

Terry McQuay

Short Notice for Privacy

A short notice is a summary of an organization's privacy policies and procedures that is made available to consumers. Short notices are usually used in the following circumstances:

  • When there are physical limitations to providing full notice, for example in coupons, marketing forms, surveys or customer mailers;
  • To provide clarity to a consumer with a summary of the key elements in a readily available full notice (recommended); or
  • When an organization chooses not to be transparent about its privacy policies and procedures and instead provides the minimal information believed to be required (not recommended).

Typical locations of short notices for privacy include:

  • On corporate websites, as a summary of an organization's full privacy notice;
  • As a mailer sent to customers; and
  • As a poster, say in a customer service or retail location.

The increased momentum of short notices in a multi-layered privacy notice has resulted from:

  1. Corporations' increased desire to provide consumers easy and quick access to key information from the organization's privacy policy to allow them to make informed decisions.
  2. An emerging international movement popularizing a standard format for short notices.
  3. A desire for corporations to demonstrate a commitment to privacy to consumers, business partners and regulators.

Business Case for a Short Notice for Privacy

Consumers and commissioners' offices complain about privacy notices being lengthy, using too much legalese and generally being very hard to understand. Consumer studies indicate that long privacy policies build distrust, as consumers feel the organization is hiding their true privacy practices. Nymity's studies have found that in some cases this may be true, but the vast majority of organizations are trying to balance legal requirements with building trust.

A short notice for privacy effectively balances legal requirements, being transparent, meeting commissioners' objectives and building trust. A short notice provides consumers the key privacy provisions required to make a quick and informed decision about providing their personal information.

Creating a short notice for privacy is a simple, effective and cost-effective way to demonstrate an organization's commitment to privacy to consumers, business partners and the commissioners' offices.

The Value of a Standardized Short Notice

If all organizations were to use the same short notice format, consumers would have an easily understood and consistent format to compare organizations' privacy policies and practices. A standardized short notice format would be similar to nutrition labeling, as Nutrition Facts statements allow consumers to quickly identify key information and compare products to make an informed purchasing decision.

Just like nutrition labels, a standardized format for short notice in the form of a Privacy Fact Statement would allow consumers to quickly understand:

  • What personal information the organization collects;
  • How an organization uses and shares personal information;
  • Choices available;
  • Important considerations related to providing personal information; and
  • How to contact the organization.

Fortunately, there is an emerging international standard for short notice adopted by some of the major public and private sector organizations in Canada and abroad.

Privacy Fact Statements - Standardized Short Notice

The standardized short notice format outlined in this guide is based on the Berlin Memorandum of the Working Party under Article 29 of Directive 95/46/EC in December of 2004.

This format is quickly becoming the international standard for short notice. This is due to its simplicity and functionality. Several organizations have adopted short notices and created what Nymity calls Privacy Fact Statements, including:

Private Sector

  • Equifax Canada
  • Microsoft
  • P&G
  • JPMorgan Chase
  • Kodak

Public Sector

  • Privacy Commissioner of British Columbia
  • Australian Government
  • US Postal Service

Three uses of Privacy Fact Statements are: the first layer of an online multi-layered privacy notice, posters and mailed privacy notices. Privacy Fact Statement benefits:

Consumers -
Privacy Fact Statements allow consumers to understand the organization's privacy policies at a glance and allow for quick comparisons with other organizations using the same format. In an industry such as banking where privacy practices are similar, a Privacy Fact Statement would highlight other trust-building documents to allow the financial institution to differentiate itself while providing key information. An example of an organization providing additional value to consumers through its privacy notice would be documentation for consumers on protecting themselves from identity theft or phishing.

Businesses -
Privacy Fact Statements help organizations build consumer trust, as they quickly provide consumers the information they need to make a decision and indicate an organization has nothing to hide. The results are increased revenues and reduced numbers of complaints. They also put the organization in good standing with privacy commissioners and business partners, by demonstrating the corporation's commitment to privacy. Privacy Fact Statements, when used with effective full privacy notices, reduce the organization's exposure to privacy risk.

