How humane privacy policies should be written (and in compliance with GDPR)

It is a readable PP, but also rather long. I wonder if it can’t be made a bit shorter without weakening it.

On 3rd-parties I found something interesting wrt GDPR… though this article could provide more helpful info, it shows that even when using Google Analytics you have to be very careful to not be in violation:

1 Like

More thoughts about Siempo’s privacy policy.

It seems to me that parts of the privacy policy actually constitute site-usage policy. It would be much better for Siempo’s site users to be provided information on site usage on a separate page–rather than having that language clutter up the privacy policy.

Some sites I’ve visited expressly say they use cookies and that the visitor, by using the site, consents to this.

Maybe Siempo could develop this idea further by articulating its site-usage policy in a clear, friendly way and then refer the visitor to its privacy policy for details.

1 Like

Good point! You read with the eye of a proofreader :slight_smile:

I also noticed an error, a wrong URL:

Any defined terms used but not defined in this Privacy Policy are defined in the Terms of Use located at siempo - Kênh hỗ trợ giải đáp thắc mắc của người chơi.

This points to itself (and siempo.co redirects, so need not be mentioned anymore, maybe).

1 Like

Thanks for this feedback!

We can certainly give the page some design love.

We can certainly work with our lawyers to make some of the language more consumer friendly and still be legally sound, as @aschrijver suggests. Could you share which phrases in particular you found inhibiting?

1 Like

We will consider breaking it out :slight_smile:

1 Like

Happy to help with suggestions; thanks for asking…

Interesting article in Bloomberg:

https://www.bloomberg.com/news/articles/2018-04-20/uber-paypal-face-reckoning-over-opaque-terms-and-conditions

And discussion on HN: https://news.ycombinator.com/item?id=16885000

1 Like

Just found this privacy policy composed by the Center for Plain Language:

Aloha Andrew,

Here are some of the things I found. I put your original language in italics and my suggested revisions in bold.

Any defined terms used but not defined in this Privacy Policy are defined in…
Any terms used but not defined…
Comment: original is not logical.

Except as specifically stated in this Privacy Policy…
Except as stated in this Privacy Policy…
Comment: adverb is not needed.

you may be unable to access certain parts of our Services
you may be unable to access certain Services
Comment: concise language is better.

This helps us serve more relevant content and information.
This helps us provide you with more relevant content and information.
Comment: serve is ambiguous here. Revision provides an object for the verb (you) and clarifies the action and who is benefitting.

We may use subcontractors, vendors, or other third-parties in order to efficiently provide our Services to you (“Service Providers”). Service Providers may provide services including, but are not limited to, providing data hosting and credit card processing services. Some Service Providers will collect information directly from you. Information collected directly from these Service Providers is governed by their privacy policies. You should view the privacy policies of Service Providers before providing information to them.
We may use subcontractors, vendors, or other third parties [hyphen not needed] in order to provide our Services (“Service Providers”). Service Providers may provide services including, but not limited to, providing data hosting and credit card processing services. Some Service Providers will collect information directly from you. Information collected directly by [not from] these Service Providers is governed by their privacy policies. You should review [not view] the privacy policies of Service Providers before providing information to them.

We may disclose Usage Information and aggregated information that cannot be used to personally identify you without restriction.
Comment: curious about what “without restriction” means in this case.

Notwithstanding anything to the contrary in this Privacy Policy, we may disclose or share your Personal Information in order to comply with any court order, law, or legal process, including to respond to any government or regulatory request, or if we believe disclosure is necessary or appropriate to protect the rights, property, or safety Siempo, our customers, or others.
We may disclose or share your Personal Information in order to comply with any court order, law, or legal process; to respond to any government or regulatory request; or to ensure the protection of the rights, property, or safety of Siempo, our customers, or others.
Comment: parallel construction is better in a case like this. Revised language is clearer, stronger, less wordy.

We may disclose your Personal Information in order to enforce or apply our Terms and other agreements, including for billing and collection purposes.
We may disclose your Personal Information to such agencies in order to enforce or apply our Terms and other agreements, including for billing and collection purposes.
Comment: verb needs object.

