The problem with privacy policies
Articles 13 and 14, along with other provisions of the EU General Data Protection Regulation (the GDPR), require businesses to provide individuals with comprehensive information about the processing of their personal data. One of the most important instruments for informing individuals about the handling of their personal data is privacy notices, often referred to as privacy policies. Since the GDPR came into effect six years ago, privacy policies have become a standard feature on nearly every website. Initially, compliance with transparency requirements was poor because many privacy policies used vague language. For instance, they described data processing purposes merely as “internal administration” or “business purposes” and stated that data would be stored “no longer than is necessary to achieve the specified purposes” without clear definitions.
Although such issues still occur, they are now much less prevalent. There is a clear trend towards crafting privacy policies that are more detailed and precise. However, it would be premature to assert that individuals are properly informed about the processing of their data. Only a small fraction of website visitors actually read these privacy notices, let alone understand them: the privacy notice link is clicked by a small percentage of visitors, and those who do visit the page spend so little time there that it is hard to claim they genuinely access and understand the information provided.
The reason behind this may be that, in practice, the focus is more on achieving formal compliance than on genuinely informing individuals. Privacy policies appear to be crafted more to satisfy the requirements of supervisory authorities than to inform the individuals whose personal data is being processed.
Organizations are creating long, precise, and detailed privacy policies but pay less attention to how such a large amount of information is presented to individuals and whether they are capable of understanding it. Such practices are hardly compatible with the GDPR’s concept of transparency, which the European Data Protection Board emphasizes as “user-centric rather than legalistic” in its guidelines on transparency. Therefore, when deciding between absolute legal accuracy and completeness of information versus enhanced readability with minor compromises in precision, the latter is advisable.
The main purpose of privacy notices is to help individuals understand how their personal data is processed rather than just to avoid fines from supervisory authorities. Moreover, penalties can be imposed not only for missing some kind of information in the privacy policy but also for presenting information in a way that is too complex and fails to consider the understanding capabilities of the intended audience. Balancing the comprehensiveness of information with its understandability may not be an easy task. However, there are effective methods to make privacy notices more “human” while ensuring they meet the requirements of the GDPR. This balance can be achieved through the application of legal design principles in the creation of privacy notices.
What is legal design?
Legal design is an approach that applies design thinking principles to the field of law, placing the user at the center of the process. The main goal of legal design is to make the law more understandable and engaging to everyone, not just legal professionals. Legal design goes far beyond document or information design. It is also used to enhance the effectiveness of legal systems, processes, or services.
Legal design emphasizes the necessity to:
How can legal design make privacy notices more effective?
Legal design principles can be effectively applied to privacy policies using the following strategies:
Audience analysis. To ensure that a privacy notice is comprehensible, it is essential to understand the target audience and who will be reading the document. While there are instances where the notice might target professionals with specialized knowledge, these cases are relatively uncommon. Typically, the language should be clear and straightforward, accessible to individuals with a basic education. For more vulnerable groups, such as children, the language should be further simplified and can include visual elements or even comics to aid understanding and make privacy notices more fun. Of course, this should be done carefully without distorting the meaning of the message.
Focus on structure. A lengthy, 20-page PDF document that cannot even be searched by keyword is likely to be read only by supervisory authorities, competitors, and curious lawyers. The information architecture must be more user-friendly to ensure the privacy notice effectively reaches and engages its intended audience. Right from the outset, it should be immediately apparent where specific information can be found. For larger documents, it is beneficial to break the content into separate sections that address distinct issues, incorporate techniques such as jump links to facilitate navigation, and present information in clearly defined layers. Using tools to identify the information most commonly sought by readers and prominently displaying this information at the beginning of the policy can be highly effective. Additionally, a Frequently Asked Questions (FAQ) section that addresses these common queries can further enhance the policy. On the other hand, it is crucial to maintain a balanced structure so that important information is not obscured. For instance, it is advisable to avoid configurations where only positive details are highlighted in the initial layers while critical information about risks, data transfers to third countries, etc., is relegated to subsequent layers. Such practices can mislead the reader and diminish the transparency of the policy.
Text isn’t the only communication method. It’s important to remember that information can be presented in a variety of ways, including illustrations, icons, videos, and even interactive game elements. While these visual and interactive formats cannot completely replace written text, they serve as excellent complements, significantly enhancing the understandability of information.
“Testing” privacy policies. To make privacy policies more effective, it is beneficial to “test” them before they go live. This does not necessarily require extensive user research. A simpler approach involves having colleagues who are less familiar with data protection laws review the draft policy. They can provide feedback on its clarity and suggest enhancements to make it more user-friendly or engaging. AI tools can also provide valuable insights and help improve the privacy policy. After publication, it is beneficial to regularly review metrics such as how often the policy is read, the time spent on it, which sections are most engaging, and so on. This data can then be used to further improve the privacy notice.
Effective change management. Privacy policies usually contain a largely notional provision that the controller can change the privacy policy at any time, so the visitor should re-read it from time to time. Given that only a small proportion of visitors to a website even turn to the privacy policy page, the chances that they will go to see if and what has changed are close to zero. To help data subjects navigate the changes, changes to the privacy policy could be accompanied by a notice in the website’s news section that summarizes them, or by other measures that draw the attention of data subjects to the substantive changes.
Conclusion
These strategies are just examples of how legal design can make privacy notices more reader-friendly. However, there is no universal or one-size-fits-all practice for what a good privacy notice should look like, and there probably cannot be. The choice of specific measures to make privacy notices more effective will depend on the nature of the data subjects (the audience), the scope of the privacy notice (how many issues the notice is intended to cover), the culture of the organization and the nature of its activities, the functionality of the website, and other relevant factors.
Viktorija Stančikė, Senior Associate
Originally published in USLAW Magazine Summer 2024