1. Do What You Say and Say What You Do
This means that you will need to look at not only how the website currently functions, but also how the website is reasonably expected to operate in the future. If the policy includes any affirmative or negative commitments, then those must be understood and fully incorporated into your company’s operations prior to the launch of the policy.
2. Policy Templates Are Only a Starting Place
3. Never Say Never
Some people may think that absolute terms like “always” and “never” sound friendlier to your customers, but they are also fertile ground for problems. We frequently see policies use absolute terms to express sincerity, as in “of course we would not share your information in a way that you would not appreciate,” instead of as purely factual statements of what the company does or does not do.
It is rare that something is entirely one way or the other, and absolute terms should be used sparingly. When you see absolute terms, it is a good opportunity to ask what exceptions, if any, would make the statement untrue.
Absolutes are also frequently found in internally inconsistent statements included within privacy policies. For example, “We never share your information with third parties, except as provided in this policy.” The policy then goes on to list all of the numerous ways that information is shared with third parties. While grammatically correct, these types of internally inconsistent statements are more likely to confuse the reader than clarify your privacy practices and should be avoided.
4. Finalizing the Policy Is Just the First Step
For example, a website designer may be looking to incentivize website visitors to submit their email addresses to sign up for your company’s newsletter. Under the entry field they might add, “We will never share your email address,” thinking that it is a nice thing to say or that it is consistent with the company’s practices. However, this type of statement is probably inaccurate at the outset because the email addresses are likely shared with a number of third-party service providers that help the company market its products or services.
Statements of this type, added in an ad hoc fashion to a website or tucked into a countertop sign, are also less likely to undergo comprehensive review. Your company’s internal review procedures need to provide, and your business teams need to be trained to make sure, that any statement that implicates the organization’s privacy practices is reviewed and approved in advance. Once imprecise statements have been used, it may be difficult to claw them back without setting aside and treating differently information that was collected while those statements were in place.
So Be Warned
ABOUT THE AUTHOR – Christopher Avery is a practicing privacy and data security attorney who works with companies big and small to elevate their privacy programs and solve their data security challenges. Christopher is also the founder of his own startup, LastLtr.com.