Do You Need a Short Privacy Policy?

Do You Need a Short Privacy Policy?

In 2008, Aleecia M. McDonald and Lorrie Faith Cranor asked a question: how long would it take for the average internet user to read every single Privacy Policy for every web service they use each year?

The answer: between 181 and 304 hours with an average loss of $5,038 in productivity.

It's no wonder that 52 percent of internet users misunderstand the idea of a Privacy Policy entirely.

Your full-length Privacy Policy runs for pages or even longer if you collect a ton of data. You know that few people - maybe just lawyers and privacy junkies - are going to read the whole thing.

But, if you are conscious of the current privacy climate, you do want your customers to read it. For the sake of transparency (and the avoidance of frivolous lawsuits), ethical businesses don't just produce Privacy Policies - they also produce documents real people can read.

A short Privacy Policy accomplishes this task for you.

Short Privacy Policies offer a clear, concise version of your extended Privacy Policy. They feature a lower word count that's readable on small screens like phones, tablets, and wearables.

At the same time, it doesn't (always) replace the extended policy. Instead, it's a jumping off point to provide the essential information and inform anyone who might then go on to read the whole thing.

Do you need a short Privacy Policy? It depends on your business because above all, your Privacy Policy must be functional for your data use..

Can You Use a Short Privacy Policy?

Can You Use a Short Privacy Policy?

Research shows that brief, well-written Privacy Policies benefit user awareness among almost all consumers.

A short policy isn't an excuse to spend less time and money on your policy. Rather, you choose the right words to describe the key components of your policy to summarize it concisely but still accurately.

Every Privacy Policy needs to include points on:

  • The types of data collected
  • How the data is collected
  • Where and how the data is stored
  • Whether the data is shared with any other parties

All these clauses need to directly reflect your data practices.

Your Privacy Policy Must Be Functional Above All Else

Any Privacy Policy you generate needs to function for your business.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

The best way to illustrate this is with an example:

Dropbox, the file sharing service, includes a Digital Millennium Copyright Act policy in its agreements because Dropbox allows users to upload, store, and share information using its service.

Because it allows users to upload property, it runs the risk of users uploading and using intellectual property that doesn't belong to them. Dropbox must then use a DMCA to uphold its responsibility to protect copyright holders and avoid liability if and when its users upload media that doesn't belong to them.

Dropbox's DMCA policy notifies users of its intent to uphold the DMCA and provides infringed parties a process for notifying Dropbox of potential infringements.

Intro clause of Dropbox's DMCA Policy

Does your site allow users to upload or share content? If not, the DMCA policy means little to you and you likely won't need it in your Privacy Policy.

As you can see, functionality is key. Dropbox's liability risk would be sky high without a DMCA policy, and it takes up a good portion of the Privacy Policy.

Short Privacy Policies don't just impact entire clauses that only apply to specific businesses. Functionality also plays a key role in those CalOPPA and GDPR-mandated clauses like what data you collect and how you collect it.

To see why, let's look at Facebook's recently revamped Privacy Policy:

Intro clause of Facebook's Data Policy

You can see the difference between Facebook's Privacy Policy and the Privacy Policies of businesses that are less data-oriented almost immediately.

Facebook's policy starts by listing all the data it collects in a clause titled "What kinds of information do we collect?" The full list includes but is not limited to:

  • Information and content provided by users including metadata
  • Network and connection data (i.e., people, accounts, hashtags, and groups connected to users' accounts)
  • Data uploaded, synced, or imported from a device
  • Usage data (types of content viewed, features used, actions taken, accounts interacted with, Facebook camera data)
  • Information about transactions (game purchases, donations, etc.)
  • Things other users do in relation to your profile (others' comments on a photo of you, messages, and contact information)
  • Device information (device attributes, device operations, identifiers, device signals, data from device settings, network connections, and cookie data)
  • Information from partners about users' off-Facebook activity (whether or not the user has a Facebook account)

As expected, Facebook collects a huge amount of data - more than the average business - because it collects data from both users' time on the site or app and from their time away from it.

Your Privacy Policy data collection section won't need to include all this data unless you collect all this data.

The Bottom Line on Short Privacy Policy Use

Organizations like Facebook struggle to get away with a short Privacy Policy because their data practices are far too complicated. Using simple language would deceive the user, and it would cause legal headaches for the team at Facebook by opening it up to privacy violations and consumer lawsuits.

Can your business use one? It depends on whether your current policy can be satisfactorily condensed without skipping out on essential clauses.

