At least once a week I am asked whether it is acceptable to look at the policies developed by other organizations and copy them. After all, the logic goes, the privacy, cookies, accessibility, or any other policy topics are all about the same. I find this question surprising, as you would never do this in other areas of your life.
For example, when you need to purchase a new car, do you simply look at your neighbor’s vehicle and hand over the check? Or do you think about your transportation needs: your commute, gas consumption, passengers, gear, driving style, and personal preference for color and style? Based on these variables do you narrow down the list to test drive and then see what works best for you?
If you tend to buy things that others have without regard for budget, need, circumstance, or preference, then you might take the risk and copy another organization’s policies. But otherwise, your policies will likely differ from another organization’s because you will want to custom fit them to your:
- Need for predictable operations and how you control online behavior, in line with your unique culture and norms
- Processes around digital creation and management throughout the lifecycle
- Tolerance level for addressing digital risk (i.e. your insurance, cash reserves, and banked credibility with the public for overcoming a bad situation)
- Technology stack
- Geographical area of operations
Simply copying another organization’s policy will check the box and ensure you have some verbiage in place, but it won’t protect your organization legally in line with your business operating norms. Additionally, while subjecting you to copyright infringement risks for copying another organization’s intellectual property, you are unlikely to comprehensively address the specified policy with your unique needs in mind.
While I encourage you to look at the policies others have published to get an understanding of industry trends and standard practices, doing so should only be one source of input to your policymaking process. Stay true to your own needs and objectives in the policy arena and don’t take the copy-paste shortcut. This will allow your organization to feel confident that you have a sound program in place to suit your unique needs and risks that may arise from your online presence.