Do Privacy Policies Matter?

Every business that collects personal data uses, or should use, a privacy policy. So, if you use privacy policies, or should be using them, you'll want to know what the global regulators' findings are on privacy policies.

We looked into the global study of privacy policies carried out by 19 privacy regulators, which covered over 2,000 websites around the world. The key findings of the report are:

  • Over 20% of sites studied had no privacy policy at all - this is really worrying, not just from a privacy perspective but also as a matter of common-sense business practice: if you don't tell your customers how you're going to use the data which you collect about them, don't be surprised when complaints come rolling in at a later date and you find your business constrained as it grows. A little investment in your privacy policy now can save a whole lot of time and expense down the line.
  • Over 33% of those sites that had a privacy policy had managed to make it difficult to read, and the policies weren't tailored to the website - so, asking your lawyer for a 'standard' privacy policy or copying and pasting policies from other sites doesn't work (as well as running the risk of infringing somebody else's IP)!
  • Privacy policies need to be carefully considered - they're a customer interaction, so organisations need to consider the tone and style of the policy as well as setting out in clear language what data is being collected, how it is being used, who it is being shared with and where it is being processed (now and in the future).  From experience, this balancing act is incredibly difficult to achieve in practice, but the key finding from the report is that the policy must be tailored to the site and clearly written in a way that users of the site will easily understand.
  • The UK regulator focussed on 250 of the country's larger websites - most of these had privacy policies, but the weaknesses were around clarity as to the period of time for which data would be held and whether data would be transferred internationally. From experience, policies are often weak in these areas because the person drafting the policy needs input from every part of the business which processes personal data or allows it to be hosted by a third-party supplier (so, IT and sourcing teams are key but HR and marketing also need to be involved, as a minimum). There is also a dependency on the organisation having a systematic approach to information retention and destruction (and we know this isn't straightforward in practice).
  • The recommendations of the report aren't surprising - use plain language, break up the information in the policy (headings, short paragraphs, FAQs etc.) and tailor the policies which are used for mobile apps and sites. Again, this is really challenging in practice and needs careful and creative thought, as you'll be dealing with small screens and incredibly powerful data feeds when apps and sites are accessed through smartphones. Our experience is that many organisations are using their existing core privacy policies for apps and mobile sites (often with a hyperlink to the policy) - this doesn't work in practice!

In the wake of the high-profile issues around Google's privacy policy (and others), the global regulatory focus on privacy policies and the increasingly powerful amount of data which is being driven from websites and apps, privacy policies matter!

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.