How to Draft a Privacy Policy

Introduction

Today, I’m excited to give you a behind-the-scenes look at how I drafted TortieBear’s first Privacy Policy. Although TortieBear is relatively new, the journey of its Privacy Policy has unfolded over many years, evolving alongside rapid advancements in today’s tech world and the Generative AI Renaissance.

Below is a tale of learning, planning, and dedication to understanding TortieBear’s values that evolved into its Privacy Policy.

TLDR

In this blog, I’ll outline my process for drafting TortieBear’s first Privacy Policy, focusing on creating an operationally efficient document that can evolve with any project. Key motivations for a Privacy Policy include:

  • Legal compliance
  • Building user trust
  • Ensuring transparency in data practices
  • Managing risk
  • Facilitating global operations
  • Empowering users

Disclaimer

I am not a lawyer. This blog shares my journey in crafting a Privacy Policy from technical, ethical, and operational standpoints, not as legal advice. For drafting a legally binding Privacy Policy, I recommend consulting a legal professional.

Process

0. Iteratively Build Up Privacy

Tortiebear.com began with a focus on privacy. From the first line of code, I integrated privacy-focused decisions, like robust encryption in data storage solutions. Ideating on a Privacy Policy early on was part of Building Up Privacy for me - the Privacy Policy is technically Tortiebear’s Project 0!

1. Learning and Research

My Academic Introduction to Data Ethics

My college experience, particularly a course in Data Ethics [1], laid the foundation for my understanding and evangelism of data ethics. This course highlighted the real-world impact of data-driven decisions and the importance of ethical considerations in data governance. Two notable Data Ethics case studies are the Destruction of Charlottesville’s Vinegar Hill [2] and Ivan Illich’s Critique of Paternalism [3]. See the Appendix for more on these case studies!

Research Into Data Privacy Frameworks

I delved into data privacy frameworks like GDPR and CCPA, aiming to understand and implement the most stringent privacy standards.

I find tabular comparisons between frameworks particularly helpful. For instance, in comparing GDPR [4] vs CCPA [5], I tend to lean towards GDPR’s broader definition of Personal Data (“Any information relating to an identified or identifiable individual”).

Comparison Table Example:
  • Scope of Personal Data:
    • GDPR: Broadly defines personal data.
    • CCPA: More specific in scope.
  • User Rights:
    • GDPR: Offers extensive user rights including access, rectification, deletion, and portability.
    • CCPA: Focuses on the right to know, delete, and opt-out of the sale of personal information.
  • Jurisdiction:
    • GDPR: Applicable to all EU residents, regardless of where the data processing occurs.
    • CCPA: Applies to businesses operating in California.

2. Reflection

This ✨creative✨ phase [6] involved brainstorming user touchpoints with TortieBear, recognizing that every user interaction has privacy considerations. I critically assessed Tortiebear features and processes, contemplating the types of data collected and their implications for user privacy.

Reflection Example

For example, in the case of subscribing to the Tortiebear Newsletter, I rigorously questioned the types of data we collect and the reasons behind it. This approach led to identifying core privacy values:

brainstorm =
  Key considerations include:
  - All promotions/paid opportunities will be clearly denoted
  - User email (data) will never be sold
  - The option to unsubscribe from the Newsletter should always be available
  - It is the user's right to know what they are signing up for

Reflection Benefits

This process:

  • Helps prioritize project work related to Privacy
  • Works as a Privacy review, especially for projects with limited resources
  • Aids in understanding of Privacy posture

Reflection Results

The end result of the reflection is:

  • touchpoints: a list of user touchpoints and their relationship with Privacy
  • brainstorm: scribbled brainstorming around core Privacy values as touchpoints are demonstrated

3. Crafting the Privacy Policy: Core Values 🤝 Research

The heart of the drafted Privacy Policy lies in the end result of the Reflection. With these insights and the research in mind, there is enough context to write some Privacy Policy drafts. To be clear, the process culminates with the following context:

  1. knowledge: Any external learning/research done around Privacy
  2. reflection:
    • touchpoints: a list of user touchpoints and their relationship with Privacy
    • brainstorm: scribbled brainstorming around core Privacy values as touchpoints are demonstrated

From here, this knowledge can be synthesized in many ways, including the use of generative AI [7]!

4. Looking Ahead

Because the Privacy Policy and its process are well-defined, the project is better documented and set to scale well.

For example, while currently not engaged in paid promotions, our Privacy Policy anticipates future changes. We commit to maintaining the same integrity and transparency in all our future endeavors.

5. My Invitation to You

I invite you to read Tortiebear’s Privacy Policy. It’s a promise to Tortiebear users and a reflection of TortieBear’s values. Feel free to reach out with any questions or thoughts at paige@tortiebear.com.

Appendix

Footnotes

  1. A Data Ethics course I took in college, led by Associate Professor Gretchen Martinet at UVA, covered a range of topics at the intersection of data use and ethical considerations. The curriculum focused on how data-driven decisions affect individuals and communities, emphasizing the responsibility of data handlers.

  2. Case Study: Destruction of Charlottesville’s Vinegar Hill: This case study highlighted how data-driven urban renewal led to the displacement of a historical Black community, underscoring the societal impact of data decisions. Source: “Urban Renewal and the End of Black Culture in Charlottesville, Virginia” by James Robert Saunders and Renae Nadine Shackelford, published by McFarland, 1998. ISBN: 978-0786404411.

  3. Case Study: Ivan Illich’s Critique of Paternalism: Illich’s work provided insights into the unintended consequences of well-intentioned data policies, teaching the importance of critically examining intentions and impacts in data use. Source: “Deschooling Society” by Ivan Illich, published by Marion Boyars Publishers Ltd, 1971. ISBN: 978-0714508795.

  4. GDPR (General Data Protection Regulation): An EU regulation that sets stringent guidelines for data protection and privacy. It has a broad definition of personal data and emphasizes user consent, rights to access, and rights to be forgotten. Source: “The EU General Data Protection Regulation (GDPR): A Commentary” by Lukas Feiler and Nikolaus Forgó, published by Oxford University Press, 2020. ISBN: 978-0198826491.

  5. CCPA (California Consumer Privacy Act): A California state statute aimed at enhancing privacy rights and consumer protection. While similar to GDPR, it has specific provisions relevant to California residents. Source: “California Consumer Privacy Act (CCPA): An Implementation and Compliance Guide” by Lothar Determann, published by Wolters Kluwer, 2020. ISBN: 978-9403517645.

  6. During the Reflection phase, I deeply explored every user touchpoint with TortieBear. This included examining both product features and project processes, especially in the early stages of the project lifecycle.

  7. In drafting the TortieBear Privacy Policy, I leveraged generative AI tools to assist in the process. These AI tools were used for various purposes, including generating initial drafts based on my Reflection process.