Home > Articles

  • Print
  • + Share This
This chapter is from the book

8.6 Privacy Notices

The most fundamental requirement for users to be able to make informed online privacy decisions is that they need to be aware of and understand the data practices of the service or company, including what personal information is collected, used, retained, and shared. The principal vehicle by which companies provide this information is the privacy notice. For web-based services, virtually all web pages have a privacy link at the bottom of their main page that goes to a page that states the privacy policy, which is focused on disclosure issues.

For mobile apps, this type of privacy information is generally less available. Comparatively smaller screens and other device restrictions constrain how users can be given notice about and control over data practices.

A number of studies have demonstrated that most current privacy notices are ineffective at informing users and providing choice, although recent regulations such as GDPR are tending to correct this. These studies cite a number of factors as likely reasons for the ineffectiveness of current privacy notices [SCHA17]:

  • Conflating requirements: Companies are faced with a number of requirements in the design of their online privacy notices. Users want clear, easy-to-understand, and brief statements about a company’s privacy practices and privacy controls. Companies need to comply with legal and regulatory requirements concerning the content of the privacy notice, such as defined in Europe’s General Data Protection Regulation (GDPR), the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the California Online Privacy Protection Act (CalOPPA). In addition, companies use privacy notices to demonstrate compliance with privacy laws and regulations other than those related to the privacy notice itself and in an attempt to limit liability by promising more than they are legally required to promise.

  • Lacking choices: Most privacy notices offer little choice, especially for mobile apps and IoT devices. Many websites and apps interpret user access as consent to use, regardless of whether the user has seen, read, or understood the privacy policy.

  • High burden/low utility: Most users are not willing to invest the time required to read and understand all of the privacy notices they routinely encounter, much less take the time to make choices via user controls. This problem is compounded by the lack of user-friendliness and the lack of choices.

  • Decoupled notices: Privacy notices are generally separate from normal user interaction. Websites only link to a privacy policy at the bottom of the page; mobile apps link to a privacy policy in the app store or in some app submenu; privacy policies for IoT devices are only available on the manufacturer’s website.

Notice Requirements

ISO 29184 (Online Privacy Notices and Consent) provides a list of requirements that an organization should satisfy in developing a notice policy, consisting of the following:

  • Obligation to provide notice: The organization must determine what circumstances require that notice be provided to PII principals. This includes conforming to regulatory and legal requirements, contractual obligations, and concerns with corporate image.

  • Appropriate expression: The notice should be clear and easy to understand by the targeted PII principals.

  • Multilingual notice: The notice should be provided in the language(s) most appropriate to the context.

  • Appropriate timing: Typically, organizations should provide notice just prior to the collection of PII.

  • Appropriate locations: It should be easy for PII principals to find and access privacy notices.

  • Appropriate form: The notice structure should be clear and appropriate for the context, taking into account the means by which PII principals access notice information. For example, a mobile phone presents a limited interface and may call for a different structure of notice compared to access via a PC. Notice structure is discussed subsequently.

  • Ongoing reference: Organizations should retain versions of notices for as long as they are associated with retained PII.

  • Accessibility: Organizations should accommodate PII principals who have accessibility issues (e.g., vision-impaired or blind individuals).

Notice Content

There is broad agreement among a number of organizations about the required topic coverage of a privacy notice. See for example [CDOJ14], [MUNU12], [OECD06], and [BBC19].

Table 8.4 lists the topics covered by three representative policies: those of Google, which provides a variety of online applications and services (see https://policies.google.com/privacy?hl=en&gl=us); JPMorgan Chase Bank, which provides online banking services (see https://www.chase.com/digital/resources/privacy-security/privacy/online-privacy-policy); and the International Association of Privacy Professionals (IAPP), which is a membership organization (see https://iapp.org/about/privacy-notice/).

TABLE 8.4 Privacy Notice Topics

Google

JPMorgan Chase Bank

IAPP

Introduction

Information Google Collects

Why Google Collects Data

Your Privacy Controls

Sharing Your Information

Keeping Your Information Secure

Exporting and Deleting Your Information

Compliance and Cooperation with Regulators

About This Policy

Related Privacy Practices

Data Transfer Frameworks

Key Terms

Partners

Overview

Use of Information

Disclosure of Information

Understanding Cookies, Web Beacons, and Other Tracking Technologies

Opting Out of Online Behavioral Advertising

Linking to Third-Party Websites

Updating Your Information

Changes to This Online Privacy Policy

Introduction

Data Protection Officer

How We Collect and Use (Process) Your Personal Information

Use of the iapp.org Website

When and How We Share Information with Others

Transferring Personal Data from the EU to the US

Data Subject Rights

Security of Your Information

Data Storage and Retention

Changes and Updates to the Privacy Notice

Questions, Concerns, or Complaints

The California Department of Justice has developed one of the clearest statements of what topics to cover in an online privacy notice [CDOJ14]. Its recommendation covers the following topics:

  • Data collection: Describe how you collect PII, including other sources and technologies, such as cookies. Describe the kind of PII you collect.

