DIY privacy policies

Legal blogger Eric Goldman posted something provocative this week about privacy policies - provocative to lawyers, anyway.

He suggests you now have to be a bona fide privacy law expert in order to draft privacy policies for clients:

"Unlike the good ol' days, the average competent lawyer--and even the sophisticated cyberlawyer who dabbles with privacy issues--may be unintentionally treading towards the malpractice line given the number and complexity of the applicable laws and technology."

It's going to take me a couple cycles to figure out what I think of Eric's position.

WwdixonIn the meantime - or by way of turning one cycle - I want to express a contrarian view about when it is preferable to engage no lawyer, not even the most expensive from the biggest firm who practices nothing besides privacy law.

You are better off having your CTO, a product manager or VP of marketing punch out some common sense bullet points about how your service collects, uses and protects (or doesn't) personal information, than putting any lawyer to the task without giving her access to service specs, engineers or the product roadmap.

That is a very long way of expressing the first principle we covered in yesterday's post about Path, Facebook and Twitter: your privacy policy should describe, not aspirations, but what your company actually does with personal information.

Drawing: W.W. Dixon, Lawyer, Butte, MT, image taken from p 35 of Cartoons and Caricatures of Men in Montana (1907) by E.A. Thomson / Butte-Silver Bow Public Library / Flickr.


blog comments powered by Disqus