ellipsis flag icon-blogicon-check icon-comments icon-email icon-error icon-facebook icon-follow-comment icon-googleicon-hamburger icon-imedia-blog icon-imediaicon-instagramicon-left-arrow icon-linked-in icon-linked icon-linkedin icon-multi-page-view icon-person icon-print icon-right-arrow icon-save icon-searchicon-share-arrow icon-single-page-view icon-tag icon-twitter icon-unfollow icon-upload icon-valid icon-video-play icon-views icon-website icon-youtubelogo-imedia-white logo-imedia logo-mediaWhite review-star thumbs_down thumbs_up

Best practices for a brand's privacy policy

Best practices for a brand's privacy policy Brandt Dainow

This article is about privacy policies, but don't stop reading just yet. My aim here is to change how you think about them, maybe even show you how they can be interesting (really). Your privacy policy is how you communicate to consumers what you do with their data and how you get their buy-in to it. This is rarely considered a part of the online sales or marketing process. Most digital sales and marketing people see a website's privacy policy as irrelevant; it's a small document stashed at the back of the website which is required for legal compliance. We all know that it has to be available for consumers to read, and we all know they never even glance at it. The only people who will bother to read it are conspiracy theorists who think Dan Brown was a whistle-blower, not a fiction writer, and unless we're selling nuclear bunkers or survival kits, those people won't buy from our site anyway. In many cases, the privacy policy was written by the legal department and you have to be a lawyer to understand the terminology. If we're super advanced, we might have a privacy policy which has been translated into understandable language, but that's about the level of sophistication most of us are at.

Best practices for a brand's privacy policy

Big mistake! Just prior to 9/11, online privacy was the No. 1 concern of U.S. citizens. After 9/11, being blown up by a terrorist naturally became a more pressing worry, but online privacy concerns never went away. As terrorist threats have become a regular part of life, online privacy worries have started to resurface. With the revelations about Verizon, PRISM, and the NSA, online privacy is back at the forefront of consumer worries. I've looked into the stats for sites I analyze and found that since the PRISM news broke, the chance of someone abandoning an online purchase after viewing a privacy policy has quadrupled. In other words, people are taking the content of the privacy policy much more seriously. The time on these pages has also tripled, which means (OMG!) people are now reading our privacy policies and reacting to the content! Your privacy policies now have a direct impact on your bottom line.

There seems to be a disconnect between much of the digital marketing fraternity and consumers. For many marketers, this whole irritating privacy/tracking business is only a concern because stupid consumers simply don't understand the benefits of behavioral targeting. Surely if we explain it to them, these morons (our customers) would calm down. The industry solution has therefore been an education campaign, something which various industry bodies have been attempting for years. These "campaigns" have been ineffective and under motivated, uncoordinated and poorly supported. They show nothing like the push or enthusiasm which could be expected of even a mediocre product launch. In fact, they're so dull and uncreative, and it's hard to believe they were the work of marketing professionals at all. Not surprisingly, the result of this "campaign" to allay public fears has been zip. 

Even if the marketing community had made any real effort to educate consumers, it wouldn't have helped. Consumer privacy concerns are not something that can be dealt with by facts because they're not purely intellectual. Consumer privacy concerns are about trust, and trust is based on emotion as much as reason. Anyone who's tried to improve consumer trust knows you'll get nowhere with long intellectual arguments.

Privacy concerns are seen as a burden by marketers because they are not seen as offering any benefit. However, it's perfectly valid to see privacy as part of CRM, as a way of ensuring you gather optimal consumer data while also improving the bottom line. When we do this, we stop thinking about a privacy policy as a static document and start thinking of it as a communications strategy.

Addressing consumer privacy concerns

A good privacy communications strategy is multi-functional; it addresses consumer concerns on multiple levels and produces a range of benefits for the organization in return. There are three levels we need to take into consideration when developing a privacy strategy; the cultural, the emotional, and the intellectual.

Privacy concerns vary from culture to culture. Generally speaking, the more uniform a culture is, the more worried people are about online privacy. The U.S. is considered a multi-cultural society -- much of the population is only a generation or two away from an immigrant, so people are constantly encountering citizens with different cultural backgrounds and norms. The result is that people have to give each other space and tolerate a wide variety of social behavior. Australia, Britain, and Canada have similar cultural make-ups (and tolerance) for the same reason. By contrast, countries like Japan and Germany have a fairly homogenous culture, unaffected by immigration, and expect most people to behave and think in a similar fashion. Multi-cultural societies are much less worried about online privacy than more homogenous ones, though no one is sure exactly why.

