1. Know thyself, know thy data.
Before drafting a policy, find out what's important to your customers. "Our support team is in regular contact with our user base, so I knew five to six key items I wanted to make sure were addressed," says Steve Hartert, CMO of form builder JotForm in San Francisco. Those include an explicit commitment to privacy, a promise not to sell users' information, and the ability to manage subscriptions "at a micro level. For example, subscribe to our newsletter but opt out of promotional emails," says Hartert.
2. Start smart: write your own draft.
To save on legal fees, generate the first draft of your policy yourself. "We drafted our policy in-house and then asked legal counsel, 'Is there anything we're missing?' " says Case Sosnoff, chief compliance officer for the Chicago brokerage Tastyworks. "That also helps you understand the verbiage, the legality behind it all."
Hartert looked at his competitors' policies and those of similar companies in the E.U., Asia, and Australia. While they may be good models, don't copy them verbatim, says Robert Braun, a partner at Jeffer Mangels Butler & Mitchell in L.A. "No two businesses are exactly alike. There's a reason why you're someone's competitor," he says. To ensure your policy will reflect your unique needs, get input about current and future privacy concerns from your leadership team. "Our vice president of customer operations, our vice president of product, our CTO, and our vice president of finance all collaborated," says Ankur Nagpal, founder and CEO of Teachable, a teaching platform based in New York City. "At the end of the day, the policy will affect all those stakeholders."
3. Put it on paper.
When it comes to reviewing and revising your policy, your lawyer should understand your business intimately. That's why Luke Pulverenti turned to one of his own users when he needed legal advice for Emby, his Cornelius, North Carolina-based media-management app. "Having used the software, knowing how it works, is paramount," says Jeffrey Neu, Pulverenti's attorney. "I actually know what's happening instead of just hearing what an engineer or developer tells me."
Since your policy can have such a broad impact on your company's fortunes, ask the right questions. "Go way beyond their substantive knowledge," says James Beckett, co-founder and CEO of Louisville-based legal, tech, and services consultancy Qualmet Legal. "Ask, 'What's your understanding of business risk? How are you held accountable by other clients?' Have those conversations." When working with counsel, set a maximum budget up front. "No offense to the legal profession, but it's in their best interest to keep the process going as long as possible," Nagpal says. "Getting an upfront quote can save thousands, if not tens of thousands, of dollars."
4. Make privacy a part of your marketing.
You'll be surprised at how powerful a strong stance on privacy can be, says Craig Lurey, co-founder and CTO of Chicago password-management software maker Keeper Security. "Tech users go on the App Store and talk in detail about it," he says. And when everyday users ask their IT geeks for help, Keeper Security's name often comes up.
At Emby, which catalogs and streams customers' media to multiple devices, "users constantly tell us privacy is one of the reasons they choose us," founder Luke Pulverenti says. But don't say you're doing something you're not doing. This may seem obvious, yet a surprising number of privacy policies are inaccurate. "A typical case is, someone will ask me to review their policy, and it will not reflect what they do," says Robert Braun of Jeffer Mangels Butler & Mitchell. If your information-gathering processes have changed over the years, your policy is probably insufficient. Make it a priority to update policies often.