4 Tips for Creating a Reader-Friendly Privacy Policy


Have you ever actually, earnestly read a privacy policy?

No? I envy you. They’re pretty dry reading - and besides, most people don’t really feel they have a reason to, until something goes horribly wrong - like the 2017 Equifax data breach (they’re still dealing with the lawsuits).

But if you’re among the unfortunate minority that has, you’ll know that many privacy policies read like a contract. They can be full of technical words, complex sentences, and a bunch of cross-references that need you to scroll back and forth to make sense of everything.


Privacy Policies are Consumer Facing

Ontario’s Personal Information Protection and Electronic Documents Act (PIPEDA) is informed primarily by guiding principles such as accountability, accuracy, openness and accessibility. Precisely none of those principles can be said to exist in your privacy policy if a user can’t even read it without getting a headache.

Keep in mind that unlike a regular commercial contract, a privacy policy requires a user (usually with limited legal knowledge) to unconditionally agree to the terms. If that’s the case, they should at least understand what they’re agreeing to!

If complaints about mishandling user data come up, and your privacy policy is seen as intentionally unhelpful, PIPEDA imposes hefty penalties, not to mention the costs of litigation and the loss of reputation which follow. In sum, a well-written privacy policy is your first line of defence.

Make Your Privacy Policy Reader-Friendly

To that end, we have four tips to help make your privacy policy a more reader-friendly document. None of these tips are, by any means, revolutionary - but the simplest solutions are often overlooked!

1. Use a Table of Contents and Hyperlinks

Even prominent headers can start to blur together in a longer document, particularly when users are frantically whirring mousewheels or swiping screens. In this case, hyperlinking cross-references and technical terms to their definitions, so they are reachable with a single click, is a simple fix. In the same vein, users may appreciate a “Table of Contents” section or nav-bar which lines up with the section headers, allowing them to jump quickly from section to section or page to page. This is particularly useful in longer documents.

This sounds very basic, but the law in many jurisdictions requires visibility of certain actions related to the handling of personal information, for example the identification of “third party processors”. Finding the section of the policy in which these third parties are identified should not be an “Easter Egg Hunt” - so a table of contents and hyperlinks can support quick and easy searching.

2. Create a summary section for the important stuff.

Many websites will start with a notification bar that explains how your information and “cookies” etc. are used. This isn’t just good practice; in many jurisdictions, it’s now also the law. A summary section at the beginning of the privacy policy follows the same best practice and helps the reader understand, in summary form (much like the notification bar), how their information will be used. While this summary may not be required by law, it’s certainly helpful and makes the policy much more readable.

3. Keep It Simple - Avoid Jargon and Complex Sentences

“Keeping it simple” is easier said than done, since certain concepts in privacy are inherently complex, but this step involves presenting each concept as simply as possible without losing its underlying meaning. It’s highly recommended to verify with a lawyer that any simplified language does in fact preserve that meaning.

There are many good examples of privacy policies which are written simply, such as the BBC’s, which you can refer to so that you’re not reinventing the wheel. Of course, it’s up to you (and your counsel) to make sure that any specific policies affecting your business are captured in your own document.

4. Support Your Users by Keeping it Specific - Avoid Vagueness

A bad privacy policy will drone on about things that users don’t care about, like the exact technical process used to back up user data, and gloss over what they actually care about, like what specific data is being collected and sold to third parties, if any.

Consider the case of Unroll.me, an add-on which helped users clean up their inbox by removing unwanted marketing and subscription emails. Their privacy policy simply stated: “We may collect, use, transfer, sell, and disclose non-personal information for any purpose.” What this meant, in practice, was that the company was mining users’ emails for purchase receipts and selling the data (e.g. selling Lyft receipt data to Uber).

To seasoned tech entrepreneurs, that might seem like common practice, but Unroll.me users were left feeling deceived. As such, make sure users understand what data you will be collecting (e.g. what counts as non-personal data) and illustrate, through examples, how it can be used.

Get Started!

You may be interested in checking out a free Sample Privacy Policy which we created, following these tips! There are some nifty tools (like embedded annotations) you can use to better understand, personalize, and download the template.

Having a good privacy policy in place is a great first step, but it isn’t enough to merely have one. There must be measures in place to actually monitor, protect, back-up, and retrieve user data in accordance with your policy and PIPEDA - but that’s where the process crosses from the domain of law into tech.


Want to review your Privacy Policy with our legal team? Book a free scoping call here to get your document up to speed!

Written by Sahil. As Lead Content Analyst at Clausehound, Sahil puts his passion for research and writing, and his Law and Business major to good use developing easy to understand blog content and other eLearning materials for entrepreneurs, law students, and business students alike.