There are a number of aspects of the GDPR (General Data Protection Regulation) that, from May 2018, will change how companies communicate with users and process their personal data.
One fundamental aspect is privacy notices: how organisations explain, at the point of data collection, what users can expect to happen to their data. In this article, we'll dig into the topic of privacy notices more deeply and present some best practice examples that appear to comply with the GDPR.
We all know privacy policies are painful
It's this absurdity that the GDPR is attempting to tackle. Privacy policies may still be long and unwieldy documents, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection.
The GDPR demands clarity through a privacy notice
This is what the GDPR has to say about the information companies provide about personal data processing – it must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
As the ICO puts it when discussing the GDPR, “being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”
What's more, the information you should provide is changing, too. The lawful basis for your data processing, how long you'll keep the data for, the user's right to lodge a complaint with a supervisory authority – these are all pointed to in the GDPR.
The following questions should be considered when writing a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
(Note, for the full detail on what information should be provided to the data subjects at point of data collection, readers should check out article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO here.)
What does a privacy notice look like?
All this seems pretty straightforward so far, but what then does a privacy notice actually look like?
It's not as lengthy as the questions above may suggest; in fact, it chiefly tackles what will be done with personal data, by whom, and who it will be shared with.
Here’s an example, again from the excellent ICO guidance:
As you can see, the privacy notice is part of obtaining consent from the user (or telling them about legitimate interests, for example), and is presented at the point of data collection. (In a previous article on the Econsultancy blog we have looked at the UX of obtaining opt-in – essentially how checkboxes should be presented).
When planning privacy notices, you should be aware that more information may be needed than shown in the example above. What is needed depends on what the user reasonably expects to happen to their data, and on whether a charge of unfairness or dishonesty could be levelled if pertinent information is withheld (e.g. the use of personal data for profiling).
You can see a longer example of a privacy notice in a blog post from Scott Sammons, privacy expert – read it here.
Back to the GDPR. What does best practice look like?
This layering (a short summary of the key points up front, with links through to the fuller detail) is a good way of saving space in a mobile UI.
Just-in-time privacy notices
Another superb prototype from the ICO, also useful in mobile UIs particularly, is the just-in-time privacy notice.
As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.
Who is adopting some of these practices?
As with many companies out there, Microsoft is getting some things right and others arguably not so. When I investigated signing up for an Outlook email account, I was pleased to see that the form I had to fill in employed the just-in-time technique noted above. You can see it in the screenshot below.
Just-in-time privacy notice from Microsoft
However, Microsoft doesn't include a privacy notice at the end of the form when I am ready to sign up. Arguably there should be some information at this level about what data of mine will be used and how. I am also required to opt out of marketing, which will be a no-no under the GDPR.
Age UK was included in my last article about opting in to marketing consent. For a simple transaction (a donation), the privacy notice is clear, and sits next to the option to opt in to marketing.
You can see the message below. It's not extensive; it focuses on the main area of doubt a user may have in consenting to marketing – will my data be passed on?
It should be stressed that direct marketing may rely on the basis of legitimate interests rather than consent, though the individual still needs to be made aware at the point of data collection. Sending email marketing is governed by both PECR and the GDPR: PECR sets the rules on when electronic marketing messages may be sent, while the GDPR governs the processing of the personal data behind them. This article by the DMA gives a handy summary.
USwitch has a very simple UX for comparing energy prices, but it remembers to include some just-in-time information. See the screenshots below.
Note the use of the word ‘optional’ in the phone number field, too.
However, when I went further through the process of applying for quotes, I could not see an obvious privacy notice. It may be argued that all the information I input (energy consumption etc.) is necessary to provide a quote, but I would still have been reassured with another notice about what happens to my data.
There are likely better examples out there with whiter-than-white compliance. But remember, it's horses for courses: what a notice needs to say depends on the data being collected and what the user would expect.
As the ICO points out, consumer expectations are key. You have to “Actively give privacy information if:
- you are collecting sensitive information;
- the intended use of the information is likely to be unexpected or objectionable;
- providing personal information, or failing to do so, will have a significant effect on the individual; or
- the information will be shared with another organisation in a way that individuals would not expect.”
Ridding the internet of legalese and promoting transparency is not a new concept
As an addendum, it’s worth noting that the challenge of keeping the user informed is one that many academics and developers have worked on before.
One nice example is the open source code available from the Application Developers Alliance. It partnered with Intuit in creating privacy notices for apps (see below) that would comply with the Mobile App Privacy Voluntary Code in the US.
Open source privacy notice from App Developers Alliance
Another example of previous attempts to bring some salience to the privacy notice is the use of iconography. There are no standard icons used to denote various levels of privacy or data use, but their appeal is obvious: they are language neutral. As the GDPR applies to users based across the EU, we cannot assume all users understand one of the major languages of the region.
Image via CREATe – The use of privacy icons and standard contract terms to build consumer trust
Note that this article represents the views of the author solely, and is not intended to constitute legal advice.
Are you a privacy expert? Let us know your thoughts in the comments below…