While conducting demos of their ConsentCheq solution, PrivacyCheq Co-Founders Roy Smith and Dale Smith, CIPT, were constantly running into a problem. Clients would tell them they liked ConsentCheq’s ability to develop privacy notices, but the solution would conflict with other systems already in place.
At first, the co-founders thought they could sell companies on their solution by just featuring its privacy notice function, but they soon realized this was not feasible. This dilemma led the Smiths to use a subset of their ConsentCheq technology to create PrivacyUX, a tool that allows clients to create simple, easy-to-digest privacy notices.
Clients of PrivacyUX can enter their privacy notices into a content management system in a number of fields broken into different sections. The Smiths conducted a demo for Privacy Tech, in which they created a mock privacy notice using text from the IAPP's own notice.
“Privacy professionals who are data controllers will be able to put in information about how their organization uses data subject personal information and inform those data subjects about what their rights are under the appropriate law in their jurisdiction,” Dale Smith said. “They are going to take text right off the website.”
The data controller will be able to fill out “dialogue” layers that address different aspects of their notice, such as what data is collected and why, with whom the data may be shared, and even an “enlightened notice,” which can function as an FAQ for the company.
For each layer, there will be the description, where the data controller will enter the text from the notice, and a call to action, which acts as a set of directions. For the demo, the Smiths entered “please review this information about how the IAPP uses private data” as an example of one such call to action.
The whole data-entry process could take an hour or two, according to Dale Smith. The most time-consuming piece of the process involves assembling the text of the privacy notice, due to legal ramifications and the need for approval before it goes live.
Once all of the fields have been filled, data controllers can test out their privacy notices in a number of ways. The controller can see how the notice looks on a website, or someone can scan a QR code to have the notice pop up instantly.
For the demo, the Smiths had me text “IAPP” to a phone number on my iPhone. Within seconds, a link was texted back to me from PrivacyUX, and once I clicked on it, I was able to see the notice they had been creating during the presentation. While testing, data controllers can cycle through several different languages, such as English, French, Spanish, Italian, Dutch and Afrikaans. Once the notice has been made live, controllers can see how many times a notice has been viewed and in what language.
The Smiths have even been working on a command system for smart speakers, such as the Amazon Echo. This would allow a data subject to ask for the privacy notice of a specific company. The smart device, in turn, would then recite whatever section the person wishes to hear.
With the EU General Data Protection Regulation now in effect, the Smiths hope PrivacyUX can help companies avoid compliance penalties by providing proper privacy notices in easily consumed formats. Dale Smith said the company has been thinking about delivery methods in ways he believes his competitors have not, especially in instances where a data subject does not have a laptop on hand.
One industry they have been focusing on is hospitality, as many hotels use video surveillance and track Wi-Fi, but do not have a proper way to display their privacy notices. Dale Smith contends that hotels in the European Union are violating the General Data Protection Regulation by not alerting their clients to these practices. The Smiths think PrivacyUX could help the hospitality industry by giving hotels a tool that would allow them to print out their privacy notices, alerting customers to any data collection activities as they walk through the door.
The creation of PrivacyUX has been heavily influenced by the Article 29 Working Party’s guidelines on transparency and consent under the GDPR, and the Smiths assert no other solution on the market produces WP29-style notices. The WP29 guidelines were the motivating factor behind the decision to have privacy notices delivered through smart speakers, as the documents call for more types of technologies to be used in such a manner.
Now that the GDPR is in full swing, the Smiths will be waiting to see if more guidance comes out, whether from the European Commission or from the newly formed European Data Protection Board, before making any tweaks to the tool.
“The UX stands for user experience,” Roy Smith said. “Even though we are concerned with meeting the requirements of the GDPR, we also built this with the idea of making the user experience as good as possible, because that’s how trust is built.”