Web Design Reference Guide

Web Writing That Works: How to Write a Privacy Policy—If You Must

Last updated Oct 17, 2003.

By Jonathan and Lisa Price

As soon as your site asks my name, I get suspicious.

Then, if you ask for my address, phone number, credit card number, bank names, account numbers, health history, or current job info, I worry about what you're going to do with all that information, and I'm likely to nudge legislators around the world to order you to protect my privacy.

If your site mines raw transaction data to identify me, come up with new offers, sell my name to eager merchandisers, or run a more sinister scam, you are going to have to explain how you "share" that information within your own family of companies and outside, or else you will be hearing from the lawyers.

How can you avoid lawsuits, and reassure your guests?

Go Ahead, Reassure Me!

Most Internet users are willing to accept a guarantee that you won’t abuse their privacy. "We guarantee that we will not violate your privacy."

Just the statement is enough--very few of these folks actually read privacy policies.

Of course, a substantial fraction of the Web population feels extremely nervous about the way personal information might be used, and these folks are not likely to be placated with a simple statement.

For the rest of the Web world, though, assertions are often good enough. Put a link to your privacy policy on every page. Make a big deal out of going to your secure server when a customer makes that leap. And, whenever you ask someone to fill out a form, put your guarantee of privacy right up there.

Does this strategy make you feel a little anxious, as a writer? You might want to make sure that your company really will protect the consumer’s privacy before you scribble the announcement.

An interesting way to probe your organization’s honesty would be to volunteer to write an in-depth explanation of its privacy policy. Your boss’s reaction will tell you more than the policy does.

Reward Me For Exposing Myself To Danger

If your firm really needs my personal information, give me a reason to take the risk--and to spend the time.

Almost two thirds of the folks out on the Internet have parted with their e-mail address and "real" name in order to get access to a site’s content, special e-mail newsletters, affinity points on purchases (such as frequent flyer miles), or a chance to enter a sweepstakes.

If you offer the opportunity to personalize the site, 87% say they will give you their real name for that convenience.

People swap info for benefits. So, write up the benefits on the page on which you are asking folks to respond to a question, complete a form, or opt into an e-mail.

Let Me Out

Give me access to my personal profile or account, and let me delete myself. If you give people the opportunity to edit their information, oddly, they provide even more. Almost no one destroys his or her data.

So, as soon as you display the personal information, write labels indicating that they can edit it—and offer a button to go right into editing.

Since one of the biggest invasions of privacy is spam, make sure that you allow people to opt into your e-mail newsletter twice (once by clicking the checkbox and Submit button, again by responding to the e-mail notification that they can subscribe if they reply).

Double opt-in makes it more likely that people know what they are doing when they volunteer for the e-mail. But let them unsubscribe, and write clear directions for that in every issue of your e-newsletter.

You really don’t want to end up testifying in front of some group like the U.S. Federal Trade Commission on something they call UCE--"unsolicited commercial e-mail."
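An added example, not part of the original article, of the double opt-in and "let me out" flow described above, in Python: a sign-up stays pending until a fresh, unguessable token carried in the notification e-mail confirms it, every issue can carry a signed unsubscribe link that cannot be forged for a stranger, and the reader can erase the record outright. The in-memory store, the signing key and the 24-hour expiry are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store and signing key (assumptions); a real site uses a database.
SECRET_KEY = secrets.token_bytes(32)
CONFIRM_TTL = 24 * 3600  # an unconfirmed opt-in lapses after a day (assumption)
subscribers = {}  # e-mail -> {"state", "token", "requested_at"}

def request_subscription(email, now=None):
    """Opt-in #1: the checkbox and Submit button. Records a *pending* sign-up and
    returns the one-time token to carry in the notification e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable: nobody can confirm on another's behalf
    subscribers[email] = {"state": "pending", "token": token, "requested_at": now}
    return token

def confirm_subscription(email, token, now=None):
    """Opt-in #2: the reader acts on the e-mail. Only a fresh, matching token moves
    the record to *confirmed*; every failure looks identical to the caller."""
    now = time.time() if now is None else now
    rec = subscribers.get(email)
    if rec is None or rec["state"] != "pending":
        return False
    if now - rec["requested_at"] > CONFIRM_TTL:
        return False
    if not hmac.compare_digest(rec["token"].encode(), token.encode()):  # constant time
        return False
    rec["state"] = "confirmed"
    rec.pop("token")  # single use: the same confirmation cannot be replayed
    return True

def unsubscribe_signature(email):
    """HMAC over the address for the unsubscribe link printed in every issue, so the
    link cannot be forged for a stranger and no per-subscriber secret is stored."""
    return hmac.new(SECRET_KEY, b"unsubscribe:" + email.encode(), hashlib.sha256).hexdigest()

def unsubscribe(email, sig):
    """Honour the link from any issue; a bad signature changes nothing."""
    rec = subscribers.get(email)
    if rec is None or not hmac.compare_digest(unsubscribe_signature(email).encode(), sig.encode()):
        return False
    rec["state"] = "unsubscribed"
    return True

def delete_me(email):
    """'Let me out': erase the record on request rather than merely flagging it."""
    return subscribers.pop(email, None) is not None
```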

Write A Privacy Policy That People Can Understand

Unfortunately, most privacy policies are written by lawyers, with headlines inserted by marketing veeps. The tone is schizophrenic. The big type says, "We would never tell," and the fine print inserts exceptions, excuses, and bland generalities that leave anyone wondering, "Are they sincere?"

Avoid the "We-we’s"

We do this, we do that, but what about me, the user?

"We use advanced technology and well-defined employee practices to help ensure that customer data is processed promptly, accurately, and completely," says American Express.

Thank goodness.

American Express feels much better now, but I don’t.

Those employee practices, in particular, give me an eerie feeling that something isn’t being told; for instance, why aren’t those practices actually spelled out here, if they are so well defined? And what difference do they actually make to me?

Stop Boasting

Politically, you may have a hard time getting rid of bogus phrases like:

  • "Our policy is simple."
  • "The security of your personal information is of the utmost importance to us."
  • "We are in the forefront of the critical issue of privacy."

But make the effort. A 10-page legal document is not simple. Making money is probably more important than privacy. So don’t make bogus claims, or you violate the whole purpose of the policy, which is to build trust.

Don’t Pontificate

Guests don’t think of you as a philosophy professor, so edit the heck out of the boss’s reflections on subjects like "consistent service quality." In fact, try not to sound like the boss.

The managerial perspective seems alien to most customers, even when couched in "you" phrases.

Take this sentence describing one of the "key values" of Bank One’s privacy policy: "Information must be shared to fulfill your requests, deliver products and services, administer and update accounts, reduce fraud and other risks, and to comply with laws and regulations."

True, but here we are looking at things through the eyes of an Information Technology Officer, or CIO, not a consumer.

Also, watch out for grandiose phrases reflecting:

  • Defensiveness (why we are forced to collect information about you)
  • Self-pity (the darn law makes us tell you these things)
  • Managerial duplicity (we reserve the right to sell your information anytime we feel like it, but we can’t admit that)

Lying, of course, is the biggest stylistic problem in privacy policies, and one reason so many people distrust these otherwise bland and boring documents.

As a mere writer, of course, you can only do so much to force your organization to be honest with consumers. But give it a shot.

And if you get a lot of jive talk back, maybe you should pull out your resume for a little update.

Explain Security Before And During The Transaction

Don’t just dash off a little paean to security somewhere in your general FAQ.

Explain what makes your server secure, and why that matters to me, as a consumer--before I have to enter my credit card number.

And put a condensed version inside any forms I have to fill out to complete the buy. Point out how your consumers can tell if they are really on a secure server (the change in the URL, the icons that show up on the status bar).

In other words, tell people what you take for granted, as obvious, about security. Say more than you think is really needed, and folks will be grateful.

Not Tooooooo Techie, Please

Take a shot at explaining encryption, and the Secure Sockets Layer, if you dare.

But concentrate on the benefits to the consumer.

Most online transactions are safer than a trip to the local dry cleaner (where they keep a paper copy of your information), and a lot safer than e-mail.

Trying to explain why your site is more secure than a local restaurant can be a challenge, though, particularly when you're really just writing a label on a form.

Sure, you can link to a fuller explanation in the FAQ or Privacy Policy, but first make a solid effort to capture the gist of those ideas at the moment of action, so most people don’t have to leave the page to learn what is going on.

Lead Up To The Jargon, Or Ax It

Too often, the authors of privacy policies assume that the reader knows acronyms like SSL, understands the subtle differences between internal and external sharing and selling, and enjoys hearing about encryption standards.

Using industry or in-house jargon without explanation simply makes readers suspect that you are trying to pull the wool over their eyes.

Sure, you may have to talk about your security precautions, but walk people through these safeguards in plain English before you mention IP addresses. Remember, a lot of people still think cookies are a great snack.

Phrase The Policy as a FAQ

People are used to FAQs on the Web, and one big advantage is that this approach breaks the information up into digestible chunks, in the give and take of a virtual conversation. Answer questions like these:

  • Why do you want to know my name and e-mail address?
  • Why do you want to know my credit card number and street address?
  • What other information do you keep track of, about me?
  • Do you collect information from children?
  • How do you verify parental consent for information about their children?
  • How do you make sure nobody steals my credit card information?
  • How do you use this information?
  • Do you share my information with other parts of your company?
  • Do you share my information with other companies?
  • Do you sell my information to anyone?
  • What do you do if one of your employees violates my privacy?
  • Can I see and change the information you have about me, personally? Can I review information you have about my child?
  • How can I start or stop receiving e-mail from you?
  • How do you protect the privacy of my e-mails to your customer support team?
  • Where can I learn more about my right to privacy?
  • Who can I talk to if I have a question about my privacy?

If you can answer most of these questions in plain English, you will surprise and please most consumers, even if your legal team has a fit.

If you must defend yourself against your own firm’s lawyers, do some user testing to show what people understand, and what they don’t, in their prose and yours.

Then make the case that the document claims to be addressed to the general public, not just lawyers, and so the norms, conventions, and standards of ordinary people are what the text must be judged by--not the stricter, but slippery language that is legally correct.