U.S. Should Welcome EU Drive for Short Privacy Notices

Computerworld - U.S. companies should send a big thank-you note to the European Union. Why? The EU is pushing a plan for European businesses to adopt plain privacy notices displayed in a common format. If this idea catches on in the U.S., consumers may start reading privacy policies and making purchasing decisions based on them—particularly online, where U.S. companies dominate.

Earlier this month, the EU's Article 29 Working Party released its "Opinion on More Harmonised Information Provisions" (download PDF).The proposal calls for EU member states to adopt common rules for corporate privacy policies. What do the rules say?

First, privacy notices should be written in plain words, not lawyer language. In poll after poll, more than 75% of consumers say they want this.

Second, companies should display privacy notices in three layers. What the EU calls the "short" layer could be a brief statement posted where space is limited, such as on messages sent to customers via mobile phones or warranty cards. It could say something like, "The information we collect about you here will be used only within this program. View our full privacy policy at XYZCorp.com."

When you click on that privacy policy, you'd see what the EU calls the "condensed" layer, a half-page summary of the main points of the entire policy. The condensed layer would in turn link to the "full" privacy policy, which could be a multipage, exhaustive description of a company's privacy practices.

Why should U.S. companies hope this initiative is successful? Because U.S. legislation and numerous lawsuits have compelled U.S. companies to write the kind of privacy policies customers don't like: multipage tomes written in legalese. When our customers don't read or like our privacy policies, we lose opportunities to build trust and loyalty with them.

A successful EU standard could influence U.S. legislators to revise these mandates for the good of the American citizen.

A few U.S. companies have already started down this path (see story). I examined the top 50 most-visited Web sites in the U.S., and found two—Expedia and Bank of America—that post layered privacy policies. Several others use a top-level list of jump-links or a sidebar menu to help readers navigate the policy. But most remain your typical privacy policy: long and obtuse.

I also asked a group of chief privacy officers and privacy experts for their votes on the most-readable privacy policies online. It didn't take long for us to identify the short list of policies we'd recommend as models for their user-friendly formats (see table).

Why aren't more companies following their lead? The simplest explanation may be a lack of resource priority. It takes time and effort to design a good online privacy policy, and they're still one of the least-read pages on a typical Web site, anyhow. So privacy officers are focusing on other priorities.