To get a better sense, read through short Privacy Policy examples to see if you recognize your policy in short form.

Short Privacy Policy Examples

Short Privacy Policy Examples

We curated a list of examples to use to illustrate what a short Privacy Policy is, how it compares to long-form policies, and whether you can successfully use one.

In addition to paying attention to the length, keep an eye on the way the language changes. Short examples tend to use vocabulary the average user can understand and leaves the legal jargon to the extended version.

Ecquire

Let's start with Ecquire, a customer research management organization with one of the best short Privacy Policies out there.

It's short and sweet - and Ecquire knows it. That's why they call it "The World's Greatest Privacy Policy."

Ecquire Privacy Policy intro with 2018 update

The first paragraph states that Ecquire doesn't collect or store user data. However, it doesn't stop there. The policy goes on to explain the mechanisms involved in dealing with data because the team works with data hounds like Salesforce and Google Docs:

Ecquire Privacy Policy: Section on data movement

Ecquire explains new data tools used like Mixpanel and that allow them to see macro events, but they don't see granular data like contacts and messages:

Ecquire Privacy Policy: Mixpanel section

The company also notes that it does save email addresses provided by users to create an account. You can't run an account-based service without collecting and saving emails at the point of account creation. Ecquire stores emails in Helpscout, and requesting data removal requires only a quick email to support:

Ecquire Privacy Policy: Section covering email addresses, billing information and contact information

Finally, Ecquire goes on to explain its Chrome extension and why Google provides such a broad warning. The team says that Chrome covers its bases because of the sheer number of extensions, but Ecquire isn't interested in data beyond the data users ask it to collect:

Ecquire Privacy Policy: Section covering Google Chrome extension's request to access data

The whole thing clocks in at just under 400 words.

Why can Ecquire get away with a short Privacy Policy?

There are two reasons.

First, because of its commitment to privacy and limited data use practices, a short Privacy Policy remains functional and useful for both the company and users.

Second, the author wrote the policy in such a way that the most important legal issues are framed as being a high priority, and all the essential questions are answered. Plus, they did so without relying on legal jargon to do so.

So, if you don't collect much data or share it with other parties, then your Privacy Policy can be shorter by nature.

Cirencester Friendly

Cirencester Friendly is a UK-based finance firm with an incredibly short Privacy Policy. The firm has used a traditional Privacy Policy format to create both a short form policy and a long-form version.

The short form policy is only two pages long, and it includes the basics:

Cirencester Friendly Short Form Privacy Notice: The information we collect clause

You can see that this clause doesn't describe exactly what data is collected. Rather, Cirencester Friendly keeps it general here and then goes into greater depth and detail in the long form policy.

Here's the relevant section from the long form version:

Cirencester Friendly Privacy Notice: Collecting personal data clause

The long form policy describes the specific type of data collected by the group rather than who provides the data.

Here's another example. The short Privacy Policy includes a quick notice about how information may be shared:

Cirencester Friendly Short Form Privacy Notice: Who we can share your information with clause

This puts the reader on notice that if they're concerned about having their information shared, they should check out the full version policy to find out more, which they will in this clause:

Cirencester Friendly Privacy Notice: Disclosing personal data clause

The short policy works well because it provides information in a way that is informative without being wordy or jargon-heavy, but lets readers know just enough important information that they need to know.

VeryNiceHomes

VeryNiceHomes is a Colorado realtor and mortgage broker firm with both a short and long version of its Privacy Policy.

Interestingly enough, both versions are very, very short. Here they are in full, displayed next to one another:

VeryNiceHomes Privacy Policies: Short and Long versions

Both versions carefully explain:

  • What data is collected
  • How the data is used
  • Whether and how the data is shared

The short one is is written in slightly simpler language and doesn't tell as many specific details. However, due to the placement here, a reader can easily jump over to the long version if something in the short version makes him want to learn more about a point.

Should you Have a Short Privacy Policy?

Should you Have a Short Privacy Policy?

A short a Privacy Policy helps your users get straight to the point when it comes to your privacy practices. However, you should never skip sections of the policy for the sake of a word count. It's more important for your policy to be functional and representative of your data practices than for it to be short.

Brevity is an important quality, but so is framing and language.

As a result, you need to ensure that you include sensitive and important information in any policy and disclose it in language the reader can understand.

Depending on how data-driven your business is, your best bet may be to have a full-length Privacy Policy and also provide a short summary policy. Conversely, if your business is more simple and you don't deal with data extensively, your Privacy Policy will end up being shorter by nature and that's ok.