As companies scurry to bring their personal data governance into compliance with the EU General Data Protection Regulation, they would do well to revisit their public-facing privacy statements in light of Articles 12, 13, and 14. While Articles 13 and 14 hold the substantive requirements of an organization’s privacy statement, Article 12 has important but often overlooked qualitative requirements. Namely, Article 12 requires that information provided be
“in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
This is by no means new advice and has been a best (and ignored) practice for many years. Former attorney general of California, put out “Making your Privacy Practices Public” in May of 2014 which suggested, among other things,
Others have provided similar advice. See Kinsella Media’s Plain Language Primer for Privacy Policies for more pointers. Also, see Privacy Policies: How to communicate effectively for the results of an analysis of existing privacy policies at the time and more suggestions. Let’s discuss some of those key requirements from Article 12:
- Concise
Despite intentions, perhaps, to be concise, most privacy notices are far from it. The 2014 study referenced above found the average privacy notice to be 1660 words long, with the longest at 7718 words. This has contributed to the “bandwidth problem,” making it impossible for individuals to read every privacy notice of every product or service they use. The average reader reads 250 words per minute and spends an average of 47 seconds on a web page. I leave the math for you to figure out how many words the average reader would get through.
TIP: Strive for a privacy notice of a few hundred words, using short sentences and clear organization.
- Transparent
This isn’t a question of making your notice see-through, but rather of being open and honest about what you’re doing, how you’re doing it, why you’re doing it, etc. While unintentional obfuscation can occur through the use of technical or legal jargon (and is addressed by the other requirements in this list), intentional obfuscation demonstrates a lack of candor. Say what you do and do what you say.
TIP: Be candid. Candor builds trust with consumers. Don’t hide information or use ambiguous terms.
- Intelligible and easily accessible form
Despite most privacy notices still being lengthy, many companies are applying a layered approach that helps individuals navigate to the information they need. Densely worded notices without headers or navigational cues, difficult-to-read fonts, a lack of languages understandable by the reader, and burying the notice all contribute to making the notice unintelligible and inaccessible.
TIP: Use a layered approach so consumers can easily find information. Use clear fonts with good contrast. Make your privacy notice easy to find. Use icons where appropriate, but also include text descriptions for screen readers and try to meet Web Content Accessibility Guidelines.
- Clear and plain language
“The majority of privacy policies in the study do not follow accepted standards for effectively written communications. Most use complicated legal words and phrases that consumers are not likely to understand.” – Privacy Policies: How to communicate effectively. Despite years of regulators pushing for simplified language, privacy notices are generally not written for the comprehension level of the average consumer. In the U.S., the average adult reads at a 10th grade level, yet most privacy policies require a postsecondary level of education to understand.
TIP: Run your notice through a readability scoring system. You should strive for an 8th grade reading level, though 10th grade can be acceptable. Microsoft Word has one built in, or you can use an online tool.
Earlier this year, Professor Dan Solove and I won a challenge from the US Department of Health and Human Safety’s Office of National Coordinator of Health Technology to design a generator to build a privacy notice for health apps based on HHS’ existing model privacy notice, crafted the year before. In taking on this challenge, we were already presented with the text of the notice; we needed only to create a generator tool that would help developers easily generate conforming notices. One of the more striking aspects of the model privacy notice language was that it met many of the criteria above: it was short, well organized, and it was at an 8th grade reading level.
After the challenge was over, I immediately saw the opportunity to create a similar tool to generate notices that fulfill the substantive requirements of Articles 13 and 14 AND simultaneously meet the stylistic accessibility demands of Article 12. Writing a SIMPLE privacy notice is no simple task! Hopefully this new tool I’ve created can help more organizations realize the goal of making their privacy notices concise, transparent, intelligible, easily accessible, with clear and plain language.
While I still have many features I’d like to add (supporting multiple languages, for instance, or a WP plugin version), I didn’t want companies preparing for GDPR to have to wait any longer. Therefore, I’m pleased to announce the initial version of the policy notice generator tool. While the tool isn’t meant to substitute for competent legal counsel, it is meant to supplement counsel’s efforts to produce notices that meet the requirements under the regulation. You, of course, should always seek the advice of a lawyer in a complex and evolving field such as privacy because your actions and words can affect your legal rights and responsibilities.