  • Online tracking/do not track: Make it easy for the user to find the section of your policy that relates to online tracking. Describe how you respond to a do not track (DNT) signal or similar mechanism. Disclose the presence of other parties that collect PII on your site or service, if any.

  • Data use and sharing: Explain how you use and share PII, including:

    • Explain the uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.

    • Explain your practices regarding the sharing of PII with other entities, including affiliates and marketing partners.

    • At a minimum, list the different types or categories of companies with which you share customer PII.

    • Whenever possible, provide a link to the privacy policies of third parties with whom you share PII.

    • Provide the retention period for each type or category of PII collected.

  • Individual choice and access: Describe the choices a consumer has regarding the collection, use, and sharing of his or her PII. Consider offering your customers the opportunity to review and correct their PII.

  • Security safeguards: Explain how you protect your customers’ PII from unauthorized or illegal access, modification, use or destruction.

  • Effective date: Give the effective date of your privacy policy.

  • Accountability: Tell your customers whom they can contact with questions or concerns about your privacy policy and practices.

ISO 29184 includes the following, more comprehensive, list:

  • Collection purpose: The organization should provide the following information relevant to the purpose of collection of PII:

    • The purpose(s) for which the PII is collected.

    • Information about the plausible risk to the PII principal from the processing of the PII.

    • If different purposes apply to different items of collected PII, the organization should make this clear to the PII principal.

  • PII controller: The organization should provide the identity and contact details for the PII controller. Typically, this is not an individual, but a department or office within the organization.

  • Specific PII elements: The organization should indicate what specific PII is being collected (e.g., name, address, and telephone number). It may be appropriate to display the actual value of an item to the principal prior to its collection.

  • Collection method: The PII principal should understand how his or her PII is being collected. Possibilities include:

    • Directly collected from the PII principal, such as through a web form.

    • Indirectly collected. For example, the organization may collect information from a third party, such as a credit agency, and combine that with PII collected directly.

    • Observed by the PII controller. Examples include browser fingerprint and browser history.

  • Timing and location of collection: For PII that is not directly collected, the notice should inform the principal of the timing and location of the collection.

  • Method of use: The organization shall indicate how the PII will be used. ISO 29184 gives the following examples:

    • Used as is

    • Used after some processing (e.g., derivation, inference, de-identification, or combining with other data)

    • Combined with other data (e.g., geo-localized, via the use of cookies, from third parties)

    • Used by automated decision-making techniques (e.g., profiling, classification)

  • Geo-location and jurisdiction: The organization should indicate where PII will be stored and processed and the legal jurisdiction(s) that govern the handling of the data.

  • Third party transfer: The organization should provide detailed information about any transfer of the PII to a third party.

  • Retention period: The organization should indicate how long the PII will be retained and its disposal schedule.

  • Participation of the PII principal: The organization should indicate what rights the PII principal has with respect to collected PII, including consent, access to the PII, ability to correct PII, and ability to revoke permission.

  • Inquiry and complaint: The organization should inform the PII principal about how to exercise his or her rights and how to file a complaint.

  • Accessing the choices for consent: The organization should provide a means for a PII principal to review what permissions he or she has granted.

  • Basis for processing: The organization shall provide information about the basis by which the PII will be processed, which may be by consent, contractual requirements, or legal/regulatory obligations.

  • Risks: The organization should provide specific information about plausible risks to PII principals, where the impact to privacy and likelihood of occurrence (after mitigations are considered) are high or those risks cannot be inferred from other information provided to the PII principal.

Notice Structure

The structure of a privacy notice is a key factor in its readability and usability. Traditionally, privacy notices have consisted of a single long document divided into sections to cover the various topics. The web privacy notice of JPMorgan Chase (at the time of this writing) is an example. Such a structure tends to discourage the reader and make it difficult to find anything useful. Increasingly, companies are opting for various types of layered privacy notices to provide users with a high-level summary of a privacy policy. One approach is to use short sections with “to learn more” links to more detailed information. The IAPP web privacy notice is of this type. Another approach is to display a list of tabs with descriptive titles, which the user can select for a description of each topic. The current TDBank web privacy notice is of this type (see https://www.td.com/us/en/personal-banking/privacy/).

Mobile App Privacy Notices

Readability and accessibility of privacy notices are significant challenges for mobile apps. The California Department of Justice makes the following recommendations [CDOJ14]:

  • Post or link to the policy on the application’s platform page so that users can review the policy before downloading the application.

  • Link to the policy within the application (e.g., from the application configuration, “About,” “Information,” or settings page).

The Mobile Marketing Association has released the Mobile Application Privacy Policy Framework [MMA11], which serves as a recommended template for the contents of a privacy notice for mobile apps. It covers the following topics:

  • The information the application obtains and how it is used. This includes user-provided information at the time of download and registration, plus automatically collected information, such as the type of mobile device you use, your mobile device’s unique device ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browsers you use, and information about the way you use the application.

  • Whether the application collects precise real-time location information of the device.

  • Whether third parties see and/or have access to information obtained by the application.

  • Automatic data collection and advertising, such as whether the application is supported via advertising and collects data to help the application serve ads.

  • Opt-out rights.

  • Data retention policy and information management.

