Companies that think of their Privacy Policy as a “Legal” or “Compliance” function will have their lawyers write it, and it will be incomprehensible to users. That’s Legal’s job: to write documents for judges and other lawyers to read.
I’d argue that companies should think of their privacy policy as not a legal document but as a product feature, and let product managers (or whoever is responsible for feature ideas) write them. The audience then would be the user and the wording would more likely be understandable. Most companies’ product teams are better equipped to articulate the benefits and trade-offs to end users.
The problem is when product managers use language that is understandable to most people but leaves a lot of loopholes and results in lawsuits.
Writing legal documents is a lot like writing code— you are trying to leave no room for ambiguity (or bugs), need to cover all the edge cases, and the code is inevitably at least as complex as the domain in which it operates.
Depends on your legal system. It doesn't have to be letter of the law, which is how the US operates, leading to abominations of phrasing like "damages including but not limited to foo, bar, baz" etc. In other jurisdictions, spirit of the law is good enough, so you can just write "damages" and something like a reasonable person test is applied.
Example: In the US, rent agreements can be dense, 30 page affairs and still be legally binding. In Europe or Australia, 5 pages or less usually suffices, and longer documents may simply be ruled unreasonable.
I’d argue that companies should think of their privacy policy as not a legal document but as a product feature, and let product managers (or whoever is responsible for feature ideas) write them. The audience then would be the user and the wording would more likely be understandable. Most companies’ product teams are better equipped to articulate the benefits and trade-offs to end users.