Simplify for Success - Conversation with Lewis Eisen
Lewis Eisen was on #SimplifyForSuccess, a podcast series presented by Meru Data and hosted by Priya Keshav.
Lewis delved deep into the topic of understanding privacy policies. He further spoke about what organizations can do to improve their policy drafting, in light of the forthcoming regulations. Thank you to Fesliyan Studios for the background music.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Transcript:
Priya Keshav:
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment. We've invited a few colleagues in data and information governance space to share their strategies and approaches for simplification. Our guest today is Lewis Eisen, and we will be talking about privacy policies. The New York Times had reviewed readability and understandability of privacy policies of major companies. They observed the complexity in most policies exceeded the complexity of college textbooks or legal or medical documents. This might not come as a surprise to anyone. We've all seen policies that are too long, were not simple and filled with legal and technical jargon. The GDPR and other privacy regulations have required policies to be written in clear and plain language. Companies are making efforts to be responsive to these requirements. Our podcast today will discuss how policies can be written to enhance readability and simplicity. Lewis is a policy drafting expert, international bestselling author, and I'm sure it will be a great conversation with Lewis today. Hi Lewis, welcome to the show.
Lewis S. Eisen:
Thank you, Priya. How are you?
Priya Keshav:
I am good, and I'm very excited to have you on the show today to talk a little bit about privacy policies or notices and just get your perspectives on what you think and how it can be more useful, friendly. But maybe we should just get started with the name itself. Is it really a policy or a notice? I mean, I know everybody, if you go to their website, kind of says policy. But is there a difference between the two? Does the name matter?
Lewis S. Eisen:
No, actually there is a difference, and the fact that people confusingly call it a policy is a symptom of what they confusingly call generally policies in their office. So there's a difference between a document that you've approved that sets out the decisions you have made in your office about what you do, that's your policy, and another document that explains to people what they need to know about a subject, that's a notice. So most people, when they write policies, generally they write this policy and they put everything in the kitchen sink into it so that everybody understands every little piece of information. But that's not really the policy, that's the manual, if you like. So when it comes to privacy policies, there are two separate documents. There is a privacy policy, which is an internal document that you write where you add to whatever legislative requirements are required and set out the decisions you need to make. And then there's a privacy notice, which is an external document where you explain to the world what their, say, rights, obligations, what happens when they interact with your site when it comes to privacy of their information.
Priya Keshav:
Now you bring up a really good point, and I think I was reading something that I was intrigued about as well. Which is, some of them, yes, they have a notice and they call that a policy. But then I've also seen versions of it where somebody has sort of mixed their privacy notices with the terms and conditions for terms of service, because it would kind of say, at the end of it, ask somebody to say I agree and acknowledge, and make it more of an agreement as opposed to a notice. And this person who had written this article was talking about a terms and conditions and differentiating between terms and conditions and policies or notices. I'm confusing it again. And differentiating between terms and conditions and notices by saying that when you have a terms and condition, it's a contract that both of us agreed to and those conditions you have to abide by. But notice, it doesn't mean that you can give a notice to say I do X and do something different, because that can be deceptive, but it's not an agreement. It's more a disclosure, and there's a difference, and there's some level or less liability or protection from not making your notice an agreement by making people sign it. But it just goes back to your comment, right? That's like, maybe we don't think twice before we sort of start putting things, and it makes sense to maybe think that, hey, that way I have ensured that somebody is ready. Then I have a legal document that sort of proves that they have agreed. But then they confuse and sort of make a notice something different.
Lewis S. Eisen:
No, I think you're right, and I think what you're actually highlighting are three different types of documents that an organization would use, and you're also highlighting the role of the legal team in this. So terms and conditions are contractual, absolutely, and the legal team is what helps you with that, and you would set it up in a way that if somebody does not consent to the terms or conditions, they're invited to leave, and by continuing they are deemed to have agreed to the terms and conditions. A policy is a separate document. A policy is a statement of what are the decisions you have made internally about how you are handling things. That's what your policy is. And it isn't, if the legislation requires you, for instance, to collect information A, B and C and secure it, that's not your policy. That's the law. No, it's not your policy to follow the law. Your policy would be something like: this part of our program is managed by the HR group or by the IT group, and so-and-so, the head of this group, is responsible for reporting on it once a year. Those are your policies, how they affect your organization. And then the third document is your explanation to the public. And that's really, that explanation should be in plain language, right? That's a, we see a lot of moves towards plain language. And what happens is people start to get very defensive with it, and so they try and back it up with sort of legalese and make it sort of semi-official, but that's not the purpose for the notice. The notice is, just as you say, it's to give people information that they should know about. It's not meant to make a contract.
