We looked into the global study of privacy policies carried out by 19 privacy regulators, covering over 2,000 websites around the world. The key findings of the report are:
- Privacy policies need to be carefully considered. They are a customer interaction, so organisations need to consider the tone and style of the policy as well as setting out in clear language what data is being collected, how it is being used, who it is being shared with and where it is being processed (now and in the future). From experience, this balancing act is incredibly difficult to achieve in practice, but the key finding of the report is that the policy must be tailored to the site and written in a way that users of the site will easily understand.
- The UK regulator focussed on 250 of the country's larger websites. Most of these had privacy policies, but the weaknesses were around clarity on the period of time for which data would be held and on whether data would be transferred internationally. From experience, policies are often weak in these areas because the person drafting the policy needs input from every part of the business which processes personal data or allows it to be hosted by a third party supplier (so IT and sourcing teams are key, but HR and marketing also need to be involved, as a minimum). There is also a dependency on the organisation having a systematic approach to information retention and destruction, and we know this isn't straightforward in practice.
- The recommendations of the report aren't surprising: use plain language, break up the information in the policy (headings, short paragraphs, FAQs etc.) and tailor the policies which are used for mobile apps and sites. Again, this is really challenging in practice and needs careful and creative thought, as you'll be dealing with small screens and incredibly powerful data feeds when apps and sites are accessed through smartphones. Again, our experience is that many organisations are using their existing core privacy policies for apps and mobile sites (often with a hyperlink to the policy), and this doesn't work in practice!