Privacy Policies Best Practices

Here at Forrester I get a number of questions about how companies should write their privacy policies and I wanted to share some of the top tips with you. You have probably come across some illegible privacy policies if you've ever stopped to read them. They are pages and pages long and finding the information you actually want is difficult if not impossible. So how should you write your privacy policy?

  1. The main privacy policy should be very short. Ideally, the high level policy should fit on a single Web page. Check out Proctor & Gamble for a great example. It should consist of an overview of the information and lots of links to more detailed information should the customer want it. If the policy must fit on a single Web page, the top should have an outline and links to later sections.
  2. The policy needs to define it's scope upfront. Which Web sites does the policy apply to? Or more importantly which ones does it not apply to?
  3. The policy needs to be comprehensible to the everyday person. Far too many privacy policies have been written by corporate lawyers using terms that most regular people will not understand. Think of your mother or your brother or your child, could they read and understand it? If you need an example of what not to do, look at your bank. Most banks sites are atrocious. Using high-level principles to explain your policy often makes it easier to understand. Take a look at a rare financial example with ING Direct. Often times this requires that your privacy practices be very conservative about sharing data.
  4. When explaining the customer's options, provide a link or information on how to exercise those options in the same place. If you give the consumer a choice about how their information is used, point them in the direction of how to tell you about their choice. If customers who want to opt-out can't figure out how, you've now aggravated a potential customer who might then walk away.

Following these ideas can be easier said than done. How can you tell if you've met some of the above goals? Have someone else review the policy pretending to be a potential customer, such as a parent wanting to grant permission for their child to use your site, or to deny it; a customer who wants to know what information you collect or prevent you from sharing it with your affiliates.

Categories: