Unshakeable Salt

The problem is I’ve got privacy policy fatigue. I’ve read so many recently I can’t remember what’s in each of them. They theoretically should all contain the same content. I should just have to scan down a list of Opt-in and Opt-out check marks, but unfortunately not so. What has happened is that the lawyers, solicitors and marketing people have got involved.

Instead of unity, we now have long reference documents missing the intrinsic content of what the GDPR was supposed to bring. Instead of a transparent list in an easy-to-read format, we now have legal speak trying to mask how companies make a profit from your data.

Now, I changed the Unshakeable Salt privacy policy about 6 weeks back, something I should have done sooner. I only did it this late because I had spent the last few months writing other people's. I wasn’t looking to lead by example, but like many, I’ve been waiting for the best practice advice to surface. This means that I’ve been reading many iterations of many documents since I passed my ITBITQ EU GDPR exams. That’s 16 months of reading very similar documents. I am truly now looking forward to the final hurdle and to recover from this

How to avoid privacy policy fatigue

You should already know how you handle data. Imagine you’ve gone out to a corporate networking event and, having had a few beverages, you find yourself talking to someone who knows nothing about your business or IT. In a slightly tipsy way (I may have undersold the ‘few beverages’), could you describe where your data goes? Who else gets access to a copy, and how will they use it? Imagine describing it in the simplest possible terms to someone who may not be fully capable of taking in or remembering the information as you give it.

The way you describe your services and how you gain consent are not just a requirement of the GDPR but have been legal requirements for more than 20 years. The Privacy and Electronic Communications Regulations (PECR) were born in 2003 and amended in 2004, 2011, 2015 and 2016. The biggest of these changes came in 2011 (back when I was working on one of the UK’s biggest websites that handled medical data). Dubbed ‘the cookie law’ by most people, it went to great lengths to set out how businesses must describe the information they gather and how they must describe its use.

So what is good?

Just The Facts

Sgt Joe Friday from the 1950s cop show Dragnet. Keeping it to just the facts.

Policies are meant to be interpretations of law, readable by all, and not binding contracts understandable only by those in the legal profession.

If you want to avoid your customers experiencing privacy policy fatigue, remember to keep it simple. Give them the basics in a way that they can absorb. To paraphrase Sgt Joe Friday, keep it to “Just the Facts, Ma’am”. Avoid common mistakes like thinking you need something different from your competitors. Don’t think it has to be written in a way that stands alone in a court of law.

Word it in such a way that a 13-year-old can understand it within 30 seconds. If you can’t present it like that, then you’ve probably got the wrong content.


Director of Unshakeable Salt, an Information security specialist who first started contracting in 1997.
