The answer: between 181 and 304 hours with an average loss of $5,038 in productivity.
But, if you are conscious of the current privacy climate, you do want your customers to read it. For the sake of transparency (and the avoidance of frivolous lawsuits), ethical businesses don't just produce Privacy Policies - they also produce documents real people can read.
At the same time, it doesn't (always) replace the extended policy. Instead, it's a jumping-off point to provide the essential information and inform anyone who might then go on to read the whole thing.
Research shows that brief, well-written Privacy Policies benefit user awareness among almost all consumers.
A short policy isn't an excuse to spend less time and money on your policy. Rather, you choose the right words to describe the key components of your policy so that the summary is concise but still accurate.
- The types of data collected
- How the data is collected
- Where and how the data is stored
- Whether the data is shared with any other parties
All these clauses need to directly reflect your data practices.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
The best way to illustrate this is with an example:
Dropbox, the file sharing service, includes a Digital Millennium Copyright Act policy in its agreements because Dropbox allows users to upload, store, and share information using its service.
Because it allows users to upload property, it runs the risk of users uploading and using intellectual property that doesn't belong to them. Dropbox must then use a DMCA policy to uphold its responsibility to protect copyright holders and avoid liability if and when its users upload media that doesn't belong to them.
Dropbox's DMCA policy notifies users of its intent to uphold the DMCA and provides infringed parties a process for notifying Dropbox of potential infringements.
Short Privacy Policies don't just impact entire clauses that only apply to specific businesses. Functionality also plays a key role in those CalOPPA- and GDPR-mandated clauses, such as what data you collect and how you collect it.
Facebook's policy starts by listing all the data it collects in a clause titled "What kinds of information do we collect?" The full list includes but is not limited to:
- Information and content provided by users including metadata
- Network and connection data (i.e., people, accounts, hashtags, and groups connected to users' accounts)
- Data uploaded, synced, or imported from a device
- Usage data (types of content viewed, features used, actions taken, accounts interacted with, Facebook camera data)
- Information about transactions (game purchases, donations, etc.)
- Things other users do in relation to your profile (others' comments on a photo of you, messages, and contact information)
- Device information (device attributes, device operations, identifiers, device signals, data from device settings, network connections, and cookie data)
- Information from partners about users' off-Facebook activity (whether or not the user has a Facebook account)
As expected, Facebook collects a huge amount of data - more than the average business - because it collects data from both users' time on the site or app and from their time away from it.
Can your business use one? It depends on whether your current policy can be satisfactorily condensed without skipping out on essential clauses.
In addition to paying attention to the length, keep an eye on the way the language changes. Short examples tend to use vocabulary the average user can understand and leave the legal jargon to the extended version.
Let's start with Ecquire, a customer research management organization with one of the best short Privacy Policies out there.
The first paragraph states that Ecquire doesn't collect or store user data. However, it doesn't stop there. The policy goes on to explain the mechanisms involved in dealing with data because the team works with data hounds like Salesforce and Google Docs:
Ecquire explains new data tools used like Mixpanel and that allow them to see macro events, but they don't see granular data like contacts and messages:
The company also notes that it does save email addresses provided by users to create an account. You can't run an account-based service without collecting and saving emails at the point of account creation. Ecquire stores emails in Helpscout, and requesting data removal requires only a quick email to support:
Finally, Ecquire goes on to explain its Chrome extension and why Google provides such a broad warning. The team says that Chrome covers its bases because of the sheer number of extensions, but Ecquire isn't interested in data beyond the data users ask it to collect:
The whole thing clocks in at just under 400 words.
There are two reasons.
Second, the author wrote the policy in such a way that the most important legal issues are framed as being a high priority, and all the essential questions are answered. Plus, they did so without relying on legal jargon.
The short form policy is only two pages long, and it includes the basics:
You can see that this clause doesn't describe exactly what data is collected. Rather, Cirencester Friendly keeps it general here and then goes into greater depth and detail in the long form policy.
Here's the relevant section from the long form version:
The long form policy describes the specific type of data collected by the group rather than who provides the data.
This puts the reader on notice that if they're concerned about having their information shared, they should check out the full version of the policy to find out more, which they will in this clause:
The short policy works well because it is informative without being wordy or jargon-heavy, and it tells readers just enough of the important information they need to know.
Interestingly enough, both versions are very, very short. Here they are in full, displayed next to one another:
Both versions carefully explain:
- What data is collected
- How the data is used
- Whether and how the data is shared
The short one is written in slightly simpler language and doesn't give as many specific details. However, due to the placement here, a reader can easily jump over to the long version if something in the short version makes him want to learn more about a point.
Brevity is an important quality, but so is framing and language.
As a result, you need to ensure that you include sensitive and important information in any policy and disclose it in language the reader can understand.