Priya Keshav:
I'm not sure what prompts a lot of legalese in some of these documents, right? Yes, privacy laws talk about consent, and then they talk about disclosure, and of course consent can be implied by the fact that you've made someone aware of it. They know, and they still chose to do something, either give you some data or do some business with you and through that process gave you some data. Or it can also be more explicit, where they have to either sign some documents or provide something affirmatively, right, or maybe just verbal is enough. But the idea is that the consent needs to be freely given, specific, informed and unambiguous. But the whole idea of, maybe the law requires it, and the fact that you have to get it right, maybe makes it much easier for us to sort of add more legal terms or make it very legalese. That's supposed to 8th grade English.
Lewis S. Eisen:
That's true, but it's also a very defensive attitude. So if we look at what we're doing with policy, we're introducing rules for the benefit of our customers. This is for their protection. It's to help them, so we really don't want to be writing these documents in a way that is meant to cover our butts in case something goes wrong. Like, that's not the right approach. That might be the approach for the terms and conditions, because that's your legal side, but in terms of the notice, the notice is not there just in case you get an argument. That's not what it's about. The notice is there to tell people what you're doing, and for most organizations, it's an opportunity to assure people that you are taking their best interests into account.
Priya Keshav:
So it comes back to choice of words, right? So when I say your privacy is very important to us, but then I take a defensive approach to what I document, then I'm not communicating that their privacy is important to them. I'm simply communicating that I am doing this because I'm legally obligated to do this.
Lewis S. Eisen:
I think that's right. I think you're sending that message that, if you're, quote, "your privacy is important to us" and therefore I have to do what the law makes me. Yeah, I agree. I think that's the message you're sending. There's also an interesting point. Somebody actually, I'd love to tell you I made this myself, but somebody brought this to my attention, that when often we write these notices with very good intention, we write them explaining them, and we take them to the lawyers and the lawyers tighten them up. And when I asked the lawyer about it, the answer was, it's because people bring me stuff in pseudo-legalese. So I have to fix it to real legalese. If they didn't do that, if they just wrote the notice like they were communicating with the public, I wouldn't have an issue. It's interesting.
Priya Keshav:
I never thought of that, but that makes sense. No, that makes sense, right? Like, because you've got, if you write it into the legalese, you have sort of made it complicated for the lawyer to not fix it, correct?
Lewis S. Eisen:
That's basically right. You're inviting that piece of the puzzle to come in where it, and the lawyer has his own piece of the puzzle, which is the terms and conditions. And this is an opportunity for us, I think, to show that we are, not just show that we're following the law, 'cause I think people expect us to be good core, but to state we actually do care about people's privacy. And one other area, Priya, and I'm sure you encounter this a lot, that legal privacy is around today as a result of ethical issues around privacy, which were raised a few years back, right? So for a long time when privacy issues came up, they were ethical issues, and 'cause the law didn't require it, we had this enormous disparity in the way people treated the information. So now laws require certain things and we have more conformity, but there are still ethical issues that you may deal with. So you as an organization may choose to take a position with respect to certain information or with respect to handling information that is above and beyond what the law requires. And that's the kind of thing you can put in your notice.
Priya Keshav:
Is it maybe because I have, I mean, there are many ways to kind of look at this, right? So I'm probably going to just blurt out all my thoughts on it. It might not be well organized, but part of it is I am explaining something very complex and maybe lengthy, because there's so many things that are happening. And so I don't know how to put it all in paper in a very nice, easy fashion. So I complicate it by trying to kind of be defensive where I have maybe simplified it with big lease. That's one scenario. The other could be that maybe I'm afraid, like, for example, let's say I'm collecting some data and I'm just afraid that if I told you I'm collecting data like the way I'm supposed to, maybe you will not share it with me, so I presume that you won't, and so I am more defensive with my posture. Or thought it just might be just not intentional at all, but a the case. It seems like part of it is one of the three scenarios why we don't end up with notices that are easy to use.
