
One of the main reasons people don’t read the privacy policy of a website or other online service is that these policies tend to be long, boring, and difficult to understand.

While this seems like the norm for most legal documents, data privacy laws like the General Data Protection Regulation (GDPR) are cracking down on policies that could mislead consumers or fail to properly disclose their data processing practices.

Article 12 of the GDPR states that businesses must disclose how they use people’s personal data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language…”

But what exactly constitutes “clear and plain language” and how does one write in it?

While the GDPR doesn’t provide a concrete definition, the Plain Language Action and Information Network (PLAIN) states that plain language is “communication your audience can understand the first time they read or hear it.” This is crucial, given that most users of a website or app don’t have the patience or motivation to read and re-read your privacy policy.

Using convoluted and vague language could also make your business look intentionally deceptive and even manipulative towards younger internet users.

Regardless of how big or small your business is, we’ve put together some writing tips you can follow to ensure your policy is easy to understand.

How to write in plain language

1. Identify your audience and write for them.

A recent study carried out by The New York Times found that most privacy policies exceed the college reading level, which excludes the majority of internet users from being able to understand what they’re actually agreeing to.

While many privacy policies are written by and for lawyers, you should write with your customers in mind to ensure they are fully informed of what you do with their data and what actions they can take to protect it.

Consider their age and the type of information they share with you. Are they children who need shorter and simpler sentences with lots of illustrative examples, elderly people who aren’t as technologically savvy, or business owners who share a lot of sensitive business data with you?

2. Structure your policy in easily digestible sections.

Now that you’ve identified who your audience is, you can design a privacy policy that addresses their key concerns and helps them take more control over their data. At a minimum, your privacy policy must include a number of legal clauses and disclosures to comply with the GDPR (see our earlier blog post on how to write your own privacy policy).

Instead of writing one huge wall of text, you should divide your policy into clearly labelled sections so readers can jump to the relevant information they need to read about.

To help readers scan your policy quickly and easily, you can use information design elements like bullet points and headings to visually break up your policy’s content.

3. Simplify your sentences and avoid using jargon.

While it’s tempting to fit as much information as possible in one breath, try to keep one key idea or piece of information to one sentence.

To avoid confusing readers with too much legal or technical terminology, try to rephrase words into layman’s terms or provide a simple definition that your audience can understand.

4. Use the active voice and try a conversational tone.

To make your policy more engaging for readers, try to write with a conversational tone and use the active voice.

A sentence that uses the active voice is arranged so that the subject performs the action described, whereas a sentence that uses the passive voice focusses on the object which receives the action. Let’s take an example from Facebook’s Data Policy:

Active voice: You can find additional tools and information in the Facebook settings and Instagram settings.

Passive voice: Additional tools and information can be found in the Facebook settings and Instagram settings.

As you can see from the above examples, sentences that use the active voice tend to be simpler in structure and more engaging for readers.

What is the GDPR?

The GDPR is a set of requirements that certain organisations must comply with to lawfully process the personal data of people based in the European Economic Area (EEA). “Processing” includes actions like the collection, recording, storage, transfer, editing, or disclosure of someone’s personal information.

Given that the GDPR’s key purpose is to give consumers more control over their personal data, businesses are legally required to have a privacy policy that clearly explains their data processing practices to consumers.

Try our privacy policy generator

Writing your privacy policy in clear and plain language is about more than merely complying with the GDPR – it’s another way your business can build trust with your customers. To help you get started, we offer a range of Terms of Service and Privacy Policy templates.

All you need to do is fill out a form about your business and the types of data you collect. From there, you can instantly generate and download the documents you need for your website or app! Create your privacy policy now with GetTerms.io.