Nowadays, companies’ privacy statements are not easily accessible and are hardly understandable for consumers. As a consequence, it is not clear to consumers what will happen to their personal data. There is a lot of room for improvement here. This article discusses ways to make privacy statements more understandable for consumers.

Introduction

Information processes tend to be complex, and privacy statements are usually written in a way that is as complex as the information processes themselves.[i] Almost all companies’ privacy statements are complex and too long, and consumers often still do not know the company’s information practices after reading the long notices.[ii] The Organisation for Economic Co-operation and Development (OECD) recommends that consumers should be able to gain access to information about personal data practices without unreasonable effort as to time, knowledge and expense.[iii] In order to comply with that recommendation of the OECD, the privacy statement should be easily accessible and written in an understandable manner. Some authors argue that companies can increase consumer trust by implementing substantive privacy protections as well as procedures to integrate privacy principles into everyday business.[iv] Research shows that legal documents written in plain language increase reader comprehension and are more persuasive.[v] When legal documents are not written in plain language, readers will stop reading when they do not understand the content of the text.[vi] Another study shows that consumers do not read long privacy policies, and that shorter privacy policies with a structured design increase the likelihood that consumers will read them.[vii] At the European level, the Article 29 Working Party describes a minimum level of obligations on how and which information must be provided to individual users in accordance with the Data Protection Directive[viii] (hereinafter DPD). This opinion on more harmonised information provisions argues that information provided to data subjects[ix] should contain language and layout which is easy to understand.[x]

In the following, this article will describe how companies can improve the accessibility and readability of their privacy statements. There are more ways to improve privacy statements; however, I will discuss the aspects of plain language, the multi-layered notice and the placement of the privacy statement.

Plain language

Plain language is clear, direct and focuses on the message. Writing in plain language means focusing on common equivalents of legal and technical jargon.[xi] When drafting the privacy policy in plain language, the company should first consider who the audience is. Here, the education and comprehension levels of consumers are important. The goal is to bridge the gap between the reading level of the privacy statement and that of the customers.[xii] Secondly, it is important to be clear about what the audience needs to know. There is information that has to be included in order to comply with legal and regulatory requirements. Generally, all information about data processing that customers need in order to choose whether to use the company’s product or service should be provided.[xiii]

Privacy policies should focus on information that consumers need to know in order to make a choice, but do not know yet. First, it is best to describe privacy issues in “if this, then that” terms. In this way, customers understand which information is collected by the company, what the company will do with it, and what choices the customer has.[xiv] Second, it is best to replace wordy phrases with simple words; for example, ‘with regard to’ can be replaced by ‘about’. Third, legal and technical jargon should be omitted. Readers will lose their attention when the same concepts are repeated or reworded in a different way, so, fourth, redundant information should be eliminated. In line with that, the fifth point is that sentences should be pared down to essential thoughts. Sixth, text is easier to read when phrases, sentences and lists have the same construction. Seventh, never use capital letters for entire sentences or paragraphs, as this makes the text hard to read. Lastly, it is best to use positive language, avoid double negatives, and use active voice.[xv]

Multi-layered notice

The readability of privacy notices depends not only on the text but also on the design and layout of the notice. Multi-layered notices can make a notice clearer for the consumer to read. Each layer should focus on information that consumers need to understand about their position so that they can make informed decisions.[xvi]

The multi-layered notice is a recommendation of the Article 29 Working Party. The goal of the multi-layered notice is to ensure a minimum level of obligations on how and which information must be provided to individual users in accordance with the Data Protection Directive (DPD). The Article 29 Working Party wants the information provided to consumers to contain language and layout which is easy to understand. According to the Working Party, a multi-layered notice can do this.[xvii] Multi-layered notices make a notice complete in an understandable way. The layers work together and give the consumer complete, understandable information.[xviii]

On top of that, the multi-layered notice contributes to the standardization of privacy statements. Standardization of privacy statements has been argued to be very effective. It can help consumers recognize the content and the information in a statement. Consumers then are familiar with the design and know where to look for which information and for differences between privacy statements.[xix] Therefore, it is highly recommended to follow the multi-layered format of the Article 29 Working Party. This format is publicly available and recommended by European institutions. The latter makes it more likely that other companies will apply this format. Hopefully, in time, this format will be the standard format for privacy statements.

The first layer is the short notice, which has to provide the core information required under Article 10 of the Data Protection Directive (DPD)[xx]. The information that has to be provided according to that Article is the identity of the controller and the purposes of processing. Very short notices can also be shown on mobile phones or other small devices in order to make privacy notices more accessible to customers. Sometimes pictograms can be used to provide the short notice information to customers.[xxi]

The second layer is the condensed notice. The information that needs to be provided in the condensed notice is information about the purpose of the data processing, the recipients of the data, the possibility of transfer to third parties, the right to access, to rectify and oppose, and the choices that are available to the consumer. In addition, contact information for questions and information about the privacy notice should be provided. The condensed notice has to be available online and in hard copy via written or phone request.[xxii]

The third layer is the full notice and must include all national legal requirements and specificities.[xxiii] Information such as the name or address of the data protection commissioner, details of the database and reference to local laws have to be included in this layer.[xxiv]

