By Joanne Furtsch, CIPP, CIPP/C
Policy & Product Architect
@privacygeek

Add one user experience designer and one privacy policy geek, mix, and out comes a new approach to short notice design and disclosures. As important as the design and layout of the short notice are to the consumer’s ultimate understanding, so is the text of the disclosures that communicate the data collection and use practices of a web site. Traditionally, short notice disclosures have served to summarize all the data collection and use practices of a particular site or business, covering six key areas: scope; personal information; uses and sharing; choices; important information; and how to contact the company. It is further recommended that each of these areas include four or fewer bullet point statements and fit on one page. This is still a lot of information to put on a single page.

This short notice approach has been adopted by some forward-thinking businesses, such as Equifax Canada or P&G, wanting to simplify their complex privacy notices, but it has not been embraced by the larger number of businesses as a short notice standard from either a design or disclosure standpoint. TRUSTe’s own review of 100 random client web sites revealed 25% of those reviewed have adopted some sort of short notice format, with notice content and design differing among the companies. Consumers are not being provided the level of transparency or access to choice mechanisms that they are seeking.

TRUSTe’s design approach, consistent with TRUSTe’s core values of transparency, choice, and accountability, focuses on communicating practices that are not readily apparent or that are unexpected to consumers, and on making choice mechanisms easy to find. The disclosures populating the short notice describing the practices of the site need to be concise, in consumer-friendly language, and communicate the options available to consumers.

With these design parameters in mind, a new approach in crafting privacy short notice disclosures was needed that boiled the three notice categories down to their core fundamental components. The three privacy components identified in the design phase to be represented in the short notices are:

– Data Use
– Data Sharing
– Third Party Tracking

The next step is determining how to define these three components and the different states that can be concisely described in easy-to-understand language. Crafting these disclosures has its challenges: providing the appropriate level of transparency without obfuscating actual practices, while avoiding “privacy-wonk” terminology and using terms that resonate with consumers.

For each of the categories in the short notice design, three states were identified:

– Expected use
– Unexpected use with choice
– Unexpected use without choice or unknown (practices are not described in the full privacy policy)

Then each of those states needed to be defined.

A rule of thumb to follow when drafting short notice disclosures, or any privacy statement disclosure for that matter, is: when you think it sounds simple and understandable, think again and continue to simplify. At this juncture it is time to seek feedback.

In following that rule of thumb and keeping in the spirit of transparency around our approach, below are the short notice category states and definitions/disclosures associated with each state. TRUSTe is seeking feedback on these

Data Use


  • Expected Uses: Your data is only used to fulfill your order or to provide services you requested including: providing personalized content, securing your data, and/or communicating to you about your requested products or services.
  • Additional Uses w/Choice: Your data is used to create a profile about you based upon your past purchases and/or to send you marketing communications. You can opt-out by emailing [email address].
  • Unexpected/Unknown Use: Your data is used for unexpected or unknown purposes beyond providing you requested products or services. You are not provided choice around these unexpected uses.

 

Data Sharing


  • Data Shared for Fulfillment: Your data is shared with or collected by other companies only to fulfill your order or provide services you requested.
  • Data Shared w/Choice: Your data is shared with other companies, so they can directly market their products or services to you. You can opt-out by emailing [email address].
  • Data Shared w/o Choice or Unknown: The data sharing practices of this site are unknown. Or your data may be shared with other companies for their own use (such as sending you marketing communications) and you are not provided choice around this sharing.

Third Party Tracking


  • Tracking On This Site: This website uses other companies to collect data about how you use this site, such as what pages you viewed, how long you were on a particular page, or whether you filled out a form, to understand how people use the site.
  • Tracking On This & Other Sites w/Choice: Other companies collect data from this and other independent websites to provide you with relevant ads. You can opt-out (link to pref mgr) if you do not want your data used for this purpose.
  • Tracking w/o Choice or Unknown: The tracking practices of this website are unknown. Or other companies collect data from this and other independent websites to provide you with relevant ads, and do not offer you opt-out choices.

Specific areas of feedback include:

  • Simplicity and the readability of the disclosures. How can these be simplified further?
  • Are these the right categories and states?
  • Should the third category, where there is no choice or the practice is unknown, be separated out into two categories, thus creating a fourth category – Practices Unknown or Not Disclosed?

Please send feedback regarding the short notice disclosures to Joanne Furtsch at jfurtsch@truste.com.

Follow me on Twitter: @privacygeek