Graeme Johnston / 6 March 2022
A personal obsession over recent years has been to understand more about what Shoshana Zuboff aptly calls “surveillance capitalism” and to avoid contributing to the problematic aspects of this while still running a modern technology business. Not easy, sometimes.
As a small part of this, we have over recent months rewritten our privacy notice. We published the new one a few days ago.
In case it helps others, I want to use this blog to explain how we approached the topic.
The first thing to say is that I find the area really difficult –
- the law is complicated and often so open to interpretation on crucial points that it seems to be a running joke among professionals specialising in the area that nobody is really compliant;
- the technology doesn’t make it easy (as a really simple illustration, did you know that using Google Fonts on your website in its default set-up has this impact on privacy?);
- there is a fundamental tension between the practices of the leading US tech providers we use and the expectations of UK and EU law;
- assessing the interaction of all that and turning it into an appropriate, clearly-expressed approach is anything but trivial.
Those issues are, at least, quite widely discussed and acknowledged.
Further points which we have a view on, but on which I don’t think there’s consensus, are:
- most people don’t read more than a few words (if that) when it comes to privacy documentation (e.g. privacy notices and cookie banners), let alone understand the full implications;
- we therefore think that notions of consent (let alone informed consent) ought to be approached with great caution if doing anything that goes beyond normal people’s expectations of what’s appropriate;
- this leads us to think that the onus is heavily on us to be substantively reasonable and respectful of people’s privacy and time – and that this is even more important than communicating well about it – though that matters as well;
- for people casually browsing our website, our view is that we just shouldn’t use cookies or track people in other ways;
- for other, more meaningful engagements with people (e.g. sales, job applications, using our product) we obviously will be using personal information, but should do so in ways that are substantively reasonable as well as lawful – and we shouldn’t be “pushing the boundaries” of normal people’s expectations by including subtle or tricksy language in our privacy documentation;
- the privacy notice should be as well fitted as we can make it to the needs of a busy person who’s likely unwilling to devote significant time to such a topic – so, the order in which information is presented and the rapidity with which the key points can be grasped are key;
- succinctness and layout (e.g. ordering; layering; headlines, not just headings; tables, not just prose) are at least as important as vocabulary and syntax – “clear but too long” is a serious problem with modern notices and legal terms;
- although a pleasant modern layout is helpful, it’s fundamentally a boring but important topic, so we should be alive to the danger of distraction in making it too graphical or cutesy;
- the aims, in short, are to be substantively decent about this and to communicate it in an easy-to-grasp and accurate way.
Anyway, here it is. The annotated image talks you through the thinking on some points.
If you find this useful, feel free to use elements or take inspiration from it for your own purposes. We won’t assert any copyright or other IP in it, but bear in mind that:
- It’s a first release – I’m sure we can and will improve it over time (suggestions welcome!)
- What you do will certainly vary from what we do – real effort is required to ensure that the substance of what you’re doing matches what’s described in the notice.
- It’s desirable to have some specialist help – I’m personally quite interested in the relevant tech, and in privacy law, and in writing and design, but wouldn’t call myself a specialist in any of these. I know enough to know how little I really know about these topics. Suffice it to say that we obtained excellent specialist help from a highly experienced independent data protection adviser outside our company, and that the final product also benefited from the work of the people who lead on engineering, design, security and compliance within our company. It’s been a team effort.