A paper from the federal privacy commissioner's office states:

"14-page privacy notice does not necessarily do a better job on knowledge and consent than a one-page privacy notice. Long and tangled privacy notices are at best confusing and frustrating. At worst they infer consent for just about any use for the personal information that could be imagined and make a mockery of the spirit of the law. Clear language in privacy notices is essential."

Guide to Creating a Privacy Fact Statement

Research used by the working group has shown that privacy notices should be short, with fewer than seven categories and fewer than twenty-eight lines of text.

Privacy Fact Statement Structural Components

The Berlin Memorandum, on which Privacy Fact Statements are based, calls for a privacy short notice to be one page in length and use the subheadings:

  1. Scope;
  2. Personal Information Collected;
  3. Uses and Sharing;
  4. Your Choices;
  5. Important Information; and
  6. How to Contact Us.

General Guidelines

A Privacy Fact Statement must:

  • Have language that is neutral, non-propagandistic and void of legalese;
  • Include the key facts relevant to consumers' decisions;
  • Fit on one page;
  • Contain four or fewer bullets per subheading;
  • Link to or refer to a full notice;
  • Avoid the use of privacy principles;
  • Limit the use of marketing language; and
  • Not conflict with the full notice.

It can also contain links to key information in the full notice; for example, a list of affiliates or details on types of information collected.

The key components of a Privacy Fact Statement are the use and sharing of an individual's personal information and what options consumers have. Information related to safeguards, data retention, accuracy and accountability for the organization's actions could be reserved for the privacy policy. Explaining the privacy principles is not required, or desired. What is needed are the "privacy facts."

Privacy Fact Statement Structural Guide

Six components of a short notice are:

1. Scope - Although the concept seems simple, Nymity research has found that there are many considerations for defining the scope of an organization's privacy notice. The scope of the notice must deal with: who is covered by the notice; website versus corporate application; employees, if appropriate; which jurisdictions the notice applies to; which organizations and affiliates are covered; plus many other considerations.
The Privacy Fact Statement Scope subheading should be a single sentence that covers the key components necessary for the consumer to understand to whom the consumer is providing their personal information.
The Scope subsection should answer the questions:

  • What company is responsible for the information I provide?
  • Does this privacy notice apply to personal information collected by phone, by mail, in person or just online through the website?

2. Personal Information - Nymity's research has shown that privacy notices that effectively define personal information provide examples of what is and is not personal information, and details about where information is obtained. This serves to mitigate privacy risk and build trust. Although there are dozens of considerations for privacy policies, the short notice only requires what personal information is collected where and when.
This section should answer the questions:

  • What is considered personal information?
  • What personal information is the organization collecting?
  • Where does this organization get my personal information?
  • When does the organization collect my personal information?

Some organizations may struggle with stating the sources of personal information collected and wish to keep this information buried in the privacy policy, if, for example, they rent lists from other sources. Including this information in a short notice quickly provides consumers notice of where the organization has obtained their information and allows them to quickly opt out of future use of that information. Allowing consumers to quickly understand and opt out is less likely to damage the organization's brand and minimizes the chances of a complaint. (See Nymity's paper "Privacy Notice - Nymity's Primer for Transparency" for a discussion on who reads privacy notices at www.nymity.com.)

3. Uses and Sharing -
Nymity's research has found that providing notice of Uses and Sharing of personal information is the key component of transparency, and thus the key to effective Privacy Fact Statements. Our research has found over forty criteria for privacy policies in this area to mitigate privacy risk and build trust, but only the three or four key provisions are required for the Privacy Fact Statement.
The Uses and Sharing subsection should answer the questions:

  • How will the company use my information?
  • In what circumstances is my information shared?

In this section the tendency is to explain how the information is not used, for example, "We will not sell your information." This is fine, as long as it is true, although an affirmative statement is usually better. A statement that an organization does not sell information must not be misleading, for example, when the organization rents or trades personal information. This could be considered deceptive and lead to complaints to one of the privacy commissioners in Canada.