Lewis S. Eisen:
Yeah, I think that makes sense from the notice. One of the things, I guess, one of the attributes that people seem to think is important is comprehensiveness, and as I said, throwing everything in there and the kitchen sink. I mean, you want your contracts to be comprehensive, but your notice is directed to your audience. So part of that is your assessment about the sophistication of your audience and how much detail do they really need. And I'm sure you've seen, as I have, a number of sites where they actually have sort of two levels of notice: a very general, light, fluffy notice with "would you like more information? Here's where you can dig deep." You've probably seen some of those, no?
Priya Keshav:
Yes, I have. Yep.
Lewis S. Eisen:
So that to me answers the "do we know our audience" question, and that's an appropriate approach to take with your notices, 'cause your notices are reader focused. Your policies, on the other hand, those are internal documents. They're not meant to be written and shown to the world at large. That's not what they're for.
Priya Keshav:
So what do you think about the tone and the choice of words, like using double negatives? Or, sometimes I observed, but I'm no expert at this, but sometimes I read documents and I can follow what I'm saying in my, I can obviously, my attention, it stays with the document because of the choice of words. And then the same topic, I'm reading another document and I seem to sort of zone out in a couple of words because of just the way the document is written. So I know the tone and the voice and the choice of words make a big difference in terms of how people feel or being able to kind of understand the subject matter that is being discussed in that particular article.
Lewis S. Eisen:
Right, so I mean it's a good point. I think the tone of the notice particularly, which is what we're looking at here, has to be helpful, right, not defensive. And one of the, uh, a very simple example might be something that says, you've got a notice, says "do not put your Social Security number in communications." Well, that's a very instructive command, but it's not particularly helpful. So if you wanted to be helpful, you would say something like, "We can't protect your Social Security number if you put it in communications. We advise you not to do it." I mean, that to me sounds like you're more interested in helping them.
Priya Keshav:
Makes sense. Any thoughts on choice of using double negatives?
Lewis S. Eisen:
I'm always a proponent of positive. Sometimes we have to ask people not to do things. So I tend to like words like "please refrain from" or "avoid this." And if you use those words, you can, "refrain from sending personal information" tells you that we have a negative thing that we're asking you to be aware and not do. That's what those words mean, avoid and refrain. I generally think language should be in the positive, because heavy negatives in a text have a subconscious impact on the reader and it makes you look inflexible. "We not this" and "don't do this" and "can't do this" and "this is not allowed." It makes you sound like you don't care, you're just inflexible. You don't care about accommodating. And I think when you ask people, you ask the companies, are you willing to accommodate, they said, absolutely, we're here to help. We really do want to help our customers. But your language didn't sound like that. Because of all those negatives you have, it sounded like you're just putting up a defensive posture.
Priya Keshav:
Makes sense, I think. Pretty much everybody is thinking about revising their policy because of all the new laws that are going to go into effect in 2023. But this has been an area where almost nobody would kind of ever say, hey, my privacy policy looks good. They feel like there's a lot of room for improvement. And part of it, when I say privacy policy, I should be saying privacy notice, part of it is it's lengthy. There is a lot of fear in terms of, if you don't provide all the details, somehow you look like you haven't complied, because there is a need to disclose and you're talking about some very complex things. What happens to the data from the time it is collected, which includes what is being collected, all the way till it is kind of gone from your system, which can be a lot of detail to put into it. So you have some very, very good advice in terms of trying to sort of stay simple. Try to have a simple structure, where I really like the idea of being it to, where you have a high level one and then you're able to drill down into the details. That makes sense to me. And the other I like a lot is making it contextual. I know it's sometimes difficult to make it contextual, but it is much easier for me to understand. If you are going to collect my health data for, or even my phone, when they put all of the different privacy options in one place, I'm just overwhelmed with the number of buttons. I mean, at some point I'm tired because there's 50 choices that even Apple asks me, and then I'm like, maybe the first five I pay attention, and then after that I start selecting something so that I can get out of it. But whereas if, as I'm trying to do something, it prompts me with the right kind of message telling me, hey, this is what I'm collecting from you, do you want me to collect it? That makes sense.