Physical crowding also plays a role. The more people are crowded in on each other, the more private they become. Most European or Asian homes would fit inside the typical American kitchen. Imagine the entire U.S. population crowded into Texas. To be invited to someone's home in the U.K. or Germany is a big deal. It's possible to be friends with someone for years in these countries and never see the inside of their home or know anything about their family. People in countries like Australia and the U.S. have more physical space to get distance from each other and so tend to be more psychologically open about their personal lives. As a result, knowing that someone has three children is no big deal in Australia, but can be a violation of personal privacy in Germany.

Concerns also vary according to the type of government. People in countries such as China or Vietnam are not concerned about the government or companies snooping on their data; they know that's happening. However, they are worried about their data being stolen and misused by corrupt officials or criminals, so they're more concerned about safety of the data storage than it being used in advertising. A good privacy policy in China doesn't worry about third party advertising but does go into detail about data encryption. Europeans and Americans also have different attitudes to governments and companies. With a strong socialist tendency, Europeans distrust capitalism and look to their governments to protect them from "evil" corporations. U.S. citizens reverse this, with higher trust in the market than Europeans and a great deal less trust in the government. When Google says "don't be evil" in Europe, most Europeans react with "how can you avoid it -- you're a profit-making company."

Some of these cultural variations are enshrined in national laws. For example, data privacy is a constitutional right in France and Germany. This means French and German people regard personal privacy the way Americans regard freedom of expression. German laws may be the toughest in the world in this respect. It's illegal for a commercial website to use Facebook "like" buttons in much of Germany because of how Facebook handles user data. U.S. companies are forever being prosecuted in Germany for violating German data protection laws. This is more serious than many realize -- Germany may not seek extradition, but U.S. executives have been arrested when passing through German transit lounges and jailed over such cases.

Tips for developing a privacy strategy

If you run multi-national campaigns, or have an international web presence, you need to develop privacy policies that account for these cultural and legal variations. The best solution is not to store all customer data centrally, but to keep it on servers within each country. Problems only arise when customer data is moved from one country to another. The general attitude of both governments and citizens is that data about someone will be handled in accord with the laws and customs of that person's own country, not the country in which the website is situated. T&Cs which state everything is subject to the laws of the U.S., or California, or some other specified jurisdiction, are considered legally meaningless by most courts.

Even though consumers perceive the internet as offering a number of benefits, there is good research to show that the internet magnifies the uncertainties involved with any purchase process, so people believe online purchases are more risky than offline. However, few consumers can state clearly what they are worried about; people just have a general lack of trust regarding what you will do with data about them. 

Building trust is essential online. Trust is one of the major determinants of whether someone will buy from your site. All those compelling product descriptions are worthless if no one believes them. In order to build online trust, you need to cover four bases. First, people need to believe you are telling the truth about your data policies. Next, they need to see that you will keep them safe. This means they need to know what you do with their data won't hurt them. They probably don't know how they could be harmed; they just have a vague fear. Third, they need to know you have the ability to deliver what you promise. Finally, they need to feel that the company behind the website is a generally ethical organization worthy of trust.

You therefore need a privacy policy that takes care of people's emotional processes as well as their intellectual concerns. No one will develop trust in your site unless they can understand the privacy policy. Something written in 50,000 words of legalese is incomprehensible and will only increase distrust. Parking the privacy policy behind a tiny link at the bottom of the page communicates to the consumer that either you don't think their concerns are very important or that you want to hide what you do with their information. 

Examples of privacy communication

The need for an understandable privacy policy means a layered privacy policy is best. A layered privacy policy usually has a summary layer linking to a detailed layer. Microsoft and the U.S. Postal Service websites have examples of layered privacy policies. The summary layer contains simple statements like, "We collect personal information directly from you and your transactions with us" (Postal Service) or "We collect information when you register, sign in and use our sites and services. We also may get information from other companies" (Microsoft). These pages then link to more detailed documents.

The privacy policy on the Skipity website shows how important emotion is and how unimportant the intellectual content is. Skipity uses a layered privacy policy. The top level focuses purely on emotion. It seeks to build trust with humor, plain language, and absolute honesty:

"While most other companies are concerned with protecting your privacy, we care about profiteering and violating it when expedient or useful…You have no privacy with us. If we can use any of your details to legally make a profit, we probably will.  We will track and log everything we can about all the dirty (and clean) things you do…We are serious about all of the above. So don't go trying to sue us later with some nonsense like 'I thought that was all satire.' All your privacy belongs to us. We mean it."

