I was building a wardrobe closet from IKEA the other day
and I realized something remarkable after following the directions, page by
page - and there must have been at least 25 pages of directions. Though the
closet is over 9 feet tall and at least 8 feet wide, with hundreds of screws,
washers, shelves, frames, tracks and bolts, I was able to easily follow the
directions to a successful completion - and I am not very handy, let me say -
without the directions ever containing a single word. Everything, and every
page of instruction, was a simple line drawing.
I began thinking about how other people with no privacy
background, interest or expertise feel when they look at what we do in the
privacy space. That is, how average users of websites and apps feel about the
privacy policies that they come across or, god forbid, ever dare to read. According to a recent study
released by the digital branding firm Siegel+Gale, most users of Facebook and
Google had fundamental gaps in understanding, even after reading the posted privacy
policies, of what the websites were saying in those policies or what they did
with customer information. Think about
what that says about the privacy profession and its ability to communicate a
coherent message!!? Can you imagine any other industry in which its primary user
base or target audience doesn't understand its products? Anyone you know buy a
bicycle and not know how to ride it?
Because privacy policies are difficult to read and understand, readers of those
documents walk away from the policy with no more understanding of what is
happening with their data than when they started. If that is the case, then you,
as the writer of that policy, have failed your customer.
Years ago, the privacy role was taken by the General
Counsel who was typically appointed the Chief Privacy Officer one day because
she had written the privacy policy sometime before. It goes without saying that
the document was probably a bog of legalese; a vague and deliberately obtuse read
that only served to cover the company's metaphorical ass. Then, someone in the
company heard that there was a Chief Security Officer in the building. Eureka! So
now he should also be in charge of security along with privacy. (They are the same
things, no?) That worked out well for a while but then it was soon realized
that the CISO's primary duty is to protect data so that no one gets to it. That
didn't do the marketing folks any good, let alone customers who wanted control
over their own data.
As time has elapsed, consumers have matured, and our
appreciation of the treasure trove that we call our database of customer and
employee data has begun to rise, I believe that the role of the privacy
professional is now converging to a middle ground. The role is moving from the
polar extremes it previously inhabited towards an individual with a skill set
that is a confluence of three core proficiencies: first, an appreciation of the
law, second, respect and understanding of security, and finally, a
practitioner's eye for the use of data and real-world operational understanding
of the business. When a privacy policy is written by someone with this kind of
resume, an average user who reads it will know exactly what the company is
doing with the data they collect and use. Maybe, someday, that privacy policy
will be as easy to follow and understand as the directions for building an IKEA
closet.
Thanks for your suggestion. Well-written article with a lot of helpful information.