The answer: between 181 and 304 hours with an average loss of $5,038 in productivity.
But, if you are conscious of the current privacy climate, you do want your customers to read it. For the sake of transparency (and the avoidance of frivolous lawsuits), ethical businesses don't just produce Privacy Policies - they also produce documents real people can read.
At the same time, it doesn't (always) replace the extended policy. Instead, it's a jumping-off point to provide the essential information and inform anyone who might then go on to read the whole thing.
Research shows that brief, well-written Privacy Policies benefit user awareness among almost all consumers.
A short policy isn't an excuse to spend less time and money on your policy. Rather, you choose the right words to describe the key components of your policy to summarize it concisely but still accurately.
- The types of data collected
- How the data is collected
- Where and how the data is stored
- Whether the data is shared with any other parties
All these clauses need to directly reflect your data practices.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
The best way to illustrate this is with an example:
Dropbox, the file sharing service, includes a Digital Millennium Copyright Act policy in its agreements because Dropbox allows users to upload, store, and share information using its service.
Because it allows users to upload property, it runs the risk of users uploading and using intellectual property that doesn't belong to them. Dropbox must then use a DMCA policy to uphold its responsibility to protect copyright holders and avoid liability if and when its users upload media that doesn't belong to them.
Dropbox's DMCA policy notifies users of its intent to uphold the DMCA and provides infringed parties a process for notifying Dropbox of potential infringements.
Short Privacy Policies don't just impact entire clauses that only apply to specific businesses. Functionality also plays a key role in those CalOPPA- and GDPR-mandated clauses, like what data you collect and how you collect it.
Facebook's policy starts by listing all the data it collects in a clause titled "What kinds of information do we collect?" The full list includes but is not limited to:
- Information and content provided by users including metadata
- Network and connection data (i.e., people, accounts, hashtags, and groups connected to users' accounts)
- Data uploaded, synced, or imported from a device
- Usage data (types of content viewed, features used, actions taken, accounts interacted with, Facebook camera data)
- Information about transactions (game purchases, donations, etc.)
- Things other users do in relation to your profile (others' comments on a photo of you, messages, and contact information)
- Device information (device attributes, device operations, identifiers, device signals, data from device settings, network connections, and cookie data)
- Information from partners about users' off-Facebook activity (whether or not the user has a Facebook account)
As expected, Facebook collects a huge amount of data - more than the average business - because it collects data both from users' time on the site or app and from their time away from it.
Can your business use one? It depends on whether your current policy can be satisfactorily condensed without skipping out on essential clauses.
In addition to paying attention to the length, keep an eye on the way the language changes. Short examples tend to use vocabulary the average user can understand and leave the legal jargon to the extended version.
This is clear, transparent, and written in language that's easy to understand, with no legalese. Rudd Studio's link to the third party's policy really boosts transparency and shows that the company truly cares about privacy and its users.
The short form policy is only two pages long, and it includes the basics:
You can see that this clause doesn't describe exactly what data is collected. Rather, Cirencester Friendly keeps it general here and then goes into greater depth and detail in the long form policy.
Here's the relevant section from the long form version:
The long form policy describes the specific type of data collected by the group rather than who provides the data.
This puts the reader on notice that if they're concerned about having their information shared, they should check out the full version policy to find out more, which they will find in this clause:
The short policy works well because it is informative without being wordy or jargon-heavy, and it gives readers just enough of the important information they need to know.
Interestingly enough, both versions are very, very short. Here they are in full, displayed next to one another:
Both versions carefully explain:
- What data is collected
- How the data is used
- Whether and how the data is shared
The short one is written in slightly simpler language and doesn't give as many specific details. However, due to the placement here, a reader can easily jump over to the long version if something in the short version makes him want to learn more about a point.
Brevity is an important quality, but so is framing and language.
As a result, you need to ensure that you include sensitive and important information in any policy and disclose it in language the reader can understand.