Do You Need a Short Privacy Policy?
In 2008, Aleecia M. McDonald and Lorrie Faith Cranor asked a question: how long would it take for the average internet user to read every single Privacy Policy for every web service they use each year?
The answer: between 181 and 304 hours with an average loss of $5,038 in productivity.
It's no wonder that 52 percent of internet users misunderstand the idea of a Privacy Policy entirely.
Your full-length Privacy Policy runs for pages or even longer if you collect a ton of data. You know that few people - maybe just lawyers and privacy junkies - are going to read the whole thing.
But, if you are conscious of the current privacy climate, you do want your customers to read it. For the sake of transparency (and the avoidance of frivolous lawsuits), ethical businesses don't just produce Privacy Policies - they also produce documents real people can read.
A short Privacy Policy accomplishes this task for you.
Short Privacy Policies offer a clear, concise version of your extended Privacy Policy. They feature a lower word count that's readable on small screens like phones, tablets, and wearables.
At the same time, it doesn't (always) replace the extended policy. Instead, it's a jumping off point to provide the essential information and inform anyone who might then go on to read the whole thing.
Do you need a short Privacy Policy? It depends on your business because above all, your Privacy Policy must be functional for your data use..
Can You Use a Short Privacy Policy?
Research shows that brief, well-written Privacy Policies benefit user awareness among almost all consumers.
A short policy isn't an excuse to spend less time and money on your policy. Rather, you choose the right words to describe the key components of your policy to summarize it concisely but still accurately.
Every Privacy Policy needs to include points on:
- The types of data collected
- How the data is collected
- Where and how the data is stored
- Whether the data is shared with any other parties
All these clauses need to directly reflect your data practices.
Your Privacy Policy Must Be Functional Above All Else
Any Privacy Policy you generate needs to function for your business.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
The best way to illustrate this is with an example:
Dropbox, the file sharing service, includes a Digital Millennium Copyright Act policy in its agreements because Dropbox allows users to upload, store, and share information using its service.
Because it allows users to upload property, it runs the risk of users uploading and using intellectual property that doesn't belong to them. Dropbox must then use a DMCA to uphold its responsibility to protect copyright holders and avoid liability if and when its users upload media that doesn't belong to them.
Dropbox's DMCA policy notifies users of its intent to uphold the DMCA and provides infringed parties a process for notifying Dropbox of potential infringements.
Does your site allow users to upload or share content? If not, the DMCA policy means little to you and you likely won't need it in your Privacy Policy.
As you can see, functionality is key. Dropbox's liability risk would be sky high without a DMCA policy, and it takes up a good portion of the Privacy Policy.
Short Privacy Policies don't just impact entire clauses that only apply to specific businesses. Functionality also plays a key role in those CalOPPA and GDPR-mandated clauses like what data you collect and how you collect it.
To see why, let's look at Facebook's recently revamped Privacy Policy:
You can see the difference between Facebook's Privacy Policy and the Privacy Policies of businesses that are less data-oriented almost immediately.
Facebook's policy starts by listing all the data it collects in a clause titled "What kinds of information do we collect?" The full list includes but is not limited to:
- Information and content provided by users including metadata
- Network and connection data (i.e., people, accounts, hashtags, and groups connected to users' accounts)
- Data uploaded, synced, or imported from a device
- Usage data (types of content viewed, features used, actions taken, accounts interacted with, Facebook camera data)
- Information about transactions (game purchases, donations, etc.)
- Things other users do in relation to your profile (others' comments on a photo of you, messages, and contact information)
- Device information (device attributes, device operations, identifiers, device signals, data from device settings, network connections, and cookie data)
- Information from partners about users' off-Facebook activity (whether or not the user has a Facebook account)
As expected, Facebook collects a huge amount of data - more than the average business - because it collects data from both users' time on the site or app and from their time away from it.
Your Privacy Policy data collection section won't need to include all this data unless you collect all this data.
The Bottom Line on Short Privacy Policy Use
Organizations like Facebook struggle to get away with a short Privacy Policy because their data practices are far too complicated. Using simple language would deceive the user, and it would cause legal headaches for the team at Facebook by opening it up to privacy violations and consumer lawsuits.
Can your business use one? It depends on whether your current policy can be satisfactorily condensed without skipping out on essential clauses.
To get a better sense, read through short Privacy Policy examples to see if you recognize your policy in short form.
Short Privacy Policy Examples
We curated a list of examples to use to illustrate what a short Privacy Policy is, how it compares to long-form policies, and whether you can successfully use one.
In addition to paying attention to the length, keep an eye on the way the language changes. Short examples tend to use vocabulary the average user can understand and leaves the legal jargon to the extended version.
Rudd Studio
Let's start with Rudd Studio, which has a super short Privacy Policy that still tells you everything you need to know.
The first paragraph states that Rudd Studio doesn't collect or store user data. Super clear and simple. The second and final section of this short Privacy Policy informs users that Rudd Studio does work with a third party platform that uses cookies, and provides a link to that third party's Cookies Policy so users can find out more easily if they wish to.
This is clear, transparent, and written in language that's easy to understand, with no legalese. By Rudd Studio linking to the third party's policy, this really boosts transparency and shows that the company truly cares about privacy and its users.
If you don't collect much data or share it with other parties, then your Privacy Policy can be shorter by nature.
Cirencester Friendly
Cirencester Friendly is a UK-based finance firm with an incredibly short Privacy Policy. The firm has used a traditional Privacy Policy format to create both a short form policy and a long-form version.
The short form policy is only two pages long, and it includes the basics:
You can see that this clause doesn't describe exactly what data is collected. Rather, Cirencester Friendly keeps it general here and then goes into greater depth and detail in the long form policy.
Here's the relevant section from the long form version:
The long form policy describes the specific type of data collected by the group rather than who provides the data.
Here's another example. The short Privacy Policy includes a quick notice about how information may be shared:
This puts the reader on notice that if they're concerned about having their information shared, they should check out the full version policy to find out more, which they will in this clause:
The short policy works well because it provides information in a way that is informative without being wordy or jargon-heavy, but lets readers know just enough important information that they need to know.
VeryNiceHomes
VeryNiceHomes is a Colorado realtor and mortgage broker firm with both a short and long version of its Privacy Policy.
Interestingly enough, both versions are very, very short. Here they are in full, displayed next to one another:
Both versions carefully explain:
- What data is collected
- How the data is used
- Whether and how the data is shared
The short one is is written in slightly simpler language and doesn't tell as many specific details. However, due to the placement here, a reader can easily jump over to the long version if something in the short version makes him want to learn more about a point.
Should you Have a Short Privacy Policy?
A short a Privacy Policy helps your users get straight to the point when it comes to your privacy practices. However, you should never skip sections of the policy for the sake of a word count. It's more important for your policy to be functional and representative of your data practices than for it to be short.
Brevity is an important quality, but so is framing and language.
As a result, you need to ensure that you include sensitive and important information in any policy and disclose it in language the reader can understand.
Depending on how data-driven your business is, your best bet may be to have a full-length Privacy Policy and also provide a short summary policy. Conversely, if your business is more simple and you don't deal with data extensively, your Privacy Policy will end up being shorter by nature and that's ok.
