Keep GDPR privacy policies short and simple

Michael Gentle
The Balance of Privacy
3 min read · Oct 28, 2018

Otherwise, few people will bother to read them

If your privacy policy looks like the one in the image above, then you’ve got a problem. The dense, unstructured wall-to-wall text requires you to scroll through the whole document to find what you’re looking for. Which few people will do, of course.

Why most people don’t read privacy policies

Some people might go through your privacy policy line by line, but most won’t. There are two reasons for this.

The first is that we live in an age of information overload, and simply don’t have the time. We therefore scan, and if the point is not immediately clear, we move on. This is true for all business writing, which is generally poorly written and struggles to get to the point.

The second reason is that policies are lengthy legal documents written by lawyers. Their objective is not to inform through short, clear language, but to protect through detailed legal language. That’s why, when faced with privacy policies on websites, we just click and accept, and hope for the best. After all, most of the time, it’s just legal boilerplate anyway.

GDPR’s transparency guidelines are poorly applied

GDPR requires communications to data subjects to be “concise, transparent, intelligible and easily accessible.”

Article 29 Working Party guidelines say that “the concept of transparency in the GDPR is user-centric rather than legalistic”, and that “the quality, accessibility and comprehensibility of the information is as important as the actual content.”

This means that information should be presented “efficiently and succinctly in order to avoid information fatigue”, so that people can “immediately access rather than having to scroll through large amounts of text searching for particular issues.”

In practice, however, these guidelines are rarely applied.

Three steps to clear privacy policies

There are three simple steps you can apply to improve your privacy policies:

1. Structure or layer them so that the following questions are clearly visible in large font:
  • What data do we need?
  • Why do we need it?
  • How do we use it?
  • How long do we keep it?
  • What are your rights?

2. For each question, summarise the essentials in 6–8 lines maximum, with a link to the full privacy policy.

3. Use the writing guidelines in this 10-page booklet called Get to the Point!, which you can download free from this business-writing website (no email required).

Lawyers should not be writing privacy policies

You wouldn’t want a layperson writing a contract, because they don’t have the legal skills. Similarly, you wouldn’t want a lawyer writing a privacy policy for GDPR, because they don’t have the communications skills.

The main objective of a privacy policy is to inform; its main criterion is clarity. It should therefore be written by a communications specialist, and then reviewed by a lawyer. And if it is written by a lawyer, it should be edited by a communications specialist.

Examples of good privacy policies

Here are a few examples of companies that have got it right:

In conclusion, transparency as required by GDPR requires a change in mindset from “this policy must be legally watertight” to “it must be easy to understand by a layperson”. After all, nobody has ever complained that a privacy policy was too easy to understand.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva.

Further Reading

Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (revised April 2018)

GDPR: How to create best practice privacy notices (with examples)

Five common myths about business writing
