Executive Perspectives

Going Public About Privacy: A Six Part Series

This is the third of a multi-article series by FireEye’s Chief Privacy Officer, Shane McGee in which Shane explores six fundamental steps to building an effective privacy program. While there are many critical pieces to consider, Shane chose to highlight the following:

1.    Give Privacy a Voice

2.    Follow the Data

3.    Communicate Clearly, Carefully and Candidly

4.    Become Part of the Process

5.    Build a Culture of Privacy

6.    Rinse and Repeat

 

Communicate Clearly, Carefully and Candidly

In the first article of this series, I wrote that privacy professionals could, at one point, boil best practices down to a single phrase: “say what you do and do what you say.” While privacy regulation and best practices have evolved to become more complex than can be captured in a simple adage, this concept still represents a necessary part of any privacy program. Stated another way, a good privacy program requires a company to set (“say what you do”) and meet (“do what you say”) its customers’ expectations with respect to the way it collects, stores, uses and shares data. 

Setting customer expectations with regards to privacy is vital, and a failure to communicate privacy policies and practices clearly will inevitably result in confused, unhappy customers. For that reason, when your company communicates about privacy – whether it’s in a privacy policy, customer contract or marketing piece – it’s best to do so in an easily digestible format. That means using plain English, making the communication as succinct as possible, and giving real-life examples to explain difficult concepts. 

Unfortunately, many companies publish privacy policies written more like complex legal agreements than a customer-facing communication. A 2011 study by TRUSTe found that the average privacy policy was almost twice the length of the Declaration of Independence, and written six grade levels higher than the average U.S. reading level of 8th grade. Regulators and consumer groups alike frown on such policies, arguing that average users don’t take the time to read them and probably wouldn’t understand them if they did.    

It almost goes without saying that you need to be careful when drafting privacy policies. When drafting these policies, many companies fail to consider how their data practices will change over time. It’s important to talk to your team about the roadmap for future products and services, because if you change your privacy policy every time an offering evolves or a new product or service is introduced, you’ll have to treat all the data collected under that new policy differently than the data collected under the previous policy. However, if you draft a policy that addresses current and future data practices, you’ll be able to treat all your data consistently without segregating or purging it.     

Being candid is another seemingly obvious piece of advice, though one that companies frequently ignore. The FTC is tasked with protecting consumers in the U.S., and the vast majority of its privacy-related investigations and settlements are based on its jurisdiction to police ‘deceptive’ trade practices. The large number of settlements negotiated by the FTC for those deceptive practices demonstrates it is common for companies to say one thing and do another. It can be an expensive mistake – Google paid $22.5 million to settle FTC charges that it misrepresented privacy promises to users of Apple's Safari browser.

I should have added another word to the title: consistently. After all, publishing differing messages on privacy doesn’t set expectations with customers – it confuses them. Moreover, from a strictly legal perspective, if a company publishes different privacy policies, a plaintiff or regulator can cherry-pick the message that supports his or her position and use it against you. As I indicated in my first article, the best way to avoid these problems and to promote a consistent message is to make certain your company has a single voice when it comes to privacy issues.

Setting expectations is a key to success in many endeavors, and privacy is no different. Make certain you’re setting those expectations appropriately by ensuring that your privacy message is clear, carefully drafted, consistent and candid.