Are privacy policies ever read by individuals before they entrust their data to advertisers? A recent survey suggested they were not. The ICO is pushing for a new approach to privacy notice drafting, but will it put us lawyers out of a job? We read the runes at
The Information Commissioner's Office (ICO)
Information Commissioner and chief UK data protection watchdog Richard Thomas has soundly admonished UK industry for using over-long, over-legalistic and downright unreadable "fair processing notices" ("FPNs") at the point of data capture.
He called on UK businesses to drop confusing jargon and adopt clear and simple methods of explaining personal data uses and data protection rights to their customers and contacts.
This followed a research exercise which showed that, whilst 59.8% of respondents said they cared about what happened to their personal information, 58.4% misunderstood the scope of the Data Protection Act.
Most people also had little detailed knowledge of what happens to their personal information and paid scant attention to FPNs. 71.8% said they would pay more attention to better designed FPNs. So what improvements could be made to meet the Information Commissioner's concerns?
What makes an FPN good?
The research report itself contains an interesting section entitled "What makes an FPN good?". The main thing to achieve, it says, is that the FPN should be read, understood and remembered, in addition of course to containing the information required to make it legally compliant. A good FPN should therefore:
- stand out from the surrounding material, whatever media it is disclosed in;
- make a very clear statement of what it is about in a title or heading, ideally using attention grabbing words in the title like "risk" or "your protection";
- be clearly distinguishable from marketing material;
- use available techniques such as layering in an online context. An example in an appendix to the research report illustrates the layering approach. After a short introduction, there are then links to other parts of the FPN signposted by wording such as "Your Protection", "Access", and "Purposes and Disclosures". By clicking on those individual links, the reader goes straight to the relevant section;
- require action and involve the reader – people pay attention, the report says, to anything in an application that requires them to do something, such as tick a box or sign an acceptance;
- use short sentences, active voice, bullet points and any available space;
- use a font size large enough that people will not find it difficult to read;
- use catchphrases or mnemonics to get the message across; and
- in a telephone context, require the caller to announce that the FPN is about to be read out, and then check that it has been listened to and (at each main point) understood.
Why this matters:
The ICO cites Microsoft as a glowing example of the new initiative. That company is rolling out layered FPNs in the UK and other countries in the course of 2005. It is hoped that the development will significantly improve the chances that individuals will at least read and understand how their data will be used. Other companies that are taking a leaf out of Microsoft's book include IBM, Kodak and Procter & Gamble.