By Mehmet Munur, CIPP/US, Sarah Branam and Matt Mrkobrad, CIPP/US, CIPP/G

Privacy policies have become long legal documents that most attorneys, let alone the average consumer, have difficulty understanding. They are meant to provide notice to individuals about data collection, use and disclosure policies. However, they are often complicated, long, unintelligible and, as a result, rarely read by the average consumer. It is important to change this reality. Below are a few best practices in drafting plain-language and multi-layered privacy policies that should help reverse this trend and help the average consumer read and understand your privacy policy.

Align privacy practices with privacy promises by conducting factual and legal due diligence.

Your organization’s privacy practices must align with its privacy promises to minimize legal liability. You can do so by conducting factual and legal due diligence. The factual due diligence allows you to determine what information your organization uses. The legal due diligence allows you to determine what laws govern the use of that information. You need to understand both in order to competently draft a privacy policy that minimizes legal risk for your organization.

Arguably, the largest legal risks to an organization resulting from statements in the privacy policy are risks arising from misalignment of privacy promises with actual privacy practices. A material difference between what the organization says in its privacy policy and what the organization does can result in enforcement actions by regulators or class-action lawsuits by consumers.

As a result, no privacy policy should be drafted in a factual vacuum. Rather, you should draft the privacy policy only after conducting due diligence about your organization’s collection, use, sharing and retention of information. You will need to find out if you only collect information from individuals or if you collect information about individuals from third parties such as service providers. You will need to find what types of information you collect from these sources and how you share it with others. You will also need to find out for what purposes you use the information and disclose those practices accordingly.

You should also avoid drafting your privacy policy in a legal vacuum. Your factual due diligence may lead you to realize that you may be collecting different types of data: personal information, automated information, healthcare information, financial information or even children’s information. Different laws, regulations or private obligations will apply to the use of this information. You may draft more precise privacy promises by finding out the exact requirements of these laws and how they apply to your organization. In fact, you may even find that your organization is not legally required to make some statements—even though it may choose to do so.

However, this is easier said than done. Many organizations have to deal with a large number of websites, products or services. Where products and services develop faster than policies and procedures regarding their governance, privacy policies may be outdated in a short period of time. Therefore, you should put in place policies and procedures to conduct due diligence early on in the product lifecycle and on a continual, ongoing basis.

Depending on feasibility, conduct a privacy impact assessment or a privacy risk assessment. At the very least, seek review of the policy from the website, service or product managers. This type of involvement from the entire organization results in a better final product. It also provides a good opportunity to educate various website, service or product managers on the details of the policy and ensures that the product and policy statements align.

In addition, it is crucial to strike a balance between providing detailed information to consumers and leaving room for the business to grow. Consider whether it is in your organization’s best interest to state that you may use the information for one purpose when your organization has plans to do so in the future—though it currently does not. In fact, during your legal due diligence you can even try to anticipate changes in the law that may require your organization to make additional promises. This prevents a potential misrepresentation in your privacy policy and allows you to plan ahead.

Use multiple layers. Carefully determine what goes in each layer.

Having conducted the due diligence, you should then prioritize the disclosures in different “layers.” Your first layer should be the shortest and the simplest. Commonly called the highlights notice or privacy policy highlights, it should be the first policy that the consumers see and should be directly linked from your privacy policy link. It should have multiple links to the second layer, the full policy. See, for example, IBM, Microsoft, Nat Geo, P&G, Walmart or USPS highlights policies.

Aim for two layers, possibly supported by a third layer of FAQs or links to sections that provide more information about technical topics. The most common elements in the first layer are scope; uses and disclosures; rights and choices; important information; and contact information. Do not focus on commonly accepted practices that are consistent with your interaction with consumers. In its final privacy report on protecting consumer privacy, the Federal Trade Commission noted this notion of commonly accepted practices. For example, fulfillment, fraud prevention, internal operations, legal compliance, public purpose and most first-party marketing would be anticipated by the consumer and would usually not require choice. Therefore, do not feel the need to disclose this information on the first layer of your privacy policy; place it in the second layer. Instead, focus on elements that may not be obvious to your consumers.

Under some circumstances, however, focusing on the common elements may be necessary. For example, this may be the case where your organization’s use of the consumer’s information is not consistent with the context of their transaction. This may also be the case if you do not have many uncommon uses of information. Therefore, carefully determine what information you need to place in the first layer of your privacy policy.