And also you don't know the other aspect of it, right? Like, I mean, I always encounter this, especially with my phones, which is, I've maybe turned off geolocation tracking. I've turned off a whole bunch of things because I want to be privacy conscious. But what I forgot is what I'm losing as a result of me turning off. Maybe my Google Maps doesn't work anymore, which means I couldn't possibly ask for directions to any location because it doesn't know where I am. And so then I'm trying to kind of figure out how to turn it on and I have no way how to. I mean, at least some of this used to be true. I think it's improving quite a bit. But then I'm trying to go back to the privacy choices and then start looking at, OK, what did I turn off and how do I turn this on? And if I turn it on, is it for everything or is it just one thing? It's just all the complexity that goes with it that just makes the notice a lot more difficult on both sides.
Lewis S. Eisen:
I agree. You're raising two separate issues that are intertwined here, but I wonder if I can focus on them separately for a moment.
Priya Keshav:
I know.
Lewis S. Eisen:
First is option fatigue, if I can call it. You talked about having so many options to choose from, and that when you have to do it in one fell swoop you get overwhelmed, right? Open, here are the 50 privacy options you get to choose, and please set all this configuration now, and then we go forward. Absolutely, very overwhelming. But you did talk earlier about the policy stuff being contextual, and I think that is key. What amazes me is the number of sites I go to that have this privacy notice about how they're going to handle my information and they're not going to sell it, et cetera. But when I look at the site, they don't actually collect information. Not much. They're just putting a notice up 'cause, like, they borrowed it from the site down the street. And I just had my own website done recently, actually, and to my surprise they threw a privacy notice up there that I had no input on, and their answer was, oh, we give everybody this privacy notice. That's pretty useless. OK, that doesn't help. So the privacy notice does have to be contextual, both to what you're doing and to the interaction that the client is having. And at the moment you are asked to give a particular piece of information, I think that's fair, and at that point to tell them how this information will be used. I defer to people with your expertise about how to approach the questions of aggregation and masking, because even though any individual piece of information you might be willing to give, when you supply it in bulk, it might be enough to identify you. Right, so I don't know the best way to set that up, to set up the context so it's both clear, uh, but makes sense for the benefit for the site, so I always defer to people like you for that.
How, as we move forward, I think that it's probably fair that, they like to say, a lot of people will just say, yeah, fine, just collect the info, and a lot of people said I want to do anything, and they lead, they take an all or nothing approach. But part of this is knowing your audience. And I guess knowing your audience and having some respect, appreciation for the privacy requirements around the different types of information they'll give you. If you were to take a site like a book selling site, or bookstore or something, where they're keeping track of the most popular books, we keep track of that information, but we can anonymize it. Right, so even a little statement on that page that says something like, when you choose this, we let people know, but it's anonymized. Something to that effect. It doesn't need to be one whole page with everything in it.
Priya Keshav:
No, I absolutely agree. So we couldn't talk about notice without talking about, you brought up some really good thoughts, right? So the whole fatigue, and also choices. And obviously we've been talking with you with respect to the intention of the corporation being that we do want, and to make sure that we're doing the right things, which is, most of us want our customers to know what we do, and we care about how we're handling the data, and we care about the fact that they need to understand and they accept it, because end of the day most corporations pretty much believe that customer is the focus. But sometimes maybe, when you see some of the choices, I would kind of go to the cookies as a great example, and consent as a great example, right, where if you kind of saw the first versions of them, they pretty much came with the accept all button with no choices for a reject all, or if you had to kind of do the reject all you had to go select a whole bunch of options, and at some point you don't know what they're doing. And obviously there was something that was called by many people or the regulators as dark patterns, and there was a need to sort of add the reject all at the same level as accept all. But I'm using this as an example to kind of talk about the policy too, right? Which is that maybe some of it is based on the fact that if I gave you a reject all, maybe many people will choose the reject all. So I don't want to kind of provide that as an easy option for people to choose. Instead, I want to talk about the benefits of letting me collect your data, which maybe influences some of my decisions around how I draft my notice. But in some ways I'm kind of assuming the worst of my customers, whereas the opposite should be true.
