Perfunctory note that I’m not a lawyer…
Privacy policies are hard to make. This site has one I’m not thrilled with.
I’ve recently tried to help a number of my clients write one or improve an existing document. It has led me to conclude that they are uniquely tricky documents to produce, especially for small organizations.
- Privacy policies have to be specific about legal, technical, and business practices. They have to account for an organization’s IT, back-office procedures, and other technology choices: the hosting provider, analytics scripts, contact-form plugins, email marketing services, and third-party embeds all collect something, and the policy has to say so.
- Privacy policies sit between several organizational roles (legal, IT, marketing, operations). That makes them especially tricky because no one person involved has all the necessary knowledge.
- Much like a good accessibility statement, privacy policies aren’t fixed documents. They need to be kept up to date as tools and practices change, and new staff have to be onboarded so that they are aware of the policy and follow what it says.
So, in my experience, especially with small organizations, privacy policies end up being nobody’s job because they touch everyone’s job. The result is crappy privacy policies at best and no privacy policy 90% of the time.
Back to the Basics
How can we make this better? Let’s get back to focusing on the fundamental reasons why privacy policies are important in the first place. A privacy policy exists so website visitors know what information about them is collected, how it’s collected, what it’s used for, who it is shared with, and how to opt out.
At least for right now, perfect is the enemy of good enough. We need to at least try, do our best, and keep improving our practices as we go.
Where’s My Template?
Because privacy policies are specific to the technologies you use and how you use them, it’s practically impossible to write an accurate template that one can use off the shelf.
The best privacy policy templates I have seen are still little more than fleshed-out outlines. Honestly, I think the wordier templates give people the incorrect impression that the document is mostly finished and all one has to do is fill in the blanks, rather than describe their actual practices at length.
WordPress’s Privacy Policy guide, added in WordPress 4.9.6 (May 2018), is actually pretty good, but it is long and incomplete. You can find it by going to Settings > Privacy and clicking the “Check Out Our Guide” link. In theory, WordPress generates suggested text that plugins can add sections to, depending on what they do. However, not every plugin has been updated to register its information, so a plugin that collects data may show up nowhere in the guide.
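To make the plugin side of that concrete, here is an added example, not code from the post and not any real plugin’s code, of how a plugin registers suggested text for the guide. The `wp_add_privacy_policy_content()` function and the `admin_init` hook are WordPress’s own API (4.9.6 and later); the plugin name, text domain, and the data practices described in the text are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Newsletter Signup (hypothetical)
 *
 * Added example: a plugin tells WordPress what it collects so the site owner
 * sees a suggested section under Settings > Privacy > guide.
 * wp_add_privacy_policy_content() is the real WordPress API; the plugin,
 * its text domain, and the described practices are invented for illustration.
 */

// WordPress expects the suggested text to be registered on admin_init.
add_action( 'admin_init', 'example_newsletter_register_privacy_policy_content' );

function example_newsletter_register_privacy_policy_content() {
    // On WordPress older than 4.9.6 the function does not exist; degrade
    // quietly instead of producing a fatal error on the admin screens.
    if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) {
        return;
    }

    // The "privacy-policy-tutorial" class marks guidance for the site owner
    // (shown in the guide, meant to be removed before publishing).
    $content = '<p class="privacy-policy-tutorial">'
        . __( 'Suggested text. Edit it so that it matches what this site actually does: where subscriber data is stored, who can see it, and how long it is kept.', 'example-newsletter' )
        . '</p>'
        . '<p>'
        . __( 'When you subscribe to our newsletter, we store the email address you submit, the time you submitted it, and the IP address the request came from. We use this to send you the newsletter and to investigate abuse of the signup form. You can unsubscribe at any time using the link in every email, after which your address is removed from the list.', 'example-newsletter' )
        . '</p>';

    wp_add_privacy_policy_content(
        __( 'Example Newsletter Signup', 'example-newsletter' ),
        wp_kses_post( $content )
    );
}
```

The suggested text only ever lands in the guide; the site owner still has to copy it into the published policy and edit it to match how the plugin is actually configured. That is also why a plugin that has never been updated to register anything leaves a silent gap: nothing in the guide hints that it collects data at all.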
Get Started
The best time to have a privacy policy is yesterday, but the second best time is today. So head into your WordPress site to take a look at that template, and see if you can get something up to be transparent with your visitors as soon as you can.
My problem with privacy policies is that I never read them. My bad, I know, but life is short. [I did open yours — but still couldn’t force myself to read it with any critical eye.]
As a result, I’ve little motivation to actually write them.
What I’d like to see is something like Charity Navigator for privacy policies — a web badge that would say “This site is good/bad/indifferent as far as what it does with the data it collects from you.” Does that make any sense? Is it impossible on its face?
If I could submit a privacy policy to an external entity that would do some sort of check that I wasn’t flat out lying, maybe it’d make more sense.
Anyway, thanks for raising the issue — I’ve been thinking about it since your Aug 28 post (for some reason this article hit my email inbox just today). Thanks, in general, for your wisdom and service to the community.
Nancy, thanks for your thoughtful comment. You’re certainly right that most people are not going to read privacy policies. Based on your comment, I’m now experimenting with a brief summary at the top of mine that is hopefully easier to read.
Ideally, we’ll live in a world where people don’t need to read privacy policies, but I think that in order to get to that place, organizations must actively take on crafting policies so that they themselves consider their practices.
The idea of a privacy policy vetting organization is interesting, though it seems daunting for the reasons I mentioned in the post: Every organization is different and every person with access to the data must abide by the stated procedures. For instance, I can’t tell you how many times I’ve sat in meetings where someone suggests taking a cache of emails from one place and adding them to a new newsletter without asking permission. That type of stuff is _more_ important than the policy itself, but I think the policy is one component of building a culture that prevents those types of things from happening.