privacy notices concise, transparent, intelligible, easily accessible, with clear and plain language.

While I still have many features I’d like to add (support for multiple languages, for instance, and a WP plugin version), I didn’t want companies preparing for GDPR to have to wait any longer. Therefore, I’m pleased to announce the initial version of the policy notice generator tool. While the tool isn’t meant to substitute for competent legal counsel, it is meant to supplement counsel’s efforts to produce notices that meet the requirements under the regulation. You, of course, should always seek the advice of a lawyer in a complex and evolving field such as privacy because your actions and words can affect your legal rights and responsibilities.