Rethinking privacy policies


Increasingly, I find it very difficult to see the point of overly legalistic privacy policies normally hidden behind a tiny link at the bottom of a webpage. The reason for this increased concern is of course the Protection of Personal Information Bill and the duties which it places on businesses who use (or for that matter just collect or store) personal information.

The Bill does not provide much direct guidance on the content of privacy policies per se. However, many of the bill's obligations such as informing the consumer that personal information is being collected and the purpose for which personal information is required. This means that the emphasis is moving away from indemnifying the business to being transparent and keeping consumers informed.  

What is clear already is that the Bill will occasion a rethink of the way in which privacy policies are written. Luckily we are not the first and we are not alone. The UK's Information Commissioner's Office has issued a code of practice on privacy notices which would be an incredibly good place to start and provides examples of good (and bad) privacy notices. Bearing in mind that POPI resembles the UK Data Protection Act, 1998 this may prove to be a valuable source moving forward.

I was recently confronted with a change in the privacy policy of Linkedin. This is probably the best and most innovative privacy policy (employing multi-media and graphic design elements in a legal document - who would have thought!) that has crossed my path recently. Making use of a pop-up in order to communicate that there has been a change in the policy on a particular date is also something which South African companies (who will all have to change their policies) may want to consider. Read it and weep.  

[As an aside: On 13 May 2013 the ICO indicated that it would be examining 250 privacy policies to establish whether they are in plain language and whether they clearly indicate how personal information will be handled.]