Opinion

Reflections on Writing a Privacy Policy

Written by
Eve Maler
Published on
May 24, 2024
Blog
Technology

I faced a rare opportunity a few weeks ago. I got to craft Venn Factory’s privacy policy.

Every site’s got to have one, right? But people mostly ignore them. Honestly, what can they do about the situation? Pew Research says more than half of Americans click “Agree” without reading them.

I’m one of the weirdos who care, having spent a long time working on workable alternatives to traditional consent, and I do read privacy policies.

Back in 2008 I settled on a formula for all the ways we pay for personalized service online: a combination of money, attention, and personal data. In 2010 I connected the formula to privacy policies. What if companies had to be upfront about monetization to this degree? Here’s what my snarky proposal looked like.

In recent times, the conversation has only gotten more pointed. I naturally looked to Internet Safety Labs as one source of inspiration. (Disclosure: I am on its board.)

ISL is a unique organization focused on enhancing online product safety, which encompasses privacy and much more. Its executive director, Lisa LeVasseur, and I had penned an article in 2019 for IEEE’s Communication Standards Magazine called Beyond Consent: A Right-to-Use License for Mutual Agency, so I knew we’d be highly aligned on such topics.

Lisa and I talked about the three-part formula, which she’d made the subject of a great ISL Flash Guide primer a few years back. (I love the #TANSTAAFL hashtag on her article!) The topic also came up in some LinkedIn interactions with the inimitable Jamie Smith recently.

ISL’s own privacy policy is a model of clarity and transparency, but of course it would be, since it has no incentives to monetize personal data. As the proprietor of a very small B2B services company, I also have the luxury of being extremely clear on how each morsel of personal data is collected, used, and shared.

I set out some design principles:

  • Achieve a Goldilocks length (is it short enough and also long enough to convey real credibility?)
  • Be empathetic with the reader (is it readable, but also, does it answer the questions on the reader’s mind?)
  • Say how I gain value from data (does it explain ”how I make money” and how data supports my business?)
  • Ensure I can live with myself (can I be proud of it?)

Did I achieve my goals? I think so, but you may have your own opinions — and there’s something else you need to know.

Even if you have the purest of intentions, it’s hard – to the point of impossible – to have a truly clean, exemplary policy for the handling of personal data. If you use any third-party services at all, you incorporate some risk. It’s not just a matter of cookies and websites. ISL’s App Microscope tool goes a long way to explaining all the avenues for mischief; here’s its entry for Grammarly, just as an example.

I ended up including a clause that might as well be a giant shrug – but it helps me sleep at night.

😱 We may store your data on servers provided by third-party software or hosting vendors with whom we have contracted, and these vendors may have their own privacy policies that may interfere with our control, as well as your own control, of your data’s storage, usage, and further sharing.

I hate being at the mercy of third parties – and I hate having my control interfered with. Wouldn’t it be interesting if we had a standard or even mandated way to pass a “Do Not Sell” signal down the chain of services?

This is a topic I hope to explore in a couple of upcoming talks during identity conference season.

If you’re attending, come over and say hello!

Share this post
Technology
Identity
Security
Privacy

Stay Informed with Our Newsletter

Subscribe to our newsletter for the latest blog posts and insights in the identity space.

Thank you! Your subscription has been received!
Oops! Something went wrong. Please try again.