TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | On Creating a Prototype Transparency Notice Related reading: Report: 24% of execs implement privacy, security in planning stages




A few days ago, I wrote an article here on Transparency as the new Privacy. The article put forward the idea that the traditional website privacy policy is failing to protect the interests of online consumers. The argument was based on the idea that the privacy policy’s main goal was to protect the owners of the site, and that it had been mis-sold as a vehicle for better consumer information.

Instead, we put forward the idea of a transparency statement, as a device solely dedicated to informing visitors, principally about how their information is treated. When writing the article, we had no idea really what the transparency statement would look like, but of course the immediate challenge coming back was to produce one.

Taking that challenge up, below you can see the first images of the concept mocked up on a website. [Update: June 2, 2014: The website with Transparency Notice is now live.]

Image of possible transparency notice.

Essentially what we wanted to do was communicate data practices as clearly and succinctly as possible. This is not always easy, as clarity and brevity are not necessarily the same

First off, we changed the name to Transparency Notice—it is both shorter and a notice feels slightly softer than a statement.

The icon is an adaptation of an image we have used elsewhere—a magnifying glass with an asterisk inside. Although the magnifying glass is also connected with search in many places, it conveys the idea of looking closer at something—which seemed appropriate.

We initially thought about having the icon on its own, but decided that as a new concept it needs explanation, which is why we put the text next to the image. We expect that this could be dropped if the idea became more widely recognised and linked to this or another particular image.

A closer look.

Hovering over the icon brings up the notice itself. We wanted to make the text succinct in a bullet point style that conveys the message in as few words as possible, whilst trying to avoid potential for misinterpretation.

With the mini bullet icons we borrowed from the ideas of the traffic light labelling system being used in some supermarkets for food health messaging. We realise however that no-one would likely want to use red, as it was too danger oriented. The green tick is meant to denote privacy protection practices, and the orange ‘i’ is for data collection practices you might want to learn more about.

Further development would include adding links to both opt-out controls and the detailed privacy policy.

Of course this is very much a prototype and we would welcome all feedback, but I hope it demonstrates the core idea. We hope to release this live onto a website within a few days, when we can begin measuring interaction, as well as testing a few alternative tweaks. And if anyone would like to introduce something similar to their own site, we will be happy to help. We are already considering releasing a WordPress plugin and if there is enough interest we could develop a simple service to enable customisation and integration into any site.


If you want to comment on this post, you need to login.

  • comment Helen Allen • May 29, 2014
    Hi Richard, good effort and thank you for kicking off this subject. I do in deed hate the notices that make you loose the will to live.In saying that however, this might be a bit too short and it appears more of a commitment statement than a privacy or cookies notice. I suppose that is why you are using the transparency title. I am a bit worried about the reference to the privacy statement though. Would people consider this as an attempt to hide the "real" notice?
  • comment Radim Kolar • May 29, 2014
    Hi Richard, I like this "iconic" idea very much. I think it has a big potential, especially if it could cover all the requirements on "providing information prior to collection as required by laws".
    I think it can easily disclose basic information about involved 3rd parties. There could be one line for each major 3rd party involved, accompanied with set of icons (e.g. disclosing if it is/not cloud based, provider is/not certified, data resides in secure location, etc).
    For instance when 3rd party company would be involved (as a Data Processor), there can be a Name of the company with direct link to their Privacy Policy plus set of icons, which would more details on that involved 3rd party (e.g. if cloud based, there would be cloud icon with EU inside (for data residing in EU), US inside for cases where data resides in USA and "?!" inside for cases where data may reside in less secure countries. For the US cloud, it can actually have variance with an picture of an anchor and text "SH" indicating that the cloud company is Safe Harbor certified (similarly for PDI-DSS or other certs.)
    There could also be a special icon or set of icons for "Access + Correction + Update + Blocking + Opt-out options + ..." accompanied with a link or e-mail address, disclosing where the user may reach his/her rights and ask for questions.
    Set of icons can also indicate which category of data is collected (e.g. cookie icon for cookies, addressbook icon for contact data, red cross icon for medical and health data, IP Address icon for traffic metadata, etc.)
    There could also be line disclosing the legal grounds with icons for law, consent, business need, etc.
    In ideal case, there could be a repository of such icons e.g. maintained by W3C wo that the look and feel would be the same, ensuring, that anywhere in the world, people would see the same symbols, so it would not be so easy to present "misleading" icons.
    Theoretically such a Transparency Notice could be invoked when user's activity would result in collection of Personal data (e.g. when pressing submitt button). There could be a checkbox allowing the user to "consent" for all subsequent collectins of PD (Transparency Notice displayed only once per user), or to consent just with the particular collection (Transparency Notice invoked again with next submitt).
    Maybe it can even find it's way into some future HTML stadard, who knows :-)
  • comment Richard Beaumont • May 29, 2014
    Thanks for the comment.  Thie idea is indeed designed to be a first line of information - with the direct links into the privacy and cookie policies (including opt-out controls where applicable) for those that seek more detail.
    I agree that getting the balance is difficult - short enough to be read, long enough to carry real meaning.  We don't want this to be seen as a way to discourage reading the privacy policy, but a vehicle to make privacy practices on a site more accessible.
  • comment Richard Beaumont • May 29, 2014
    Lots of great suggestions here Radim.  It is a difficult balancing act between level of detail, and something that will actually be read and understood - but I like many of your ideas. Will think about these in the next stage of development
  • comment Agnes Kupai • Jun 1, 2014
    On Creating a Prototype Transparency Notice – I am happy to help Richard Beaumont with his transparency notice.  The following should help consumers:
    We will let you delete past data that you have provided.
    We will delete past data that we have generated about you on your request.
    We will not use your data to produce or add to personal profiles or engage in predictive profiling.
    We will let you opt-out from us using other organization's profiles about you to personalize and target business or information towards you.
    We will not engage in personalized and variable pricing practice. 
    We will let you opt-out of any data sharing regarding your data.
    We will give you choice over who has access to your data.
    We will pay you for data that you submit to us, when we share, rent, swoop or sell that data.
    We will not put any of your data into storage that is protected by exemptions to data protection law.
    We will let you opt-out of your data travelling outside your national boundaries. 
    We will provide a non digital channel for you to use when accessing our services.
    We will provide information about our goods and services to you, prior to taking your data. Your data only needs to be entered when you are sure that you want to transact business with us.