What is an acceptable use policy, and when do I need one?
An acceptable use policy (AUP) is a document that explains the ways in which a website, computer network or other online service may and may not be used.
While this seems like the norm for most legal documents, data privacy laws like the General Data Protection Regulation (GDPR) are cracking down on policies that could mislead consumers or fail to properly disclose their data processing practices.
Article 12 of the GDPR states that businesses must disclose how they use people’s personal data in “concise, transparent, intelligible and easily accessible form, using clear and plain language…”
But what exactly constitutes “clear and plain language” and how does one write in it?
Using convoluted and vague language could also make your business look intentionally deceptive and even manipulative towards younger internet users.
Regardless of how big or small your business is, we’ve put together some writing tips you can follow to ensure your policy is easy to understand.
A recent study carried out by The New York Times found that most privacy policies exceed the college reading level, which excludes the majority of internet users from being able to understand what they’re actually agreeing to.
While many privacy policies are written by and for lawyers, you should write with your customers in mind to ensure they are fully informed of what you do with their data and what actions they can take to protect it.
Consider their age and the type of information they share with you. Are they children who need shorter and simpler sentences with lots of illustrative examples, elderly people who aren’t as technologically savvy, or a business owner who shares a lot of sensitive business data with you?
Instead of writing one huge wall of text, you should divide your policy into clearly-labelled sections so readers can jump to the relevant information they need to read about.
To help readers scan your policy quickly and easily, you can use information design elements like bullet points and headings to visually break up your policy’s content.
While it’s tempting to fit as much information as possible in one breath, try to keep one key idea or piece of information to one sentence.
To avoid confusing readers with too much legal or technical terminology, try to rephrase words into layman’s terms or provide a simple definition that your audience can understand.
To make your policy more engaging for readers, try to write with a conversational tone and use the active voice.
A sentence that uses the active voice is arranged so that the subject performs the action described, whereas a sentence that uses the passive voice focusses on the object which receives the action. Let’s take an example from Facebook’s Data Policy:
Active voice: You can find additional tools and information in the Facebook settings and Instagram settings.
Passive voice: Additional tools and information can be found in the Facebook settings and Instagram settings.
As you can see from the above examples, sentences that use the active voice tend to be simpler in structure and more engaging for readers.
The GDPR is a set of requirements that certain organisations must comply with to lawfully process the personal data of people based in the European Economic Area (EEA). “Processing” includes actions like the collection, recording, storage, transfer, editing, or disclosure of someone’s personal information.