  • Children. Avoiding soliciting data from or marketing to children under age 13.

  • Security procedures.

  • How users are informed of changes to the privacy policy.

  • Consent to the processing of user-provided and automatically collected information as set forth in the privacy policy.

  • Contact information.

This list is quite in line with recommended topics for web-based privacy notices. But organizations need to be concerned about effectively presenting this information on the small screens of mobile devices. To that end, the National Telecommunications and Information Administration has developed a recommended short form privacy notice [NTIA13]. The short form should provide brief information in the following categories: types of data collected, sharing of user-specific data, means of accessing a long form privacy notice, and the identity of the entity providing the app.

With respect to the types of data collected, the short form notice should state which of the following data categories the app collects:

  • Biometrics: Information about your body, including fingerprints, facial recognition, signatures, and/or voice print

  • Browser history: A list of websites visited

  • Phone or text log: A list of calls or texts made or received

  • Contacts: A list of contacts, social networking connections or their phone numbers, postal, email, and text addresses

  • Financial info: Credit, bank, and consumer-specific financial information such as transaction data

  • Health, medical, or therapy info: Health claims and other information used to measure health or wellness

  • Location: Precise past or current location of a user

  • User files: Files stored on the device that contain the user’s content, such as calendar, photos, text, or video

The short form notice should state whether the app shares user-specific data with any third-party entity that falls within any of the following categories:

  • Ad networks: Companies that display ads to you through apps

  • Carriers: Companies that provide mobile connections

  • Consumer data resellers: Companies that sell consumer information to other companies for multiple purposes, including offering products and services that may interest you

  • Data analytics providers: Companies that collect and analyze your data

  • Government entities: Any sharing with the government except where required by law or expressly permitted in an emergency

  • Operating systems and platforms: Software companies that power your device, app stores, and companies that provide common tools and information for apps about app consumers

  • Other apps: Other apps of companies that the consumer may not have a relationship with

  • Social networks: Companies that connect individuals around common interests and facilitate sharing

The National Telecommunications and Information Administration also provides guidance concerning how and when to display this data [NTIA13].

Privacy Notice Design Space

The content of a privacy notice is only one aspect of good privacy notice design. The article “Designing Effective Privacy Notices and Controls” from IEEE Internet Computing [SCHA17] presents a design space for privacy notices that encompasses four dimensions: the notice’s timing (when it is presented), channel (how it is presented), modality (communication model used), and control (how are the choices provided), as illustrated in Figure 8.6.

FIGURE 8.6

FIGURE 8.6 Privacy Notice Design Space

Timing

The effectiveness of a privacy notice depends a great deal on the timing of its presentation. If the web service or app presents the notice at a time that is inconvenient for the user, the user is apt to ignore it. “Designing Effective Privacy Notices and Controls,” from IEEE Internet Computing [SCHA17] lists six timing opportunities:

  • At setup: A mobile app can present the privacy notice once when the user is about to install the software. This enables the user to make an informed decision about purchasing the software. Typically, the app that uses this timing also provides a means for the user to review the privacy notice subsequently.

  • Just in time: A mobile app or web service can show the privacy implications of a requested transaction. This has the advantage that the user need only be shown privacy information related to that transaction.

  • Context dependent: A mobile app or web service can present a privacy notice triggered by certain aspects of the user’s context, such as location (e.g., in proximity to a data-collecting sensor) or who will have access to the information, or can warn about potentially unintended settings.

  • Periodic: A mobile app or web service may repeat a privacy notice periodically as a reminder. For example, iOS periodically reminds users of apps that access the phone’s location in the background.

  • Persistent: Persistent notices alert the user of ongoing data activity with privacy consequences. For instance, Android and iOS display a small icon in the status bar whenever an application accesses the user’s location; if the icon is not shown, the user’s location is not being accessed. Privacy browser plugins typically place an icon in the browser’s toolbar to inform users about the data practices or third-party trackers of the website visited.

  • On demand: Systems should enable users to access particular portions or all of a privacy notice on demand. A simple example of this is the standard practice of providing a privacy link at the bottom of each web page.

Channel

The channel dimension refers to how the privacy notice is presented to the user. A primary channel is the one in which the privacy notice is presented on the same platform as the one the service itself is provided with. For example, if a service is provided through a web interface, then the policy notice will be integrated as part of the web interface. A secondary channel uses another method, such as email, and a public channel utilizes publicly available platforms such as billboards and posters.

Modality

Modality specifies the way in which the privacy notice is communicated to the user (e.g., visual, auditory, haptic [vibration], machine readable). For online services, the most common modalities are visual presentation of the policies as texts and graphics. The other modalities may represent a supplemental effort to ensure that the user is aware of the privacy implications of various actions. An example of the machine-readable modality is IoT devices that broadcast their machine-readable privacy notices to smartphones or other devices, which then use other modalities for presentation to the user.

Control

Control means providing users with decisions on possible control of their data. Options to opt in and opt out of data activity may be available to a user. A user might need to pause and make choices and therefore provide consent. Controls may wait for user action (blocking) or not (non-blocking), or they can be separate from the main notice (decoupled).

  • + Share This
  • 🔖 Save To Your Account