A Design Space for Effective Privacy Notices

Privacy and Security, Networks, the Internet, and Cloud Computing and Cloud Computing

Article Snapshot

Author(s)

Rebecca Balebako, Lorrie Faith Cranor, Adam Durity and Florian Schaub

Source

Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), Ottawa, Canada, pp. 1-17, July 22-24, 2015

Summary

This paper surveys the literature on “best practices” for privacy policy design, and describes how to design useable privacy policies. Most policies are ineffective. Privacy policies should consist of multiple layers, offering information when it becomes relevant.

Policy Relevance

Privacy notices should offer users real control over their information.

Main Points

  • Privacy notices should serve the needs of the system’s entire audience, which usually includes primary, secondary, and incidental users; for example, Google Glass collects information on bystanders as well as the wearer.
     
  • The privacy notice should highlight practices the audience is unlikely to expect.
     
  • Most notices should consist of multiple layers; the initial notice should be simple.
     
    • Further information should be delivered when it is relevant.
       
    • Facebook and Microsoft offer interactive privacy policies with multiple layers.
       
  • The timing of the privacy notice is important.
     
    • Notice can be given at setup (when the system is used for the first time), or just-in-time (when the information is being collected).
       
    • Systems can also provide persistent notice, periodic notice, or notice on demand.
       
  • When possible, privacy notices should include opt-in, opt-out, or other options so the user can control her level of privacy.
     
  • Android and Apple’s iOS take different approaches to privacy; iOS users may deny an app access to information but continue to use it, but Android users may not.
     
  • Privacy policies fulfil regulatory requirements, but are often ineffective or unsuitable for informing users.
     
  • New technologies like wearables or the Internet of Things will challenge designers of privacy policies; for example, small smartphone screens complicate the presentation of privacy notices.
     

 

Get The Article

Find the full article online

Search for Full Article

Share