Perfunctory note that I’m not a lawyer…
Privacy policies are hard to make. This site has one I’m not thrilled with.
I’ve recently tried to help a number of my clients with making one or improving an existing document. It’s led me to realize that I think they are uniquely tricky documents to make, especially for small organizations.
- Privacy policies have to be specific about legal, technical, and business practices. They have to account for an organization’s IT, back office procedures, and other technology choices.
- Privacy policies sit in between a bunch of organizational roles. That makes it especially tricky because any one person involved won’t have all the necessary knowledge.
- Much like a good accessibility statement, privacy policies aren’t fixed documents. They need to be kept up to date, and new staff have to be onboarded to make sure they are aware of them and follow what they say.
So in my experience, especially with small organizations, privacy policies end up being nobody’s job because they involve everyone’s job. And therefore, we get crappy privacy policies at best and no privacy policies 90% of the time.
Back to the Basics
At least for right now, it feels like great is the enemy of the good enough. We need to at least try, do our best, and continue to improve our practices as we go.
Where’s My Template?
Because privacy policies are specific to the technologies you use and how you use them, it’s basically impossible to write an accurate template that one can use off the shelf.
2 thoughts on “Making privacy policies is no one’s job”
My problem with privacy policies is that I never read them. My bad, I know, but life is short. [I did open yours — but still couldn’t force myself to read it with any critical eye.]
As a result, I’ve little motivation to actually write them.
What I’d like to see is something like Charity Navigator for privacy policies — a web badge that would say “This site is good/bad/indifferent as far as what it does with the data it collects from you.” Does that make any sense? Is it impossible on its face?
Anyway, thanks for raising the issue — I’ve been thinking about it since your Aug 28 post (for some reason this article hit my email inbox just today). Thanks, in general, for your wisdom and service to the community.
Nancy, thanks for your thoughtful comment. You’re certainly right that most people are not going to read privacy policies. Based on your comment, I’m now experimenting with a brief summary at the top of mine that is hopefully easier to read.
Ideally, we’ll live in a world where people don’t need to read privacy policies, but I think that in order to get to that place, organizations must actively take on crafting policies so that they themselves consider their practices.