It might be the oldest topic in the IAPP canon: What makes a good privacy notice? In fact, while attendees of Privacy. Security. Risk. were mingling in San Jose, California, the U.S. Federal Trade Commission was discussing that very topic in Washington, DC, as part of their workshop series.

Somehow, though, there remains grist for the mill. The panelists at P.S.R.’s “Making the Grade: Moving Beyond Compliance into Data Stewardship,” moderated by the IAPP’s Jedidiah Bracy, CIPP, even found something to disagree about in a lively session that looked at what privacy industry leaders are doing to inform consumers and engage with them.

In particular, there was the discussion of announcing a change in privacy policy. Of course, change management is difficult in any organization, but changing a privacy policy, and making those changes known to the public is something of an art form.

Online Trust Alliance Executive Director Craig Spiezle ramped things up with a question: “How many of you date stamp your privacy policies online”?

Many hands went up. He then wondered if those same people provided archives of the old ones. There were fewer hands.

“What good is saying it changed,” he wondered, “without a redline and contextual ways to help people understand what changed and why?”

However, Lauren Gelman, consultant to many start-ups and smaller companies as part of her work heading Blurry Edge Strategies, noted that “redlining” a new privacy policy isn’t as easy as it sounds.

Some companies might be doing a privacy restart, Lauren Gelman argued, and posting some kind of bloody document wouldn’t seem to help very many people.

Further, “A redline might actually be confusing if you’re changing definitions and that’s changing terminology throughout the whole document,” she said. It might be more of a distraction, or even make changes for consumers’ betterment seem nefarious in some way.”

Some companies might be doing a privacy restart, she argued, and posting some kind of bloody document wouldn’t seem to help very many people. However, she agreed, “I think that it’s reasonable if you’re changing the policy you need to tell people what you changed.”

The question is how. Gelman recommended getting the marketing team in early. They’re experts at communicating what the business is doing to constituencies, and are more likely to make privacy policy changes sound like a net positive.

“If you get an email and it just says, ‘We’ve made our processes better,’ and it’s so generic that it’s not actually informative,” that’s not going to be well received, Gelman said. It's more likely you'll be successful in working with the marketing team to describe something that’s actually useful to the customer, and the business should be comfortable with that kind of active reach out.

Kalinda Raina, CPO at LinkedIn, agreed this might be a bit easier at larger companies with larger privacy teams, where privacy has had a chance to work its way deep into the business. There’s also “a disconnect,” she said, “between what’s legally required and what consumers care about.” Avoiding liability by making sure the notice has a set of items in it isn’t necessarily consistent with informing consumers in the way they’d like to be informed.

However, Spiezle countered that it doesn’t have to be as hard as some companies make it out to be. “I think it’s an opportunity for marketing to articulate the value proposition and provide some context,” he said. “I’m finding that hundreds of small companies in the IoT space are saying that redlining is easy and that it makes sense to do that. We’re not talking about pronoun changes, here. People have really embraced it.”

Regardless of what solution your firm comes up with, all of the panelists agreed that efforts to standardize the language in notices have all come up short so far. Companies remain out on their own a bit.

Perhaps that FTC workshop moved the needle?