For privacy notices, one size doesn't have to fit all
One of the basic fair information practice principles is openness or notice. The core principle says there should be openness about developments, practices and policies for processing personal data. Anyone should be able to find out who processes personal data and how.
A common method for providing notice on the Internet is a box or link offered to a user registering at a Web site. Sometimes, the user merely has an option to look at the notice. Sometimes the consumer must click on the notice to proceed.
This ritualized offering of notice at the front end of a relationship has shortcomings. Notices are long and unreadable because of the complexity of personal data processing and the pressure to have complete disclosure. Many notices are written by lawyers and are impenetrable. Try reading a Gramm-Leach-Bliley notice from your bank and you will understand my point.
Several attempts have been made to do better. A few years ago, there was a boomlet for short notices. The idea was to offer users a one-screen summary of a privacy notice. Short notices have not taken off. They are more complicated than they look. Some suspect that the business support of short notices was more for avoiding liability than for informing consumers.
Another attempt was the Platform for Privacy Preferences or P3P. This technology allows a consumer automatically to compare his or her privacy preferences with the policies of a site. If the site fails to meet the consumer's standards, P3P alerts the user. This is another approach that, despite some implementation, hasn't gotten any marketplace buzz. It is too complicated to use.
I would love to tell you that I have a new approach to notice that will solve all problems, be easy to implement and loved by all. I can't. However, I have some thoughts that may be useful in dragging the idea of notice a bit further down the road.
Notices serve multiple purposes. First, they notify individuals, and they notify the world. A data controller has an obligation to both. The reason we give notice to data subjects is obvious. However, notices must also be broadly available so that regulators, reporters and advocates can find them.
Second, a generally unstated purpose of notice is to force companies to pay attention to activities that affect privacy. Developing a privacy notice is actually an excellent technique for accomplishing this purpose. Notice should involve people from all relevant parts of the company. The resulting notice informs employees at the same time it informs outsiders.
Third, there may be more of an overlap between access and notice than anyone has identified to date. For example, credit monitoring pushes to the data subject information about the actual use of a credit report. This entails a notice element as well as access.
Contrast that with a one-time, click-here-to-read privacy notice that is "subject to change at any time." The value here is marginal.
We now have several elements to play with. Information can be pushed to or pulled by the consumer. Some parts of a notice may be more important to the world than to consumers. We can describe privacy practices generically or tell consumers what happened to their own data. Disclosure can come before the fact or after. Some elements can be automated to be focused and timely.
Let's imagine a consumer who cares mostly about redisclosure of personal information and spam. The site's privacy notice is available to be read, but the consumer uses a simple tool that gives him or her the precise privacy information that he or she wants. The site offers choices so the consumer can sign up to receive actual notice when data are to be transferred to a third party. The consumer also requests specific notice in the event that the company's spam policy changes. Other information about use of the consumer's data is available on demand at the company's access registry, where the consumer can exercise available choices.
This is just one vision for integrating elements of notice and access in an automated environment. It won't work with paper records or even with all automated records. It won't appeal to merchants who don't want to let consumers really know how personal data are used. And not all consumers will be interested.
Still, the idea is to make better use of technology and practice to achieve the goals of notice and access. Anything that gets us a step beyond a front-end, unreadable privacy notice is worth a try.