Drafting a Privacy Policy that Works
Brian Igel
We live in an information economy. While many companies have privacy policies and/or terms and conditions on their websites governing how they collect and use personal information, such policies are typically poorly drafted, fail to convey important information, or are simply inaccurate. Class action suits have targeted dozens of companies for alleged failure to communicate what information they collect and why.
Website visitors typically provide information by typing it in the appropriate field and checking a consent box, or taking some similar step, but companies collect much more information without relying on the consumer’s help. Web analytics track consumers as they move from page to page within a site. Cookies store user histories and preferences as a file on the user’s browser. Third-party marketers mine for information about consumers’ habits. Even if the information gathered is not associated with a consumer’s name, privacy concerns may arise. So how can you be sure you’re sending clear messages about privacy and getting truly informed consent?
First, be as clear, concise and transparent as possible. Your privacy policy should not read like a technical manual. While you may have to master terms like “query string,” “web beacon,” and “trace route,” those terms mean nothing to your audience. Also, many of these technical details change so regularly that your privacy policy will be out of date before it’s uploaded to the site.
Second, focus on information the consumer needs to make choices. Try to draft your policy from a “cause and effect” point of view. For example, “if you use the website, then we will collect X. If you create a registered account, we will require Y. If you give us this piece of information, we will share it with Z. If you have a question or complaint, then please contact us here.”
Third, your policy should be written as simply as possible, in plain language. Use common words over advanced vocabulary. Favor short, declarative sentences. Make it easy for the reader to find what he or she is looking for by using headings. If it fits your corporate culture, don’t be afraid to draft the policy in a fun, approachable way. Zynga Inc., the company behind FarmVille, created PrivacyVille. In PrivacyVille, gamers earn points by showing that they understand Zynga’s privacy policy.
Finally, the text of a privacy policy matters, but so, too, does its placement on the website. If the consumer has to follow a link, is the link easy to find? Is the font size large enough?
Best practices and customer expectations will change over time. So too must your privacy policy. Make clear to consumers how you will communicate changes to your privacy policy, and what constitutes their consent to such changes. A privacy policy is a contract, and a contract needs to be written clearly. Good privacy policies all start by knowing what to say, and how to say it. But above all, say it in plain English.