Lewis S. Eisen:
Well, I think you actually, the way you just worded that is right, to talk about the benefits of collecting my data. Absolutely, I would like to know what are the benefits of you collecting my data. And I can't overstate the simplicity. I was at one site where their privacy notice was a single line. It said, "We do not sell your data, period. Ever, period. Any of it." That was it. That was the privacy notice. OK, this tells me something about the values of that organization, how important it is to them that they make sure, by reducing it to just that single sentence, they wanted to make sure that it would be drawn to my attention and I would realize that that's part of very core principle for them.
Priya Keshav:
That's also true, right? The better. And sometimes you can say the same thing in a short sentence instead of a big paragraph, and the short sentence is a lot more powerful than the long paragraph that just went on and on about the same thing.
Lewis S. Eisen:
So part of this, the other piece, I guess, you talked a little bit before about saying one thing but doing another. So if one of the approaches about privacy is that we really only ask you for the private information that we need, and let's say we need to know that you're an adult, but we asked you for your full birthdate. Well, we don't need to know your birthday. We only need to know that you're over a certain age. So it's a little incongruous, I think, to make a statement like that, we only ask you for what you need, and yet have questions that elicit far more data than what you need. Asking me for a telephone number. Wouldn't you never call me? I know you're not going to call me.
Priya Keshav:
Makes sense. Any other thoughts on how organizations can improve the privacy notice as they look at drafting a new one to comply with the new regulations?
Lewis S. Eisen:
Yes, one of the things, I know this is an area that you talk about a lot, is privacy by design and developing things right from the beginning with privacy in mind. And I think those are important pieces to add to your notice, because that sends very clear messages to people about your organization's approach to policy. And if you've taken that, kind of like your notice to people, it's not just "I got to tell you what the law says, I have to tell you," it's "I'm going to tell you how we really feel about how much effort we're going to make to protect your information." So where an organization does make efforts with respect to deliberate privacy by design with their apps or their program, they should be putting that up front in their notice.
Priya Keshav:
I like that, right. I've in fact enjoyed reading some privacy notices that start with "these are our privacy principles," so these are the principles that we stand for and this is what we're trying to achieve through our privacy program, and here's our notice on how we're kind of upholding the principles that we've stated. So that to me makes sense, right? Because then I'm trying to understand. I mean, I think what you said kind of said the same thing, which is, you need to kind of explain what you are trying to do, and I think the privacy principles, starting your notice with that, makes a lot of sense to me.
Lewis S. Eisen:
Yeah, I think when you put your values on a table like that, you take your cards away from your chest and you show them up on the table. I think you engender a lot more public trust than you do by simply listing off a bunch of legal terms. And I mean, even the way you just described that, and somebody, "here are our principles." What I'm hearing as you describe it isn't just that we care about privacy, see, but we want you to know how much we care, and we're continuing to develop this, and we want to be flexible and accommodating. But, and if we come up with a new principle, we're going to let. And we're going to adjust. Like, you're getting all this messaging in the example that you just gave me.
Priya Keshav:
Yeah, I think so because that shows your heart is in the right place and it shows that you're trying. You're not telling that you're perfect. But you're trying to uphold to what you think is the right standard. Yeah, and I think in the area of privacy I'm going to pull this back to what I mentioned right earlier.
Lewis S. Eisen:
Privacy is one of the children feel like it was born of ethical concerns that bypassed legal concerns. Ethical concerns that got raised to the point where people say this isn't right anymore, we need to make laws about it. But just because we have laws about it doesn't mean that those ethical concerns have gone away. So the notion that we need to do the right thing, and even if the law doesn't require X, if we believe it's the right thing because it protects the privacy, we're going to do that, right? Those ethical messages are just as important now as they were before privacy notices were required.
Priya Keshav:
I can't think of a better way to end this podcast than with that. Thank you so much, Lewis, for your insights. I've enjoyed reading your book.
Lewis S. Eisen:
Now how to write rules that people want to follow?
Priya Keshav:
How to write rules that people want to follow and thank you so much for your insights. And thank you for being part of the show.
Lewis S. Eisen:
Welcome.