These days, I find it very difficult to see the point of overly legalistic privacy policies normally hidden behind a tiny link at the bottom of a webpage. Apart from the fact that I am on a permanent plain language mission, my obsession with privacy policies is also fuelled by the notification requirements in section 18 of the Protection of Personal Information Act.
First things first, I don’t like calling them privacy policies. It is confusing, because most people associate the word ‘policy’ with internal policies. We prefer calling them privacy notices.
POPI does not provide much direct guidance on the content of privacy notices. POPI requires that people (whether they are website visitors, customers, employees or suppliers) must be informed about what personal information is being collected, what it is used for, who the information is shared with, etc. The traditional way of providing this information is through a privacy notice at the point of collection (typically a website or a form).
But it would be a mistake to think that POPI is the only reason to inform people about information processing activities. Transparency breeds trust. Trust in turn ensures that people are willing to provide comprehensive and correct information.
POPI will occasion a rethink of the way in which privacy policies are written. Luckily we are not the first and we are not alone. The UK’s Information Commissioner’s Office has issued a code of practice on privacy notices which is an incredibly good place to start and provides examples of good (and bad) privacy notices. Bearing in mind that POPI resembles the UK Data Protection Act, 1998, this may prove to be a valuable source moving forward.
As sad as this may seem, I have a favourite privacy notice: LinkedIn. Not because there is anything special about the content, but because it employs multimedia and graphic design elements (in a legal document – who would have thought!) and is really reader-focused. Making use of a pop-up in order to communicate that there has been a change in the policy on a particular date is also something which South African companies (who will all have to change their policies) may want to copy.
One could probably write a book on tips for new privacy policies. Oh wait, we did. Here are some free tips:
- It must be in plain language and it must be prominent.
- If you need to get consent for something, don’t do it in the policy. That should be done while you collect the information. Always remember, consent is hardly ever required and you should not ask for it if you don’t need it. The idea that consent is always required is one of the most enduring myths created by some of my less-learned ‘colleagues’. If you do need consent for something (for instance direct marketing, which in many cases will require it), keep in mind that valid consent in terms of POPI must be a ‘voluntary, specific and informed expression of will’.
Above all, if it is simple, keep it simple. Our own privacy notice is a good example of this.