The Trouble With Transparency
By Dale Smith, CIPT
Every privacy professional knows by now that on January 21, 2019, CNIL, France’s Data Protection Agency (DPA), imposed a fine of 50 million
Euros against GOOGLE for violating “the obligations of transparency and
information” rules imposed by the EU’s General Data Protection Regulation
(GDPR). LINK
Since tens of thousands of complaints have been submitted to
EU DPAs against GDPR-exposed companies since May of 2018, this action against
GOOGLE does not come as a complete surprise, considering their massive market
presence and activity around the collection of personal data. What does come as a surprise (maybe even to
GOOGLE), is the fact that their alleged failure to provide proper transparency to EU data subjects is the
centerpiece of CNIL’s action. With all
due respect to GOOGLE, their EU-facing privacy policy
currently runs to 29 pages and is a masterpiece of proactive abundant disclosure
and respect for GDPR compliance. It is very, very well done, by current privacy
policy standards.
Yet CNIL as a regulator is clearly not
satisfied. What is the
trouble here? What are the “obligations
of transparency” that CNIL believes are missing from GOOGLE’s lavish recital of
privacy policy information? In CNIL’s
words – the answer is “… the information provided by GOOGLE is
not easily accessible to users.” CNIL
goes on to state – “Indeed, the general architecture of the information chosen
by (GOOGLE) does not … respect the obligations of the Regulation. Essential information such as the purposes
for which the data is processed, the length of time the data is stored, or the
categories of data used to personalize the advertisement, are excessively
scattered throughout several documents, which include buttons and links that it
is necessary to activate to read additional information. Relevant information is accessible only after
several steps, sometimes involving up to five or six actions.”
Summarizing, CNIL has judged GOOGLE’s transparency efforts on
the basis of how well they serve the needs of GOOGLE’s customers, also known as
EU citizens. The GDPR’s Article 12.1 yard
stick mandating that privacy information shall be provided “… in a concise,
transparent, intelligible, and easily accessible form, using clear and plain
language … “ has been applied.
To those of us tasked
with delivering adequate transparency under GDPR and other new and emerging
privacy laws, this a teachable moment. The
lesson: beginning in 2019, the effectiveness of privacy transparency will be judged
from the point of view of how well it serves the needs of data subjects (users,
customers, citizens, etc.), and no longer from the point of view of how well it
serves the purposes of the data controller’s business. The days of “Post and Hope” are over.
This is a major concern. If GOOGLE can’t get transparency
right, who can? Is this transparency
Armageddon? In this writer’s opinion, it
is not. On the contrary, it is a strong signal
for positive change. It is a signal that
the consumers’ helpless feeling in the “Check the I Agree Box or Go Away”
moment while viewing a legalistic privacy policy and/or a no-choice, off-topic
cookie banner could be at an end. It is
a signal that GDPR-grade transparency is here to stay. Legalistic privacy
policies will always be with us of course, but the privacy world is currently primed
to embrace a new “layered notice” paradigm for delivering privacy information
to users on their terms.
What form would a new paradigm for transparency take? What is a real-world example of how
enterprises regularly inform citizens of copious and complex information in a
way that is explicit, specific, intelligible, concise, and easily accessible? The answer can be found in the aisles of the
world’s grocery stores. It is the
ubiquitous Nutrition Facts-style label. Consider this generic example:
This Nutrition Facts
title name and font are familiar and iconic around the world. The label’s gridded framework supports clear
and plain language presenting a prospective buyer/user with a select, concise list
of best questions about this specific product. Each issue or question prompts a
clear and explicit answer. The user can
digest every detail of the information (unlikely), focus in on a fact of particular
interest (calories, sodium, carbs?) or choose to ignore the notice completely
(I trust this company, and know that the facts are here if I ever need
them).
The nutrition facts information format goes a long way to
meeting the transparency requirements of GDPR and its many derivative
regulations that are springing up around the world. But two major concepts are missing that would
make this disclosure format ideal for privacy notices.
First, privacy is much more complicated than food. Single digit or single word right-hand
“answers” to elements of the framework are often inadequate to describe privacy
concepts. For privacy facts, each answer
needs to have “drill down” capability to present multiple sublayers of
information on request. Secondly, unlike
the flat visual nutrition presentation, a Privacy Facts Notice needs to be
interactive. It needs to place digital
control into the hands of the user to navigate, view, select, drill down on,
expand on, respond to, and exit or ignore the presentation.
Fully enhanced with
“drill down” and interactive functionality, here’s a sample of how a Privacy Facts Interactive Notice (PFIN)
looks in the digital world, poised for interaction with a user.
One more major benefit emerges from marrying nutrition label
simplicity with modern digital technology.
The resulting consumer-paced dialogue now becomes operational across the
full spectrum of consumer-facing touchpoints (websites, tablets, smartphones,
mobile apps, IoT devices, venue signage, QR codes, etc.).
Like nutrition facts labeling, the simplicity and
familiarity of PFIN notices build trust between data controllers and data
subjects, enterprises and citizens, suppliers and consumers. Implementation of this new notice paradigm can
go a long way towards eliminating the decades-old trouble with transparency for
enterprises and users alike.
Questions and comments can be directed to Dale Smith at drs@privacycheq.com. For a live, remote, demonstration of PFIN and its associated authoring templates and tools, contact info@privacycheq.com.
Dale Smith, CIPT is a co-founder and Futurist at PrivacyCheq
with 38 years of experience in designing and implementing consumer-facing
digital technology.