Placement of the Privacy Statement

Last but not least, the placement of the privacy statement can also contribute to its readability. Privacy statements have to be publicly available. In the Netherlands, there is no specific regulatory requirement on where to publish the privacy statement. An effective way of publishing privacy statements could be on the Internet. In this way, everyone has access to the privacy statements they are interested in. However, consumers need to be able to find the privacy statement. Therefore, various parties prefer placing a link on the homepage that leads to the privacy statement. The link has to be in a clear and prominent place in order to be found by consumers.[xxv]

Concluding Remarks

In order to gain more consumer trust in companies, it is advisable to improve the readability and accessibility of companies’ privacy statements. As stated above, this can be done in different ways. Firstly, using plain language in privacy statements will make them more understandable. When consumers do not have a clue what they are reading, they will often stop reading. Consequently, they will not know what happens with their data. A privacy statement written in plain language does not contain technical or legal jargon. Overall, the information has to be given to consumers in such a manner that they can make an informed choice whether to use the company’s products and/or services. Secondly, the design and layout of the privacy statement are important. Writing the privacy statement as a multi-layered notice will increase readability and give the consumer complete information in an understandable way. In addition, multi-layered notices can contribute towards a standardization process of privacy statements. Lastly, the placement of the privacy statement is important. Placement on the company’s website is advisable, in order to meet the requirement of public availability. Privacy statements will be easily accessible if a link that leads to the privacy statement is placed on the homepage of the website. Following these recommendations will make privacy statements more accessible and more readable.

_______________________________________________________

[i] “Multi-Layered Notices Explained (White Paper)”, The Center for Information Policy Leadership, APEC: 2005.

[ii] See “Multi-Layered Notices Explained (White Paper)”, The Center for Information Policy Leadership, APEC: 2005.

[iii] OECD, “Making Privacy Notices Simple: An OECD Report and Recommendations”, July 24, 2006.

[iv] S. Wheatman & M. Ghiselli, Privacy Policies: How to Effectively Communicate with Consumers and Avoid Judicial and Regulatory Scrutiny, IAPP (February 2014).

[v] See J. Kimble, Answering the Critics of Plain Language, 5 Scribes J. Legal Writing 51, 62-65, 73 (1996).

[vi] See W. H. DuBay, The Principles of Readability, 1 (August 25, 2004).

[vii] A. M. McDonald & L. F. Cranor, The Cost of Reading Privacy Policies and Formats, Privacy Enhancing Technologies Lecture Notes in Computer Science, Vol. 5672, 37-55 (2009).

[viii] Directive 95/46/EC.

[ix] Data subjects are in this case consumers and/or customers.

[x] Article 29 Data Protection Working Party, Opinion 10/2004 on More Harmonised Information Provisions, 11987/04/EN WP 100 (November 25, 2004).

[xi] Kinsella’s Media, Plain Language Primer for Privacy Policies, available at https://iapp.org/media/pdf/knowledge_center/Privacy_Policy_Primer.pdf

[xii] Kinsella’s Media, Plain Language Primer for Privacy Policies, available at https://iapp.org/media/pdf/knowledge_center/Privacy_Policy_Primer.pdf

[xiii] Kinsella’s Media, Plain Language Primer for Privacy Policies, available at https://iapp.org/media/pdf/knowledge_center/Privacy_Policy_Primer.pdf

[xiv] S. Wheatman & M. Ghiselli, Privacy Policies: How to Effectively Communicate with Consumers and Avoid Judicial and Regulatory Scrutiny, IAPP (February 2014).

[xv] See Kinsella’s Media, Plain Language Primer for Privacy Policies, available at https://iapp.org/media/pdf/knowledge_center/Privacy_Policy_Primer.pdf and S. Wheatman & M. Ghiselli, Privacy Policies: How to Effectively Communicate with Consumers and Avoid Judicial and Regulatory Scrutiny, IAPP (February 2014).

[xvi] Article 29 Data Protection Working Party, Opinion 10/2004 on More Harmonised Information Provisions, 11987/04/EN WP 100 (November 25, 2004).

[xvii] Article 29 Data Protection Working Party, Opinion 10/2004 on More Harmonised Information Provisions, 11987/04/EN WP 100 (November 25, 2004).

[xviii] “Multi-Layered Notices Explained (White Paper)”, The Center for Information Policy Leadership, APEC: 2005.

[xix] “Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project” Kleimann Communication Group, Inc., February 28, 2006.

[xx] Directive 95/46/EC.

[xxi] Article 29 Data Protection Working Party, Opinion 10/2004 on More Harmonised Information Provisions, 11987/04/EN WP 100 (November 25, 2004).

[xxii] Article 29 Data Protection Working Party, Opinion 10/2004 on More Harmonised Information Provisions, 11987/04/EN WP 100 (November 25, 2004).

[xxiii] Article 29 Data Protection Working Party, Opinion 10/2004 on More Harmonised Information Provisions, 11987/04/EN WP 100 (November 25, 2004).

[xxiv] “Berlin Privacy Notices Memorandum”, available at http://mddb.apec.org/documents/2005/ECSG/DPM1/05_ecsg_dpm1_003.pdf, Appendix B

[xxv] OECD, “Making Privacy Notices Simple: An OECD Report and Recommendations”, July 24, 2006 and J. Temple, Why Privacy Policies Don’t Work – And What Might, San Francisco Chronicle (January 29, 2012).