Speaking at the Games Developers' Conference in San Francisco yesterday on the panel "Privacy by [Game] Design", I was thrown an interesting question: Does the privacy policy have any place in the
Speaking at the Games Developers' Conference in San Francisco yesterday on the panel "Privacy by [Game] Design", I was thrown an interesting question: Does the privacy policy have any place in the forward-thinking privacy era?
To be sure, privacy policy bashing has become populist stuff in recent years, and the role of the privacy policy is a topic I've heard debated many, many times. The normal conclusion to any discussion around this point is that privacy policies are too long, too complex and simply too unengaging for any individual to want to read them. Originally intended as a fair processing disclosure about what businesses do with individuals' data, critics complain that they have over time become excessively lengthy, defensive, legalistic documents aimed purely to protect businesses from liability. Just-in-time notices, contextual notices, privacy icons, traffic lights, nutrition labels and gamification are the way forward. See, for example, this recent post by Peter Fleischer, Google's Global Privacy Counsel.
This is all fair criticism. But that doesn't mean it's time to write-off privacy policies - we're not talking an either/or situation here. They continue to serve an important role in ensuring organisational accountability. Committing a business to put down, in a single, documented place, precisely what data it collects, what it does with that data, who it shares it with, and what rights individuals have, helps keep it honest. More and more, I find that clients put considerable effort into getting their privacy policies right, carefully checking that the disclosures they make actually map to what they do with data - stimulating conversations with other business stakeholders across product development, marketing, analytics and customer relations functions. The days when lawyers were told "just draft something" are long gone, at least in my experience.
This internal dialogue keeps interested stakeholders informed about one another's data uses and facilitates discussions about good practice that might otherwise be overlooked. If you're going to disclose what you do in an all-encompassing, public-facing document - one that may, at some point, be scoured over by disgruntled customers, journalists, lawyers and regulators - then you want to make sure that what you do is legit in the first place. And, of course, while individuals seldom ever read privacy policies in practice, if they do have a question or a complaint they want to raise, then a well-crafted privacy policy serves (or, at least, should serve) as a comprehensive resource for finding the information they need.
Is a privacy policy the only way to communicate with your consumers what you do with their data? No, of course not. Is it the best way? Absolutely not: in an age of device and platform fragmentation, the most meaningful way is through creative Privacy by Design processes that build a compelling privacy narrative into your products and services. But is the privacy policy still relevant and important? Yes, and long may this remain the case.
To be sure, privacy policy bashing has become populist stuff in recent years, and the role of the privacy policy is a topic I've heard debated many, many times. The normal conclusion to any discussion around this point is that privacy policies are too long, too complex and simply too unengaging for any individual to want to read them. Originally intended as a fair processing disclosure about what businesses do with individuals' data, critics complain that they have over time become excessively lengthy, defensive, legalistic documents aimed purely to protect businesses from liability. Just-in-time notices, contextual notices, privacy icons, traffic lights, nutrition labels and gamification are the way forward. See, for example, this recent post by Peter Fleischer, Google's Global Privacy Counsel.
This is all fair criticism. But that doesn't mean it's time to write-off privacy policies - we're not talking an either/or situation here. They continue to serve an important role in ensuring organisational accountability. Committing a business to put down, in a single, documented place, precisely what data it collects, what it does with that data, who it shares it with, and what rights individuals have, helps keep it honest. More and more, I find that clients put considerable effort into getting their privacy policies right, carefully checking that the disclosures they make actually map to what they do with data - stimulating conversations with other business stakeholders across product development, marketing, analytics and customer relations functions. The days when lawyers were told "just draft something" are long gone, at least in my experience.
This internal dialogue keeps interested stakeholders informed about one another's data uses and facilitates discussions about good practice that might otherwise be overlooked. If you're going to disclose what you do in an all-encompassing, public-facing document - one that may, at some point, be scoured over by disgruntled customers, journalists, lawyers and regulators - then you want to make sure that what you do is legit in the first place. And, of course, while individuals seldom ever read privacy policies in practice, if they do have a question or a complaint they want to raise, then a well-crafted privacy policy serves (or, at least, should serve) as a comprehensive resource for finding the information they need.
Is a privacy policy the only way to communicate with your consumers what you do with their data? No, of course not. Is it the best way? Absolutely not: in an age of device and platform fragmentation, the most meaningful way is through creative Privacy by Design processes that build a compelling privacy narrative into your products and services. But is the privacy policy still relevant and important? Yes, and long may this remain the case.