Disclosed when Collected: For any other purpose, when that purpose is disclosed by us at the time that you provide the Personal Information.
Comment: suggest moving this. It is a general statement that should not be embedded in a list.

We strive to provide you with choices regarding the information you provide to us. We have created mechanisms to provide you with the following control over your information:
We strive to provide you with choices regarding the information you voluntarily share with us. The following mechanisms enable you to have control over your information:
Comment: revision is clearer, stronger. The word provide should not be used as the verb in each main clause because its meaning shifts.

If you do not wish to have your email address used by us to promote our own services or third parties, you may opt-out of receiving to such promotional messages by selecting the “unsubscribe” button as provided on any email communication from us.
If you do not wish to have your email address used by us to promote our Services [capitalize as elsewhere] or those of third parties, you may opt out of receiving such promotional messages by selecting the “unsubscribe” button provided on any email communication from us.
Comment: small errors corrected.

We have implemented measures designed to secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted on the App. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the App.
We have taken measures to secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure. However, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted on the App. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the App.
Comment: this really belongs in a site-usage or terms-of-service page. There is a kind of warning latent in the language that may bother the reader. You don’t want to introduce such a disruption, especially late in the policy.

We operate the App from the United States. If you are located outside of the United States, please be aware that information we collect will be transferred to and processed in the United States. By using the Services, or providing us with any information, you fully understand and unambiguously consent to this transfer,
We operate the App from the United States. If you are located elsewhere, please be aware that information we collect will be transferred to and processed in the United States. By using the Services, or providing us with any information, you understand and consent to this transfer,
Comment: redundancy doesn’t improve clarity. Language should be clear, simple. Adverbs aren’t needed.

It is our policy to post any changes we make to our Privacy Policy on this page. If we make material changes to how we treat our users’ Personal Information, as determined in our sole discretion, we will notify you by email to the email address specified in your account and/or through a notice on the App. The date the Privacy Policy was last revised is identified at the top of the page.
On this page, we post any changes we make to our Privacy Policy. If we make material changes to how we treat your Personal Information, we will notify you by email to the address specified in your account and/or through a notice on the App. The date the Privacy Policy was last revised is identified at the top of this [not the] page.
Comment: start with important part first, “on this page.”

To ask questions or comment about this Privacy Policy and our privacy practices
To ask questions or comment about this Privacy Policy
Comment: strike practices because it implies there are things that are important but not included in the policy.

2 Likes

My personal home brew privacy policy.

What about lines and cost for access to data like the results of all these surveys?
Line order and time value accounting prices affect the cost and wait for accessing results of survey data for this project. No financial cost is required, but you must spend time to fill out forms and provide more data identifying yourself and your data access reasons and use. You must pay a 100% per minute of data access for any real or augmented human attention minutes. Possibly more if others have overridden the default project data cost of 100% minute match royalties in their personal profile. The cost of your minutes or hours of attention to the data is automatically paid forward to the person or persons who created the data as royalties. If someone looks at your form results to look at data, then you will receive notification and royalties for others who wish to access your consolidated or individual “data access history”. Copying or reproduction of hOEP data is prohibited unless allowed by and payment made to the data creators with a valid receipt specifying prices for verification and enforcement of data theft if needed.

You may change your default data pricing and privacy options in your account setting. And opt out of receiving low value offers to purchase your data at any time. Aggregate statistics and consolidated information may be saved as snapshots, however, most aggregate statistics and consolidated information is re-created on demand using the most current data pricing and privacy decisions of the data providers. So if you mark your data private later, it will be removed from future data summaries and aggregate calculations when possible. Data handling practices and fines for data misuse or misrepresentation are handled by the hOEP internal Time Value Accounting system with jury verdicts for violations of our terms and conditions of access leading to steep re-active adjustments to the prices you paid in minutes for the receipts in which you stole data. We will charge you the back due amount for dishonest data usage and if you knowingly copy data with a price set to (1 million wait line minutes/copied use and attention minute) then you can and probably will be charged up to 1 million wait line minutes for your accidental copying of the data. Fines for theft and fraud attempts are 10 times the value involved and there is a bounty reward for crime spotting of 5 times the value. In addition to hOEP Verification and enforcement of our terms and conditions, you may be liable for other legal and civil penalties and court mediated actions. Link to survey on the HOEP project data access, costs, wait time, and pricing practices.

