You don’t give all your children the same name. If they’re all named “Dave,” then they’d all come running at the same time when you called.
By the same logic, if you call every document you produce a “Policy,” then you can’t distinguish policies from other document types.
Wrong name for that document.
What I am being asked to consent to are new contractual terms, and I am happy to do that. But those new terms are not a “policy.”
Once I consent, those terms form a binding “contract” between them and me. I consent to those terms the same way I consent to terms when I contract freely with any organization. Documents containing those terms are properly titled “Contract,” “Agreement,” or “Terms and Conditions.”
Paragraph 32 of the GDPR specifies that an
“informed and unambiguous indication of the data subject’s agreement to the processing of personal data”
must be obtained by “controllers and processors” (= the companies that we give it to). It doesn’t specify what the document containing those terms needs to be called.
Let’s not forget the most fundamental distinction in policy writing: the distinction between documents that set the rules and documents that restate them. Policies are the former.
The incorrectly titled “Instagram Data Policy” is not a policy because it doesn’t set the rules; it merely restates them in a way I can understand. The “Data Policy”—if there is one—would be the document that actually establishes those rules, signed off by the higher-ups in the organization.
We know that people get confused when looking at different policy instruments. Failure to distinguish policies from contracts exacerbates the problem. What would be helpful is if we didn’t call a document a “Policy” unless it really is one.
Or we could just call all our children “Dave.”