Include the full details of your privacy policy in the second layer. While some regulators have advocated for up to three layers, each with more detail than the previous one, this is uncommon in practice. This second layer should include all information: the obvious, the technical and all the information appropriate to educate your consumers about the use of their information. The particulars of the policy will be determined by the laws applicable to your websites, products or services. However, feel free to use a checklist or other industry guidance documents, such as the AICPA Generally Accepted Privacy Principles, to ensure that you have covered all bases.

On the other hand, some information may be better described in a third layer. For example, detailed information relating to cookies, data retention, international data transfers and use of data centers in multiple locations may require additional explanations that you may want to include in FAQs or a separate policy outside the first two layers of the privacy policy. If you are bound by the revised E-Privacy Directive in the EU, you may choose to include a separate policy listing your cookies, which is linked to your privacy policy. However, you should also generally refer to these issues in the second layer.

Be sure that the different layers, FAQs or any other extraneous statements relating to your privacy policy do not conflict with the full privacy policy. For example, if the first layer of your privacy policy states that you do not sell your consumers’ personal information and the second layer of your privacy policy—your full privacy policy—states that you may sell or transfer this information as part of a business transfer, then you may confuse your consumers and face potential enforcement actions.

Finally, note that a layered approach, while advocated by regulators and shown to be consumer-friendly, has not yet been tested in litigation. Implement this approach carefully, and make sure that the hyperlinks work as intended. If done right, it should achieve the dual purpose of providing easy-to-understand privacy notice to consumers and limiting liability through complete and accurate disclosure.

Choose your words carefully. Cut out the fluff.

Carefully choose the words you use. Use simpler, more familiar terms and avoid defined terms and legalese whenever possible. Remember, consumers are not attorneys and likely will not understand legal concepts.

Inevitably, you will need to use words of art, such as cookies, local shared objects, HTML5 or data controller. In those instances, include hyperlinks to the explanations or the FAQs that provide meaningful explanations. There is no need to define every concept with quotation marks, especially if they are self-explanatory and there is little ambiguity. If your privacy policy applies to a website, you need not state that the “privacy policy applies to this website.” Your privacy policy should be simple enough that there are very few definitions.

If you define a concept, do so carefully. If you exhaustively define “personal information” and your privacy policy applies only to personal information, then you may end up with categories of information for which you do not have a privacy policy. This is fine, so long as it is your intention. However, trends in technology, privacy and enforcement are making disclosures relating to unique IDs, cookies and IP addresses more important. Therefore, be sure that your privacy policy achieves its objective of informing your consumers of the use of their information—whether sensitive, personal, personally identifiable, automated, anonymized or otherwise.

A word of caution—you may not want to tell your consumers how much you care about the privacy and security of their information. Complaints in class-action lawsuits and FTC enforcement actions are littered with companies that told their users how much they cared about the privacy and security of their personal information and then suffered a breach. Instead, describe your privacy and security practices in general terms. Twitter took this route when it revised its original privacy policy after the 2010 FTC enforcement action to remove provisions relating to its concern for its users’ security—perhaps realizing a little too late that it was not legally required to make those promises.

Use short sentences, active voice and bullet points.

Your privacy policy should also be organized and easy to read. Shorter sentences that use active voice are easier to understand. Use a table of contents with hyperlinks to the major sections of the policy. Each section of the privacy policy should then link back to the table for easy navigation. Use bullet points when you find yourself listing many items. This can be especially useful when listing the types of information collected or the purposes for which information is used. Bullet points create an easier-to-read sentence structure and improve appearance.

Review your work. Publish accordingly.

You should have the privacy policies reviewed by others. To ensure that the policies are simple enough to read, have colleagues who are not in the privacy or security field read them. You need not hire focus groups—though that is not a bad option either. Be creative. If you or your colleagues have young adults in your family, have them review your policies.

Also, be sure to read up on the issues relating to publicizing your privacy policy revisions before publishing the initial or updated version of your privacy policy.

Following the recommendations above should help you draft more understandable privacy policies. Your consumers—and hopefully courts and regulators—will appreciate your efforts in communicating more clearly with them.

Mehmet Munur, CIPP/US, is an attorney at Tsibouris & Associates, LLC; Sarah Branam is the privacy manager for Epsilon, and Matt Mrkobrad, CIPP/US, CIPP/G, is the privacy manager and bank secrecy act officer at Alliance Data.
