Categories: informexplain

Layered Policy Design

Split privacy policies into nested, successively refined versions. Leave the legalese to the lawyers.


Split privacy policies into nested, successively refined versions. Leave the legalese to the lawyers.


A data controller offers detailed, legal explanations of their privacy and data protection policies.


Privacy policies may be difficult to understand and hard to read. What was initially conceived as an instrument to inform users is now almost useless, as they have become riddled with legalese and all sort of extraneous details. As a consequence, users do not read the privacy policies, for being long and cumbersome.

However, privacy policies are legally binding documents, which makes it difficult to get just rid of these legal aspects.


A short notice may provide a summary of the practices that deal with personal data, highlighting those which may not be evident to the data subject. Then, a longer policy may provide specific information, split into sections, detailing any uses of personal data. And finally, the whole legal text of the privacy policy can be specified.

Make users really understand what they can expect about their personal data from a data controller (in terms of which data is managed, for which purposes, etc.)


The use of this pattern fosters simplicity, transparency and choice.

However, two versions of the privacy policies coexist, which may introduce potential contradictions; in particular, the data controller must ensure that updates are performed in parallel and coherently.


See examples at Terms of Service Didn't Read. The average user would take 76 work days to read the privacy policies they encounter each year

[Known Uses]

  • An early example of layered privacy policy by TRUSTe and its mobile version, which are discussed in Pinnick, T. Layered Policy Design. TRUSTe Blog, 2011.
  • There are several sites that use this pattern nowadays, albeit not always with that name. One example is Banksia Villages, which provides a Simplified Privacy Policy as well as an Extended one.
  • It is recommended by British Information's Commissioner Office in its Privacy Notices Code of Practice (p.55)
  • This concept is quite similar to the Creative Commons license layers in the field of copyright management.