Skipity survives by getting people to register in order to monitor their search patterns, so it has to manage consumer privacy concerns very well in order to survive. It has found that by handling the emotional issues of trust and uncertainty, people will sign up. The intellectual component, what the company actually does with the data, is of no importance provided the company is seen as honest.

Channel4.com's privacy strategy is probably the best in the world and handles both the emotional and intellectual elements of privacy communication extremely well. Channel4.com is the website for the largest commercial TV company in the U.K. It was an early adopter of online streaming and initially offered open usage, but moved to a registered user system a few years ago. It's free to register, but registration is compulsory to access the service. You would expect that switching from open to a registered user system would reduce access, but Channel4 has increased its user base from 2 million to 7 million users since introducing registration. It has achieved this with a best-of-breed privacy strategy which makes the rest of us look like we're stuck in the 1980s.

Channel4 doesn't have a privacy page; it has a "For Viewers" multimedia section. This contains all its subscriber communications, including social media buzz, FAQs, and competitions. Privacy is central in this section, occupying the most prominent link locations, and contains the most content. In addition to a layered privacy policy, it has a page that explains in simple terms why it needs to gather data at all. This includes a video by British chat show host, Alan Carr. The choice of Alan Carr is central to the emotional aspect of the communication. There's no real equivalent in U.S. TV to someone like Alan Carr, who manages to combine youth appeal with all-round family acceptance, but if Robin Williams' Mrs. Doubtfire had her own chat show, she'd come close. The mere presence of Alan Carr in this video will be enough to gain the trust of most U.K. viewers

Privacy communication is controlled at Channel4 by Steve Forde, head of viewer relationship management. Forde told me that privacy communication should be seen as part of an organization's data strategy. The team at Channel4 that handles privacy communication is also the team responsible for gathering viewer data and distributing it to other branches of the organization, such as product development and advertising sales. Forde sees privacy communication as providing the ability to change the relationship with the customer, to improve trust and increase long-term viewer engagement.

Forde put it like this:

"To survive these days you need data about people, but you also need a relationship with them based on mutual trust. We use our own talent to communicate these issues because our talent resonates with our viewers. But you also need to put viewer concerns first and make sure you communicate clearly, in a manner they can understand, how what you do with their data has a benefit to them."

It's useful to contrast Channel4 with CBS. Both TV companies are trying to achieve the same aim and both show signs of serious effort. However, CBS's privacy section only addresses the intellectual  aspects of consumer concerns, not the emotional. While it does use a layered policy and most of it is in plain English, the visual design is tedious while the text is long and detailed. It's spread over literally dozens of pages, with confusing links between different sections and is almost guaranteed to reassure no one.

These three privacy policies show us the extremes in how to handle privacy communication. Skipity focused on the emotional to the exclusion of all else, while CBS ignores the emotions and just worries about getting the intellectual content out. Channel4 covers both with a combination of layered text and reassuring video. Just as importantly, Channel4 doesn't stick privacy behind some insignificant link -- it's the center of the viewer communications section, right next to FAQ's and this week's viewer competitions. This central location reflects the place privacy communications holds within the Channel4 organization. Privacy is seen as a core part of customer understanding and sits at the center of its business intelligence.


You can regard your privacy policy as a hassle or as unimportant -- most people in our line of business do. However, if you're wise, you'll regard it as a really important tool for gaining trust and improving your customer data. In order to make your privacy policy a valuable tool, you need to think of it as a strategy, not a webpage. An effective privacy communications strategy understands the concerns of consumers and how they are influenced by their own cultural background. It recognizes the need to deal with the emotional aspects as much as the intellectual concerns and makes an effort to reach out to people on their level. A properly implemented privacy section can significantly increase your customer intelligence. All it takes is some thought and a little effort.

Privacy policies can be a small hassle or a big asset; it's up to you.

Brandt Dainow is the CEO of ThinkMetrics.

On Twitter? Follow iMedia Connection at @iMediaTweet.

"Businessman protecting with a little black umbrella" image via Shutterstock.


Brandt is an independent web analyst, researcher and academic.  As a web analyst, he specialises in building bespoke (or customised) web analytic reporting systems.  This can range from building a customised report format to creating an...

View full biography


to leave comments.