There are a number of factors to the GDPR (General Data Protection Regulation) that from May 2018 will change how companies communicate with users and process their personal information.

One fundamental factor is privacy notices and how organisations explain at the point of data collection what users can expect will happen to their data. In this article, we’ll dig into the topic of privacy notices more deeply, and present some best practice examples that appear to comply with the GDPR.

We all know privacy policies are painful

Who has ever read a privacy policy? Truthfully?

They are not quite as absurd as the iTunes terms and conditions (now a graphic novel), but a paper by McDonald and Cranor estimates that if the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours.

In 2010, Facebook’s privacy policy was longer than the US Constitution.

It’s this absurdity that the GDPR is attempting to tackle – privacy policies may still be long and unwieldy documents, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection.

The GDPR demands clarity through a privacy notice

This is what the GDPR has to say about the information companies provide about personal data processing – it must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

This means a simple link to your crazy-long privacy policy during registration will likely not do the trick.

As the ICO puts it when discussing the GDPR, “being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

What’s more, the information you should provide is changing, too. The lawful basis for your data processing, how long you’ll keep the data for, the user’s right to complain – these are all pointed to in the GDPR.

The following questions should be considered when writing a privacy notice:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

(Note, for the full detail on what information should be provided to the data subjects at point of data collection, readers should check out article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO here.)

What does a privacy notice look like?

All this seems pretty straightforward so far, but what then does a privacy notice actually look like?

It’s not as lengthy as the questions above may suggest; in fact, it chiefly addresses what will be done with personal data, by whom, and who it will be shared with.

Here’s an example, again from the excellent ICO guidance:

[Image: example GDPR privacy notice from the ICO guidance]

As you can see, the privacy notice is part of obtaining consent from the user (or telling them about legitimate interests, for example), and is presented at the point of data collection. (In a previous article on the Econsultancy blog we have looked at the UX of obtaining opt-in – essentially how checkboxes should be presented).

When planning privacy notices, you should be aware that more information may be needed than is shown in the example above. How much depends on what the user reasonably expects to happen to their data, and on whether you could be accused of a lack of honesty or fairness if pertinent information is withheld (e.g. the use of personal data for profiling).

You can see a longer example of a privacy notice in a blog post from Scott Sammons, privacy expert – read it here.

Examples of good privacy policy UX

Back to the GDPR. What does best practice look like?

Layers

There are two concepts of privacy policy/notice UX that the ICO advocates. The first is layering – allowing users to access easy-to-understand information and then delve more deeply if required.

The prototype from the ICO shown below uses three layers. The first is a headline question (how will we use the information about you?), the second is the collapsible information about processing and sharing, and the third is the hyperlink to the relevant section of a full privacy policy.

This layering is a good way of saving space in a mobile UI.

[Image: ICO prototype of a three-layer privacy notice]

Just-in-time privacy notices

Another superb prototype from the ICO, also useful in mobile UIs particularly, is the just-in-time privacy notice.

As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.

[GIF: ICO prototype of a just-in-time privacy notice]
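To make the two ICO patterns concrete, here is a small added example (not code from the article, the ICO or any of the sites discussed) that renders a three-layer notice and just-in-time field hints as HTML strings, and that checks a notice against the checklist questions listed earlier in the article (what, who, why, shared with, lawful basis, retention, right to complain). The property names, the checklist and the sample wording are this example’s own assumptions; the checklist is not a complete statement of Article 13. Because notice text is often edited in a CMS, the example escapes everything it places in markup and refuses policy links that are not same-site paths or http(s) URLs.

```javascript
// Added example: renders (1) a three-layer notice, headline question /
// collapsible detail / link to the full policy, and (2) just-in-time hints
// shown while a field has focus. Property names and the checklist below are
// assumptions of this example, not the article's or the ICO's.

const REQUIRED_KEYS = [
  'controller',   // who is collecting it
  'purpose',      // why it is collected and how it will be used
  'lawfulBasis',  // lawful basis for the processing
  'retention',    // how long the data will be kept
  'sharedWith',   // who it will be shared with ("nobody" is a valid answer)
  'complaint',    // the user's right to complain
  'policyUrl',    // layer 3: link to the relevant section of the full policy
];

// Notice text usually comes from a CMS; escape it before it reaches markup so
// a stray "<script>" in a hint cannot turn the notice into an XSS vector.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only same-site paths or http(s) URLs for the policy link; this rejects
// "javascript:" and protocol-relative "//other.example" links.
function isSafeLink(url) {
  return /^(?:https?:\/\/[^\s"'<>]+|\/(?!\/)[^\s"'<>]*)$/.test(String(url));
}

// Returns the checklist keys that are absent or blank; [] means complete.
function missingNoticeFields(notice) {
  return REQUIRED_KEYS.filter((k) => !notice[k] || String(notice[k]).trim() === '');
}

// Layer 1 is the <summary>, layer 2 the collapsible body, layer 3 the link.
function renderLayeredNotice(notice) {
  const missing = missingNoticeFields(notice);
  if (missing.length) throw new Error('privacy notice incomplete: ' + missing.join(', '));
  if (!isSafeLink(notice.policyUrl)) throw new Error('unsafe policy link');
  const e = escapeHtml;
  return [
    '<details class="privacy-notice">',
    '<summary>How will we use the information about you?</summary>',
    `<p>${e(notice.controller)} collects this information ${e(notice.purpose)}.</p>`,
    `<p>Lawful basis: ${e(notice.lawfulBasis)}. We keep it for ${e(notice.retention)}.</p>`,
    `<p>Shared with: ${e(notice.sharedWith)}.</p>`,
    `<p>${e(notice.complaint)}</p>`,
    `<p><a href="${e(notice.policyUrl)}">Read the relevant section of our privacy policy</a></p>`,
    '</details>',
  ].join('\n');
}

// One input plus its just-in-time hint. The hint starts hidden and is linked
// via aria-describedby so assistive technology announces it as well.
function renderJustInTimeField(field) {
  if (typeof field.name !== 'string' || !/^[A-Za-z][\w-]*$/.test(field.name)) {
    throw new Error('bad field name');
  }
  const e = escapeHtml;
  const hintId = `${field.name}-hint`;
  const optional = field.required ? '' : ' <span class="optional">(optional)</span>';
  return [
    `<label for="${field.name}">${e(field.label)}${optional}</label>`,
    `<input id="${field.name}" name="${field.name}" aria-describedby="${hintId}"${field.required ? ' required' : ''}>`,
    `<p id="${hintId}" class="jit-hint" hidden>${e(field.hint)}</p>`,
  ].join('\n');
}

// Browser only: reveal a field's hint while it has focus. Guarded so the file
// also loads under Node, where there is no document; returns the number wired.
function attachJustInTimeHints(root) {
  if (typeof document === 'undefined') return 0;
  let wired = 0;
  root.querySelectorAll('input[aria-describedby]').forEach((input) => {
    const hint = document.getElementById(input.getAttribute('aria-describedby'));
    if (!hint) return;
    input.addEventListener('focus', () => { hint.hidden = false; });
    input.addEventListener('blur', () => { hint.hidden = true; });
    wired += 1;
  });
  return wired;
}

// Constructed sample data for a donation form; the wording is invented.
const SAMPLE_NOTICE = {
  controller: 'Example Charity',
  purpose: 'to process your donation and send you a receipt',
  lawfulBasis: 'performance of a contract (processing your donation)',
  retention: 'seven years, as required for our accounts',
  sharedWith: 'our payment processor only; we never pass on your details',
  complaint: 'You can change your mind at any time, and you have the right to complain to the ICO.',
  policyUrl: '/privacy#donations',
};

const SAMPLE_FIELDS = [
  { name: 'email', label: 'Email', required: true, hint: 'Used only to send your donation receipt.' },
  { name: 'phone', label: 'Phone number', required: false,
    hint: 'We will only call if there is a problem with your payment.' },
];

function renderSampleForm() {
  return SAMPLE_FIELDS.map(renderJustInTimeField).join('\n') + '\n' + renderLayeredNotice(SAMPLE_NOTICE);
}
```

In a page, insert `renderSampleForm()` into the form and call `attachJustInTimeHints(document)` once the markup is in the DOM; the `<details>` element gives the collapsible second layer without any extra script. Running `missingNoticeFields` on every notice at build time is a cheap way to catch a form that quietly omits the retention period or the complaint wording.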

Who is adopting some of these practices?

Microsoft

As with many companies out there, Microsoft is getting some things right and others arguably not so. When I investigated signing up for an Outlook email account, I was pleased to see that the form I had to fill in employed the just-in-time technique noted above. You can see it in the screenshot below.

[Image] Just-in-time privacy notice from Microsoft

However, Microsoft doesn’t include a privacy notice at the end of the form when I am ready to sign up. Arguably there should be some information at this level about what data of mine will be used and how. I am also required to opt-out of marketing, which will be a no-no under the GDPR.

Microsoft should be given credit though for its use of layering when a user clicks through to the privacy policy. As you can see from the screenshot, there are clickable subtitles in the form of questions, top-line information given and then links to more detailed information.

[Image: Microsoft’s layered privacy policy page]


Age UK

Age UK was included in my last article about opting in to marketing consent. For a simple transaction (a donation), the privacy notice is clear, and sits next to the option to opt in to marketing.

You can see the message below. It’s not extensive; it focuses on the main area of doubt a user may have in consenting to marketing – will my data be passed on?

Age UK assuages these doubts and also details the option of changing your mind. There is then a link to a more detailed privacy policy.

It should be stressed that direct marketing may rely on the basis of legitimate interests (not always consent, though the individual still needs to be made aware at data collection). Sending email marketing is possibly governed by both the PECR and the GDPR, depending on the level of processing of data. This article by the DMA gives a handy summary.

[Image: Age UK privacy notice beside the marketing opt-in]

The charity’s privacy policy is partly shown below and was updated in April 2017. I like the layout of information. It looks well prepared for next year’s regulation and includes information about updating your details, security precautions, any transfer outside of Europe and any profiling that may take place. Check it out here.

[Image] The beginning of Age UK’s privacy policy

USwitch

USwitch has a very simple UX for comparing energy prices, but it remembers to include some just-in-time information. See the screenshots below.

Note the use of the word ‘optional’ in the phone number field, too.

[Images: two screenshots of USwitch’s just-in-time privacy hints]

However, when I went further through the process of applying for quotes, I could not see an obvious privacy notice. It may be argued that all the information I input (energy consumption etc.) is necessary to provide a quote, but I would still have been reassured with another notice about what happens to my data.

USwitch does have a good privacy policy, though, similar in style to Age UK, with clear headings and a range of information, also updated in April 2017 (see it here).

Remember…

There are likely better examples out there with whiter-than-white compliance. But remember, it’s horses for courses.

As the ICO points out, consumer expectations are key. You have to “Actively give privacy information if:

  • you are collecting sensitive information;
  • the intended use of the information is likely to be unexpected or objectionable;
  • providing personal information, or failing to do so, will have a significant effect on the individual; or
  • the information will be shared with another organisation in a way that individuals would not expect.”

Ridding the internet of legalese and promoting transparency is not a new concept

As an addendum, it’s worth noting that the challenge of keeping the user informed is one that many academics and developers have worked on before.

One nice example is the open source code available from the Application Developers Alliance. It partnered with Intuit in creating privacy notices for apps (see below) that would comply with the Mobile App Privacy Voluntary Code in the US.

[Image] Open source privacy notice from App Developers Alliance

Another example of previous attempts to bring some salience to the privacy notice is the use of iconography. There are no standard icons used to denote various levels of privacy or data use, but their appeal is obvious – they are language neutral. As the GDPR applies to users based across the EC, we cannot assume all users understand one of the major languages of the region.

Aza Raskin of Mozilla has developed privacy icons inspired by Creative Commons. Along with some standard short text, the icons simplify privacy policy, though it should be noted that most of this sort of work has been academic. There remains difficulty in the issue of jurisdiction.

[Image] Mozilla privacy icons. Image via CREATe – The use of privacy icons and standard contract terms to build consumer trust

Note that this article represents the views of the author solely, and is not intended to constitute legal advice.

Are you a privacy expert? Let us know your thoughts in the comments below…