Also, an organization shouldn't state, "We don't share your information without your consent" when they rely on implied consent (opt-out), as that is misleading and could lead to complaints. These organizations should state "We share information about you with other companies so they can offer you their products and services" and let the consumer read the next section related to their opt-out choices. But if express consent is used (opt-in), then "We don't share your information without your explicit consent" is a trust-building statement.

4. Your Choices -
Consumers have choices relating to accessing and updating their personal information. They have the ability to complain and withdraw consent. Nymity has identified dozens of transparency considerations for effectively providing notice that mitigates privacy risk and builds trust related to choices. One of these requirements, as defined by the Canadian Marketing Association, mandates that organizations provide consumers with choices that are easy to understand, easy to find and easy to act on.

The Your Choices subsection should answer the questions:

  • When can I withdraw my consent, and when may I not?
  • Can I access and update my information?
  • How do I make changes?

As it is likely that an organization wants to have customer service deal with consumer choices, a toll-free number should be provided. The advantage of this approach is that customer service calls explain what the individual is opting out of while providing the organization with another opportunity to position its products and services. Of course, customer service must be trained to identify privacy concerns and escalate the call when required.

5. Important Information - This section deals with areas in which organizations wish to differentiate themselves from their competitors, increase trust, increase clarity or further mitigate risks. This section includes the key elements in the privacy policy that organizations should make known to a consumer. The contents can vary widely.

Potential questions answered in the section include:

  • Where is the privacy policy (full notice)?
  • What material changes have been made to the policy?
  • What educational privacy and security materials does the organization provide?
  • What privacy seals does the organization have?
  • What privacy awards has the organization won?
  • How do I find the FAQs (which generally is a listing of key information, as few consumers ask questions related to privacy policies)?
  • Are there any special legal requirements I should know about?

6. How to Reach Us - This subsection provides consumers with contact information for the privacy office. Where applicable, it should be clear to consumers when they should contact the privacy office instead of customer service.

This section should answer:

  • How do I call the privacy officer?
  • How do I email the privacy officer?
  • When do I call the privacy officer?
  • When do I call customer service?

Example Privacy Facts Statement

An example of a privacy short notice can be found at Equifax Canada www.equifax.ca.

Next Steps

  1. Read Nymity's paper called "Privacy Notice - Nymity's Primer for Transparency" (www.nymity.com) to learn about the value of multi-layered privacy notices.
  2. Upgrade your privacy policy and/or full notice prior to creating a Privacy Fact Statement.
  3. Recommendation: Use Nymity's Canadian Notice Index, as it provides extensive research for creating effective privacy policies and notices.
  4. Once the Privacy Fact Statement is created, contact Nymity so that your firm can be listed in the Privacy Fact Statement directory.
  5. Submit your policy for Nymity's next assessment of privacy policy for the Top Privacy Policy Awards in Canada.

Special Thanks

Special thanks to Malcolm Crompton of Information Integrity Solutions, Martin Abrams of the Center for Information Policy Leadership, Robin Gould-Soil and Anna Sheehan of TD Bank Financial Group, Wally Hill of the Canadian Marketing Association, Steve Heck of Microsoft, John Wunderlich of Ceridian, Bryan Walker of the Canadian Institute of Chartered Accountants, David Young of Lang Michener LLP, Sara Levine of Fasken Martineau, Pat Flaherty of Torys LLP and Philippa Lawson of CIPPIC.  

This paper was completed in cooperation with the Canadian Notice Index Authorized Business

Reprinted with permission. © 2006 Nymity Inc. All rights reserved

Terry McQuay is president of Nymity, Inc., based in Toronto, Ontario. Nymity provides research, education and support services for privacy professionals tasked with providing privacy expertise to corporations and not-for-profit organizations with operations in the U.S. and Canada. For more information visit www.nymity.com. McQuay can be reached at +416.214.7838 or at terry.mcquay@nymity.com
