How to write a good privacy policy: lessons from the Article 29 WP

At the beginning of 2012, Google announced that it would be adopting one single privacy policy across all of its various services. Immediately, the EU data protection authorities launched an investigation to assess the compliance of Google’s privacy policy with the European Data Protection legislation.

The Article 29 Working Party (WP29) (European data protection authorities), has just released its recommendations to Google on how to comply with its legislation. They are proposing that in order to comply with EU data protection laws, privacy policies should be easier to find and understand, as well as include an exhaustive list of the type information being processed. These guidelines are not mandatory. Still, they are interesting in the sense that the industry will welcome additional practical guidance on how to draft and implement good policies. Also, these guidelines can be relevant for any organization, not just Google.

What are these recommendations?

Some of the WP29 recommendations did not come with much surprise. For instance, it is recommended that a privacy policy should:

  • be immediately visible and accessible from each service landing page
  • provide an address at which users can contact the company to exercise their rights (such as access rights, etc.)
  • have clear, unambiguous and comprehensive information regarding the type of information being processed (or “collected, used and disclosed” for Canadians)

One interesting recommendation provides that in the event that the privacy policy is too long, the policy should be personalized for the user, showing the authenticated user only what is relevant. For instance, upon a user using a specific service, the user should be able to have access to a shorter and more specific policy which would be relevant only for the specific service used.

Link to the: WP29 cover letter.

Link to the: WP29 guidelines for Google’s privacy policy.

 

This content has been updated on July 6, 2015 at 20 h 39 min.