Turbocharging your privacy policies: maximising their effectiveness

In a world where attention spans are shrinking daily, how do you get your customers to read, let alone understand, your privacy policies? In this article - the second in a series of three - we set out some handy tips how.

In our previous article we discussed the recent draft guidelines from the European Data Protection Board on data protection by design and by default.

However, this isn’t the only guidance that is available to businesses. There’s plenty more (free) information out there which you can use to minimise risk and, all being well, gain a competitive advantage.

For example, earlier in the summer the Behavioural Insights Team (the government’s ex-‘Nudge Unit’) published a report on techniques for improving understanding of privacy policies: Improving consumer understanding of contractual terms and privacy policies: evidence-based actions for businesses. Since then, it seems to have fallen under the radar. (Perhaps publishing such handy stuff so close to the schools breaking up didn’t help?)

More’s the pity, as this report highlights various ‘low-cost, practical and scalable’ solutions to make policies better understood and more accessible to customers, giving them the ability to make informed decisions about how their data is used.

Frankly, it deserves to be better known.

The report sets out a number of simple or relatively simple techniques that can be implemented—without much fuss—to improve understanding:

• display key terms as FAQs (this improved understanding by 36%). You could, for example, add a question ‘what do you do with my data?’ at the checkout and then link to your privacy policy;
• use icons to illustrate key matters (improvement of 34%). The GDPR itself refers to the use of ‘standardised icons’ and, although none have yet been formally created, the ICO says, ‘you can still use icons effectively in the meantime’;
• show customers the policy in a scrollable text box instead of requiring a click to view it (improvement of 26%). That said, the ICO tends to favour a layered approach which typically requires clicking on text. This report says this slightly decreased understanding. Ultimately you should look to use whatever works best for your customers by road-testing your privacy policies, say by using a customer panel;
• provide information in short chunks at the right time (improvement of 9%). As the Team suggests, ‘use pop-up notifications or comments to the side of forms’. It adds that using such ‘just in time’ explanations, ‘improve customers’ understanding of how the terms or privacy policy affect them’;
• use illustrations and comics (improvement of 24%). Designing such comics can be resource-intensive so the Team also suggests using less expensive methods, such as black-and-white comics, stick figure illustrations and infographics.

The report then goes on to specify a number of techniques to encourage customers to open privacy policies:

• tell customers how long it will take to read the policy (this increased the number of people opening a policy by 105%). This is a massive change! By simply adding, ‘our privacy policy takes less than [x] minutes to read’ you can double customers’ engagement with it;
• tell customers when it is their last chance to read information before they make a decision (improvement of 41%), eg, ‘this is your last chance to read our privacy policy before signing up’.

The report then discusses what doesn’t work so well.

It is well worth perusing this section too so you can consider carefully whether you want to do any of the following:

• presenting key points in a summary table. This often means that customers then don’t look at the full policy;
• adding examples and icons to the full policy. This seems to ‘decease customers’ engagement’ with the rest of the policy;
• shortening the policy. Understanding is typically not increased;
• simplifying your policy. While this looks against the current direction of travel to present information in plain English, this is a bit more nuanced than it first seems. As the report notes, ‘we recommend testing comprehension, rather than assuming that simplifying a piece of writing will make it easier to understand’.

Finally, the report lists the ‘no no’s: techniques that, in its research, don’t work:

• making summaries expandable where customers click each summary point for more information. The upshot of this? Decreased understanding;
• adding emojis to policies. This seems to makes no difference;
• allowing customers to make choices related to the policies while reading them. This doesn’t help comprehension. It seems that if you have a privacy dashboard, this should be separate from your privacy policy.

The report concludes by saying, ‘human (and customer) behaviour is complicated and context-dependent. Trying to change customer behaviour requires care and consideration’.

This means that you should test how well your customer understands your privacy policy and make any necessary changes.

Individuals have the right to be informed about the collection and use of their personal data, at the point it is collected. Privacy notices are the typical way to inform customers and are therefore a key compliance tool for businesses to work towards GDPR compliance.

Getting this right helps you manage risk, stay compliant and have better informed and (all being well) happier customers. As the report says, ‘Better informing your customers can prevent complaints, disputes, and risks to your businesses’ reputation’.

In the next (and final) article in this series on privacy policies we’ll set out how you can out them into the context of your business.