Most privacy policies are too complex and unhelpful for end-users.
Although privacy policies are meant to protect end-users, they are typically written in a way that protects the entities responsible for creating and sharing products. These policies have a lot of technical and legal information that is written at a college reading level, even though the average person reads at a middle school level. The content is often modeled after existing commercial products, which might contain terms that are not best practice or are difficult for smaller-scale entities to follow. Policies are usually hidden at the bottom of a web page and information that is relevant or actionable to the end-user is not easily visible.
Privacy policies that are difficult to find, read, and understand can cause end-users to feel overwhelmed by the information and as though they have no control over their privacy.
Worst Case Scenario: A Privacy Policy that is Uninformative and Unapproachable
A well-designed privacy policy can be informative for end-users.
Privacy policies that are written in plain language can help end-users at all reading levels understand how their data is handled. Visually emphasizing how the policy content relates to the end-user, presenting this content in a logical flow, and showing what step-by-step actions they can take if they have concerns will give end-users more agency over how their data is used. Having these simplified materials also ensures that apps and websites comply with ethical review board requirements, federal regulations, and international privacy laws.
Best Practice: Privacy Policy
What to prepare?
Step 1
Create a privacy policy that is easy to digest and engaging to read.
The content of the policy should be at an appropriate reading level (e.g., middle school) for participants. Present the information in a logical, step-by-step flow based on how the information is used for the study. Include visual elements and narrative language that is centered on the participant, instead of presenting a “wall of text”. Make sure the policy is easy to find.
Step 2
Incorporate the privacy policy into informed consent procedures.
For research studies, have new participants review the privacy policy during the consent process. This step will give participants the opportunity to ask questions and confirm their understanding of the policy.
Step 3
Ensure that the terms of the privacy policy can be followed.
The terms that are stated in the privacy policy must be followed. Discuss and decide what procedures are feasible and realistic for your team members, developers, and other stakeholders involved.
Resources
Case Studies
Digital Medicine Society's Privacy Policy
An example that achieves a middle school reading level
mPower's Privacy Policy
Sage Bionetworks
Twitter's Privacy Policy
An Example of a Good Policy Summary
Privacy Policy Analysis
Center for Plain Language
Making Privacy Policies Not Suck
Aza Raskin
A Quick Primer on Readability
Meg Doerr