If you know or suspect someone has accessed your data and survey results in violation of our terms and conditions, complete a 15-minute form detailing your reasons for suspicion after checking your receipts and making sure you didn’t sell the data to them at your specified rate. The form will talk you through the details about time and data to allow us to automatically attempt global receipt inspection to detect and find the violator appropriately. You can also invest additional resources of time and a jury to investigate further at very reasonable prices in hours of your time.

– from the google doc “hOEP (hOurs Equals Price) hacks the pizza line” a crowdsourced hackathon project.

Wow, I can’t thank you enough for applying such a critical (+ grammatical and humane) lens to this! As mentioned, we started with a boilerplate version, so I’m thrilled to get this feedback on how we can make things more crisp, clear and user friendly.

2 Likes

Very happy to help! Thanks for the opportunity :slight_smile:

Hi @andrewmurraydunn, I just found the link in this post that is interesting for PPs for humans:

How can researchers unite?

1 Like

One other policy to look at (the one I’ve spent most time sweating over):
https://wikimediafoundation.org/wiki/Privacy_policy

I find the format and structure of the document helps align people’s thinking about what privacy is and should be for; a good policy is something you are glad to have read, not just a potential minefield you have navigated.

2 Likes

This is excellent. We will draw inspiration from it.

Thanks for sharing this. I was lacking some good examples, but had this in mind for a partner and myself who are putting together a voice skill right now. Our aim is to be compliant, establish a clear legal framing, and most of all be clear to our users what the upshot is since our skill does involve sharing audio with other people.

I’ll add more examples if I can find them.

2 Likes

WordPress’s cookie policy is very good. Sharing in case you folks want to check it out:

Hi @andrewmurraydunn!

I couldn’t help but notice that you have not yet updated your Privacy Policy. I can imagine that with all the activities that come with a young startup company, the PP is not highest on your priority list.

Maybe you’d be helped by using a Privacy Policy generator. A quick search showed that there are multiple choices that can deliver GDPR-compliant PP text. You could try those and maybe the only additional thing that is needed is a quick glance by your lawyer, and you are ready to go.

The site Termly looked promising to me:

Free Privacy Policy Generator (U.S.)

Generate a customized privacy policy for your website, mobile app, and Facebook app. Crafted by attorneys, our software can help you comply with state, federal, and international laws like the GDPR. Create your policy for free, or sign up for a premium account to access even more compliance features and upgrades.

I did not vet the site for how they use the information you provide when generating the PP. Maybe, if you decide to use a PP generator site, you could do that and report your experience to this forum?

Edit: Just tried Termly 6 months after posting this. It is terrible. You go through a complete form with questions about what you track. Then when ready… you have to register with them to get the text.

Thanks for bumping this up. It has been a challenging few months for apps in our space since the Apple/Google announcements, and now Apple cleansing us out of the App Store. We paused operations and had to let people go during this time but are planning on updating the PP once we get up and running again :slight_smile:

Thanks to Nathan Kinch (and @m3me) of Greaterthanlearning I came upon this resource:

Summarizing from their GDPR project:

Nobody reads privacy policies. They are too long and too complex. However, we are constantly asked to declare to “have read and understood the terms”. With the simple click of a button, we may consent to unwanted uses of our personal data. Visual communication can help people to navigate and make sense of cumbersome legal texts. To this end, the General Data Protection Regulation (GDPR) recommends to provide information about data practices in combination with icons. […]

With our project, we aim to provide an answer to these and related questions.

They have developed an icon set (licensed CC-BY-SA-4.0) with which individual sections of GDPR privacy policies can be summarized and communicated in a more clearly understandable format: