8.6 Privacy Notices
For mobile apps, this type of privacy information is generally less available. Comparatively smaller screens and other device restrictions constrain how users can be given notice about and control over data practices.
A number of studies have demonstrated that most current privacy notices are ineffective at informing users and providing choice, although recent regulations such as GDPR are beginning to correct this. These studies cite a number of factors as likely reasons for the ineffectiveness of current privacy notices [SCHA17]:
Conflating requirements: Companies are faced with a number of requirements in the design of their online privacy notices. Users want clear, easy-to-understand, and brief statements about a company’s privacy practices and privacy controls. Companies need to comply with legal and regulatory requirements concerning the content of the privacy notice, such as defined in Europe’s General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the California Online Privacy Protection Act (CalOPPA). In addition, companies use privacy notices to demonstrate compliance with privacy laws and regulations other than those related to the privacy notice itself and in an attempt to limit liability by promising more than they are legally required to promise.
High burden/low utility: Most users are not willing to invest the time required to read and understand all of the privacy notices they routinely encounter, much less take the time to make choices via user controls. This problem is compounded by the lack of user-friendliness and the lack of choices.
ISO 29184 (Online Privacy Notices and Consent) provides a list of requirements that an organization should satisfy in developing a notice policy, consisting of the following:
Obligation to provide notice: The organization must determine what circumstances require that notice be provided to PII principals. This includes conforming to regulatory and legal requirements, contractual obligations, and concerns with corporate image.
Appropriate expression: The notice should be clear and easy to understand by the targeted PII principals.
Multilingual notice: The notice should be provided in the language(s) most appropriate to the context.
Appropriate timing: Typically, organizations should provide notice just prior to the collection of PII.
Appropriate locations: It should be easy for PII principals to find and access privacy notices.
Appropriate form: The notice structure should be clear and appropriate for the context, taking into account the means by which PII principals access notice information. For example, a mobile phone presents a limited interface and may call for a different structure of notice compared to access via a PC. Notice structure is discussed subsequently.
Ongoing reference: Organizations should retain versions of notices for as long as they are associated with retained PII.
Accessibility: Organizations should accommodate PII principals who have accessibility issues (e.g., vision-impaired or blind individuals).
There is broad agreement among a number of organizations about the required topic coverage of a privacy notice. See for example [CDOJ14], [MUNU12], [OECD06], and [BBC19].
Table 8.4 lists the topics covered by three representative policies: those of Google, which provides a variety of online applications and services (see https://policies.google.com/privacy?hl=en&gl=us); JPMorgan Chase Bank, which provides online banking services (see https://www.chase.com/digital/resources/privacy-security/privacy/online-privacy-policy); and the International Association of Privacy Professionals (IAPP), which is a membership organization (see https://iapp.org/about/privacy-notice/).
TABLE 8.4 Privacy Notice Topics

Google
Information Google Collects
Why Google Collects Data
Your Privacy Controls
Sharing Your Information
Keeping Your Information Secure
Exporting and Deleting Your Information
Compliance and Cooperation with Regulators
About This Policy
Related Privacy Practices
Data Transfer Frameworks

JPMorgan Chase Bank
Use of Information
Disclosure of Information
Understanding Cookies, Web Beacons, and Other Tracking Technologies
Opting Out of Online Behavioral Advertising
Linking to Third-Party Websites
Updating Your Information
Data Protection Officer

International Association of Privacy Professionals (IAPP)
How We Collect and Use (Process) Your Personal Information
Use of the iapp.org Website
When and How We Share Information with Others
Transferring Personal Data from the EU to the US
Data Subject Rights
Security of Your Information
Data Storage and Retention
Changes and Updates to the Privacy Notice
Questions, Concerns, or Complaints
The California Department of Justice has developed one of the clearest statements of what topics to cover in an online privacy notice [CDOJ14]. Its recommendation covers the following topics:
Data collection: Describe how you collect PII, including other sources and technologies, such as cookies. Describe the kind of PII you collect.
Online tracking/do not track: Make it easy for the user to find the section of your policy that relates to online tracking. Describe how you respond to a do not track (DNT) signal or similar mechanism. Disclose the presence of other parties that collect PII on your site or service, if any.
Data use and sharing: Explain how you use and share PII, including:
Explain the uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
Explain your practices regarding the sharing of PII with other entities, including affiliates and marketing partners.
At a minimum, list the different types or categories of companies with which you share customer PII.
Whenever possible, provide a link to the privacy policies of third parties with whom you share PII.
Provide the retention period for each type or category of PII collected.
Individual choice and access: Describe the choices a consumer has regarding the collection, use, and sharing of his or her PII. Consider offering your customers the opportunity to review and correct their PII.
Security safeguards: Explain how you protect your customers’ PII from unauthorized or illegal access, modification, use or destruction.
ISO 29184 includes the following, more comprehensive, list:
Collection purpose: The organization should provide the following information relevant to the purpose of collection of PII:
The purpose(s) for which the PII is collected.
Information about the plausible risk to the PII principal from the processing of the PII.
If different purposes apply to different items of collected PII, the organization should make this clear to the PII principal.
PII controller: The organization should provide the identity and contact details for the PII controller. Typically, this is not an individual, but a department or office within the organization.
Specific PII elements: The organization should indicate what specific PII is being collected (e.g., name, address, and telephone number). It may be appropriate to display the actual value of an item to the principal prior to its collection.
Collection method: The PII principal should understand how his or her PII is being collected. Possibilities include:
Directly collected from the PII principal, such as through a web form.
Indirectly collected. For example, the organization may collect information from a third party, such as a credit agency, and combine that with PII collected directly.
Observed by the PII controller. Examples include browser fingerprint and browser history.
Timing and location of collection: For PII that is not directly collected, the notice should inform the principal of the timing and location of the collection.
Method of use: The organization shall indicate how the PII will be used. ISO 29184 gives the following examples:
Used as is
Used after some processing (e.g., derivation, inference, de-identification, or combining with other data)
Used by automated decision-making techniques (e.g., profiling, classification)
Geo-location and jurisdiction: The organization should indicate where PII will be stored and processed and the legal jurisdiction(s) that govern the handling of the data.
Third party transfer: The organization should provide detailed information about any transfer of the PII to a third party.
Retention period: The organization should indicate how long the PII will be retained and its disposal schedule.
Participation of the PII principal: The organization should indicate what rights the PII principal has with respect to collected PII, including consent, access to the PII, ability to correct PII, and ability to revoke permission.
Inquiry and complaint: The organization should inform the PII principal about how to exercise his or her rights and how to file a complaint.
Accessing the choices for consent: The organization should provide a means for a PII principal to review what permissions he or she has granted.
Basis for processing: The organization shall provide information about the basis by which the PII will be processed, which may be by consent, contractual requirements, or legal/regulatory obligations.
Risks: The organization should provide specific information about plausible risks to PII principals, where the impact to privacy and likelihood of occurrence (after mitigations are considered) are high or those risks cannot be inferred from other information provided to the PII principal.
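The ongoing-reference requirement from the earlier ISO 29184 list (retain each notice version for as long as PII collected under it is retained), together with the review and revocation of consent choices in the list above, as an added example that is not code from the book or from ISO 29184; the ledger, class and field names are assumptions:

```python
"""Notice-version ledger tying each consent record to the exact notice text the
principal saw. Added example, not from the book or ISO 29184; names are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

@dataclass
class ConsentRecord:
    principal_id: str
    notice_version: str   # digest of the notice text shown at collection
    permissions: set      # purposes the principal agreed to
    collected_on: date
    retention_days: int   # retention period stated in that notice

    def retained_until(self) -> date:
        return self.collected_on + timedelta(days=self.retention_days)


class NoticeLedger:
    def __init__(self):
        self.notices = {}     # version id -> notice text
        self.consents = []

    def publish(self, text: str) -> str:
        """Key each notice version by a digest of its exact wording."""
        version = hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]
        self.notices[version] = text
        return version

    def record_consent(self, principal_id, version, permissions,
                       collected_on, retention_days):
        # Consent is only meaningful against a notice that was actually shown.
        if version not in self.notices:
            raise ValueError("consent must reference a published notice version")
        rec = ConsentRecord(principal_id, version, set(permissions),
                            collected_on, retention_days)
        self.consents.append(rec)
        return rec

    def permissions_granted(self, principal_id):
        """Let a principal review the permissions they have granted."""
        return {p for c in self.consents
                if c.principal_id == principal_id for p in c.permissions}

    def revoke(self, principal_id, permission):
        for c in self.consents:           # withdraw one permission; record kept
            if c.principal_id == principal_id:
                c.permissions.discard(permission)

    def can_dispose_notice(self, version, today):
        """Ongoing reference: discard a notice version only when no PII
        collected under it is still within its stated retention period."""
        return not any(c.notice_version == version and c.retained_until() > today
                       for c in self.consents)
```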
Mobile App Privacy Notices
Readability and accessibility of privacy notices are significant challenges for mobile apps. The California Department of Justice makes the following recommendations [CDOJ14]:
Post or link to the policy on the application’s platform page so that users can review the policy before downloading the application.
Link to the policy within the application (e.g., from the application configuration, “About,” “Information,” or settings page).
The information the application obtains and how it is used. This includes user-provided information at the time of download and registration, plus automatically collected information, such as the type of mobile device, the device’s unique device ID, its IP address, the mobile operating system, the type of mobile Internet browser used, and information about the way the user uses the application.
Whether the application collects precise real-time location information of the device.
Whether third parties see and/or have access to information obtained by the application.
Automatic data collection and advertising, such as whether the application is supported via advertising and collects data to help the application serve ads.
Data retention policy and information management.
Children: Avoid soliciting data from or marketing to children under age 13.
This list is quite in line with recommended topics for web-based privacy notices. But organizations need to be concerned about effectively presenting this information on the small screens of mobile devices. To that end, the National Telecommunications and Information Administration has developed a recommended short form privacy notice [NTIA13]. The short form should provide brief information in the following categories: types of data collected, sharing of user-specific data, means of accessing a long form privacy notice, and the identity of the entity providing the app.
With respect to the types of data collected, the short form notice should state which of the following data categories the app collects:
Biometrics: Information about your body, including fingerprints, facial recognition, signatures, and/or voice print
Browser history: A list of websites visited
Phone or text log: A list of calls or texts made or received
Contacts: A list of contacts, social networking connections or their phone numbers, postal, email, and text addresses
Financial info: Credit, bank, and consumer-specific financial information such as transaction data
Health, medical, or therapy info: Health claims and other information used to measure health or wellness
Location: Precise past or current location of a user
User files: Files stored on the device that contain the user’s content, such as calendar, photos, text, or video
The short form notice should state whether the app shares user-specific data with any third-party entity that falls within any of the following categories:
Ad networks: Companies that display ads to you through apps
Carriers: Companies that provide mobile connections
Consumer data resellers: Companies that sell consumer information to other companies for multiple purposes, including offering products and services that may interest you
Data analytics providers: Companies that collect and analyze your data
Government entities: Any sharing with the government except where required by law or expressly permitted in an emergency
Operating systems and platforms: Software companies that power your device, app stores, and companies that provide common tools and information for apps about app consumers
Other apps: Other apps of companies that the consumer may not have a relationship with
Social networks: Companies that connect individuals around common interests and facilitate sharing
The National Telecommunications and Information Administration also provides guidance concerning how and when to display this data [NTIA13].
Privacy Notice Design Space
The content of a privacy notice is only one aspect of good privacy notice design. The article “Designing Effective Privacy Notices and Controls” from IEEE Internet Computing [SCHA17] presents a design space for privacy notices that encompasses four dimensions: the notice’s timing (when it is presented), channel (how it is presented), modality (communication model used), and control (how the choices are provided), as illustrated in Figure 8.6.
FIGURE 8.6 Privacy Notice Design Space
The effectiveness of a privacy notice depends a great deal on the timing of its presentation. If the web service or app presents the notice at a time that is inconvenient for the user, the user is apt to ignore it. The IEEE Internet Computing article “Designing Effective Privacy Notices and Controls” [SCHA17] lists six timing opportunities:
At setup: A mobile app can present the privacy notice once when the user is about to install the software. This enables the user to make an informed decision about purchasing the software. Typically, the app that uses this timing also provides a means for the user to review the privacy notice subsequently.
Just in time: A mobile app or web service can show the privacy implications of a requested transaction. This has the advantage that the user need only be shown privacy information related to that transaction.
Context dependent: A mobile app or web service can present a privacy notice triggered by certain aspects of the user’s context, such as location (e.g., in proximity to a data-collecting sensor) or who will have access to the information, or can warn about potentially unintended settings.
Periodic: A mobile app or web service may repeat a privacy notice periodically as a reminder. For example, iOS periodically reminds users of apps that access the phone’s location in the background.
Persistent: Persistent notices alert the user of ongoing data activity with privacy consequences. For instance, Android and iOS display a small icon in the status bar whenever an application accesses the user’s location; if the icon is not shown, the user’s location is not being accessed. Privacy browser plugins typically place an icon in the browser’s toolbar to inform users about the data practices or third-party trackers of the website visited.
On demand: Systems should enable users to access particular portions or all of a privacy notice on demand. A simple example of this is the standard practice of providing a privacy link at the bottom of each web page.
The channel dimension refers to how the privacy notice is presented to the user. A primary channel presents the privacy notice on the same platform through which the service itself is provided. For example, if a service is provided through a web interface, then the policy notice is integrated into that web interface. A secondary channel uses another method, such as email, and a public channel uses publicly available platforms such as billboards and posters.
Modality specifies the way in which the privacy notice is communicated to the user (e.g., visual, auditory, haptic [vibration], machine readable). For online services, the most common modalities are visual presentation of the policies as texts and graphics. The other modalities may represent a supplemental effort to ensure that the user is aware of the privacy implications of various actions. An example of the machine-readable modality is IoT devices that broadcast their machine-readable privacy notices to smartphones or other devices, which then use other modalities for presentation to the user.
Control means giving users the ability to make decisions about how their data is handled. Options to opt in to and opt out of data activity may be available to a user. A user might need to pause and make choices, thereby providing consent. Controls may wait for user action (blocking) or not (non-blocking), or they can be separate from the main notice (decoupled).