Every privacy professional knows by now that several weeks ago CNIL, France’s Data Protection Agency (DPA), imposed a fine of 50 million Euros against GOOGLE for violating “the obligations of transparency and information” rules imposed by the EU’s General Data Protection Regulation (GDPR). LINK
Summarizing, CNIL has judged GOOGLE’s transparency efforts on the basis of how well they serve the needs of GOOGLE’s customers, also known as EU citizens. The GDPR’s Article 12.1 yard stick mandating that privacy information shall be provided “… in a concise, transparent, intelligible, and easily accessible form, using clear and plain language … “ has been applied.
To those of us tasked with delivering adequate transparency under GDPR and other new and emerging privacy laws, this a teachable moment. The lesson: beginning in 2019, the effectiveness of privacy transparency will be judged from the point of view of how well it serves the needs of data subjects (users, customers, citizens, etc.), and no longer from the point of view of how well it serves the purposes of the data controller’s business. The days of “Post and Hope” are over.
What form would a new paradigm for transparency take? What is a real-world example of how enterprises regularly inform citizens of copious and complex information in a way that is explicit, specific, intelligible, concise, and easily accessible? The answer can be found in the aisles of the world’s grocery stores. It is the ubiquitous Nutrition Facts-style label. Consider this generic example:
This Nutrition Facts title name and font are familiar and iconic around the world. The label’s gridded framework supports clear and plain language presenting a prospective buyer/user with a select, concise list of best questions about this specific product. Each issue or question prompts a clear and explicit answer. The user can digest every detail of the information (unlikely), focus in on a fact of particular interest (calories, sodium, carbs?) or choose to ignore the notice completely (I trust this company, and know that the facts are here if I ever need them).
The nutrition facts information format goes a long way to meeting the transparency requirements of GDPR and its many derivative regulations that are springing up around the world. But two major concepts are missing that would make this disclosure format ideal for privacy notices.
First, privacy is much more complicated than food. Single digit or single word right-hand “answers” to elements of the framework are often inadequate to describe privacy concepts. For privacy facts, each answer needs to have “drill down” capability to present multiple sublayers of information on request. Secondly, unlike the flat visual nutrition presentation, a Privacy Facts Notice needs to be interactive. It needs to place digital control into the hands of the user to navigate, view, select, drill down on, expand on, respond to, and exit or ignore the presentation.
Fully enhanced with “drill down” and interactive functionality, here’s a sample of how a Privacy Facts Interactive Notice (PFIN) looks in the digital world, poised for interaction with a user.
One more major benefit emerges from marrying nutrition label simplicity with modern digital technology. The resulting consumer-paced dialogue now becomes operational across the full spectrum of consumer-facing touchpoints (websites, tablets, smartphones, mobile apps, IoT devices, venue signage, QR codes, etc.).
Like nutrition facts labelling, the simplicity and familiarity of PFIN notices build trust between data controllers and data subjects, enterprises and citizens, suppliers and consumers. Implementation of this new notice paradigm can go a long way towards eliminating the decades-old trouble with transparency for enterprises and users alike.