4 Steps to an Honest and Lovable Privacy Policy

Rita Personal Data
Feb 24, 2021


Every company has a privacy policy, but how many are actually read? In the EU, only 18% of visitors read privacy policies in full. This problem is consistent across industries. Although privacy concerns are on the rise and awareness of data collection practices is increasing, many people are still reluctant to really read privacy policies.

We at Rita are always thinking about our users’ privacy. We find it essential for users to know what they are getting into when interacting with a company. Giving our users a clear understanding of data collection practices lies at the heart of Rita’s mission and is the underlying goal of many of our features.

The Goal:

Make a privacy policy that people enjoy reading and understand.

Challenges:

Two tensions that companies face when setting up a privacy policy need to be clarified first.

Some companies don’t want people to read it.

Many companies want nothing more than for people to simply ignore their policy. No company wants customers to leave their website or app because they don’t trust them. If a company thinks customers will object to its data practices, it is incentivized to make the privacy policy unclear, hard to read and hard to find.

We believe the solution to this issue is to build systems that are truly private by design. If a company keeps its users’ privacy in mind while building the technology, it will have nothing to hide in the privacy policy.

Transparency vs Understandability

If a company decides to be honest about its data practices, as companies increasingly are, it faces the following tension: how transparent should we be versus how understandable?

Using personal data usually involves technical processes within a legal framework. Both fields are full of jargon, which makes it easy for the reader of a policy to get lost. In many cases, the more transparent a policy is, the harder it is for a non-technical reader to understand.

Every privacy policy faces this tension, but it can be mitigated in two ways: understanding the reader, and providing a clear overview in addition to an in-depth version.

Our Approach:

Step 1: Review industry standards and literature

To start this project, our team reviewed industry standards such as those described in the GDPR and followed suggestions from academic work. However, we soon found that blindly following standards was inappropriate for us. Every company has different practices and a different audience. Additionally, most industry standards lack contextual suggestions.

The template provided by https://gdpr.eu/ became our structural starting point.

Step 2: Look at good and bad examples

Next, we looked at existing privacy policies to better understand what some do so well and where others fail. Some notably successful examples were:

Less notable examples were found among data brokers and other data-driven companies out of the public eye.

From reviewing over 35 examples, our 3 key takeaways were:

  • Work with expandable elements
  • Reader questions as subtitles
  • Focus on user-friendly transparency

Step 3: Consult multiple perspectives: legal and technological

Following this review, we consulted 6 legal experts working on and researching the intersection between the GDPR and technology. It was interesting to see the discrepancies in their suggestions. Some spoke about a lack of contextualisation and simplicity, while others told us that important legal framing and elements were missing. Again, the tension between transparency and understandability was clearly perceivable.

Step 4: Ask for community feedback

Our community means everything to us. That’s why this was such an important step in the process. We worked through 4 iterations of the privacy policy, each of which was reviewed by members of the Rita community. The first round of feedback was provided through a panel of 6 active members. Follow-ups took place on Telegram in individual messages.

A challenge at first was meeting the needs of our diverse user group, as Rita has attracted a wide range of individuals from many backgrounds. Still, some interesting points came out:

  • Not using “Privacy policy” as a title
  • Use illustrations
  • Understandable in 1min
  • Concise overview but provide more depth if one is curious
  • Transparency on the revenue model

Our results:

Inspired by our community feedback, we’ve worked out a summary consisting of the most important elements in a presentable format. Additionally, users can click on “Learn more” if they want more detail.

We view the optimization of our policy as an ongoing process. We’d like to ask every reader to review our work and give us feedback on anything you would improve.

Here is the full version of Rita’s Privacy Policy:

Anyone can comment in the file, please let us know if there is any way we can improve!

Conclusion:

For many entrepreneurs, setting up a privacy policy can be painful. However, don’t fall into the trap of copying industry standards, because the majority of companies aren’t doing it perfectly. Be honest and transparent, and ask your community for feedback. Nobody can build a “perfect” privacy policy, but let’s collectively aim for improvements.

Rita Personal Data Team
