You Can’t Copy/Paste Privacy

Ask any young litigation associate in a large law firm what the most important skill they learned in their first few years practicing was, and the honest ones will say “Control-c, Control-v.”  Yes, Copy-and-Paste activities occupy an enormous portion of young associates’ time, for a number of reasons.  They’re risk averse, so they want to find language that partners or judges have seen, and approved, before.  They’re not great writers yet (if they ever will be), and so they don’t feel the need to improve on pre-existing formats.  But mostly, they’re absolutely exhausted, strung out, near collapse, and just need to get this brief to the partner so they can go home by 3:00am tonight.

[Image: tired lawyer GIF] Being a lawyer is fun!

Yes, yes, I know – the partners are supposed to supervise and the clerks will spot plagiarism and the judges want original arguments.  All of those things are true, except they are also not true in the least.  Partners are under their own time crunch — part of the needless, endless cycle of billable hours that is crushing the profession — clerks are, typically, 26 years old and have never so much as argued a motion in court, and the judges have so many cases to review they aren’t going to notice (or even mind) repetition.  Following a formula, for lawyers, is safety: if it worked before, it’s probably not malpractice now.

Which is why the vast, vast majority of legal documents produced by law firms in the privacy space look alike.  They follow a pattern, a rubric, and they stick to it as long as it works and is not flatly rejected by a regulator.  I’m not criticizing – sometimes, it really does make sense to use a formatted approach, because, for example, that’s what CNIL, the French Data Protection Authority, has asked for, or because, to be PCI compliant, you have to submit certain materials in a certain way.  It’s not per se wrong for a lawyer to follow a rubric.  You just have to make sure they’re not simply filling in the blanks that someone else left for them.

Privacy Bot, Esq.

And that is precisely where privacy lawyers and businesses trying to start privacy regimes start to run into trouble, because there is a lot of thoughtless copying going on.  How can I possibly know?  Consider the App Privacy Policy Generator.  As you can probably guess, this is a macro that allows you to enter a few details about your company and get a “custom” privacy policy in return.  Rather than going through the process of having counsel sit down with stakeholders from the company, you literally hit a few keys and then you’re ready to go.

[Image: “tada” GIF] What could possibly go wrong?

There is a portion of the generated policy that stays the same regardless of any other inputs, which is to say that, no matter the other details you enter, the following language will always be the same:

This page is used to inform visitors regarding my policies with the collection, use, and disclosure of Personal Information if anyone decided to use my Service.  If you choose to use my Service, then you agree to the collection and use of information in relation to this policy. The Personal Information that I collect is used for providing and improving the Service.

Without passing judgment, I’ll say that there are some issues with this language from a GDPR perspective.  For instance, it provides only vague explanations of why data is collected (“improving the Service” is basically meaningless) and it relies on the highly-disfavored “by using the site you agree to everything” rubric.  In short, even without addressing the rest of the auto-generated privacy policy from the site, there are some serious questions about this privacy policy from a regulatory perspective.


That’s not great news for the many businesses currently using this auto-generated policy for themselves.  We checked: that exact language appears all over the Web, in that precise form, which means tens of thousands of businesses simply copied the policy without making changes to crucial language about consent and the purposes of their data collection.  Presumably, their thinking was that there is strength in numbers, and that as long as they have any privacy policy, they are covered, or that by following someone else’s lead, they could shift blame if need be.

[Image: “stop copying me” GIF] Bow hates the blame game.

The Times Have Changed

The problem with that kind of thinking is that it reflects an approach to privacy that is, at best, two decades old.  In the last years of the 20th century, the proliferation of websites, FTC enforcement actions, and the EU’s Data Protection Directive — the direct predecessor of the GDPR — made privacy policies essential.  A few enterprising lawyers devised a policy that covered a few points, and you let me know if this rings a bell:

  • We collect data to provide services to you.  By using this site you agree to our collection of data.
  • We place cookies.  Cookies are small text files that help us track your preferences.  By using this site you agree to our placement of cookies.
  • We don’t intentionally target children under 13.  By using this site you represent that you are of legal age.

Yes, I know it sounds familiar: it was the privacy policy of every website you ever saw prior to May 25, 2018.  It’s also familiar because, if you look at the privacy policies from the policy-generator bot up above, they’re remarkably similar.  In other words, we’re still thinking about privacy in terms that were acceptable twenty years ago, even if the rest of the Internet has changed entirely.

[Image: old Internet GIF] I do kind of miss the modem noises.

We can’t simply copy and paste the framework from an entirely different Internet and expect it to suffice today.  For one thing, the Data Protection Authorities really do read the privacy policies to see if they pass muster under GDPR – it was Google’s convoluted and (get this) copy-and-pasted privacy policies that prompted CNIL to issue a $57 million fine earlier this year.  And as the public becomes more aware of just how widely their personal data is shared, they are becoming increasingly concerned about being given adequate information.

None of this is to say that you can’t have a template for a privacy policy, or that borrowing terms from exemplars is bad.  Of course it isn’t, and it would be a waste of time to reinvent online privacy disclosures from scratch.  But there is a clear difference between picking and choosing language that works to incorporate into your policies and duplicating an entire document or series of documents.  It’s simply not possible to make the kind of straightforward disclosures and embrace the necessary transparency without an individualized effort.  We can’t copy and paste our way to compliance.

[Image: copy-paste (Ctrl-C) GIF] But he looks so cool doing it though!
