Ask any young litigation associate in a large law firm what the most important skill they learned in their first few years practicing was, and the honest ones will say “Control-c, Control-v.” Yes, Copy-and-Paste activities occupy an enormous portion of young associates’ time, for a number of reasons. They’re risk averse, so they want to find language that partners or judges have seen, and approved, before. They’re not great writers yet (if they ever will be), and so they don’t feel the need to improve on pre-existing formats. But mostly, they’re absolutely exhausted, strung out, near collapse, and just need to get this brief to the partner so they can go home by 3:00am tonight.
Yes, yes, I know – the partners are supposed to supervise and the clerks will spot plagiarism and the judges want original arguments. All of those things are true, except they are also not true in the least. Partners are under their own time crunch — part of the needless, endless cycle of billable hours that is crushing the profession — clerks are, typically, 26 years old and have never so much as argued a motion in court, and the judges have so many cases to review they aren’t going to notice (or even mind) repetition. Following a formula, for lawyers, is safety: if it worked before, it’s probably not malpractice now.
Which is why the vast, vast majority of legal documents produced by law firms in the privacy space look alike. They follow a pattern, a rubric, and they stick to it as long as it works and is not flatly rejected by a regulator. I’m not criticizing – sometimes, it really does make sense to use a formatted approach, because, for example, that’s what CNIL, the French Data Protection Authority has asked for, or because, to be PCI compliant, you have to submit certain materials in a certain way. It’s not per se wrong for a lawyer to follow a rubric. You just have to make sure they’re not simply filling in the blanks that someone else left for them.
Privacy Bot, Esq.
There is a portion of the policy generated that is the same, regardless of how any other inputs, which is to say that, no matter the other details you enter, the following language will always be the same:
This page is used to inform visitors regarding my policies with the collection, use, and disclosure of Personal Information if anyone decided to use my Service. If you choose to use my Service, then you agree to the collection and use of information in relation to this policy. The Personal Information that I collect is used for providing and improving the Service.
The Times Have Changed
The problem with that kind of thinking is that it reflects an approach to privacy that is, at best two decades old. In the last years of the 20th century, the proliferation of websites, FTC enforcement actions, and the EU’s Data Protection Directive — the direct predecessor of the GDPR — made privacy policies essential. A few enterprising lawyers devised a policy that covered a few points, and you let me know if this rings a bell:
- We collect data to provide services to you. By using this site you agree to our collection of data.
- We place cookies. Cookies are small text files that help us track your preferences. By using this site you agree to our placement of cookies.
- We don’t intentionally target children under 13. By using this site you represent that you are of legal age.
We can’t simply copy and paste the framework from an entirely different Internet and expect it to suffice today. For one thing, the Data Protection Authorities really do read the privacy policies to see if they pass muster under GDPR – it was Google’s convoluted and (get this) copy-and-pasted privacy policies that prompted CNIL to issue a $57 million fine earlier this year. And as the public becomes more aware of just how widely their personal data is shared, they are becoming increasingly concerned about being given adequate information.