Privacy notices: should they be precise or simple?
Aleksandr Tiulkanov
Upskilling people in the EU AI Act - link in profile | LL.M., CIPP/E, AI Governance Advisor, implementing ISO 42001, promoting AI Literacy
A fierce skirmish at first, a more peaceful discussion later: this is what just happened right before my eyes, on my LinkedIn feed. And the reason? Opposing views on how a children’s gaming company should (not) explain their data practices. Does a simplified and even gamified privacy notice like this one make sense?
I will skip the unhealthy part of the argument, especially now that the party at fault has already admitted the mistake. I will stick to the points which are worth discussing.
One side is arguing for precision: the European privacy law, they argue, envisages that data controllers must give a full and precise account of what the legal basis and purposes of data processing are and how long the data is retained. All of that must be disclosed in respect of each data category and each data processing activity. All third-party recipients must be disclosed, all international data transfers detailed, all data subjects’ rights enumerated.
Moreover, this side argues that the data controller cannot diverge from the legal terms in the General Data Protection Regulation (GDPR) and must present all this information in full and at the same time (or as they say – “without breaking context”).
The other side is arguing for context-driven simplicity: the European privacy law might be great, but it is not to be transposed word-by-word into consumer-facing documents. The data controller needs to consider what cognitive science says about the limitations of human nature.
If your customers can’t figure out what all those precise legal concepts mean for them, and why they are important, you must explain. Further still, if your customers are children, you should know better than to torture them with actual legal jargon from the GDPR and ePrivacy Directive.
I fully subscribe to this other side’s view.
In fact, the European privacy law does not require data controllers to use the legal terms from the laws verbatim in consumer privacy notices. On the contrary, article 12 of the GDPR requires privacy notices to be in plain language, concise, clear, transparent, intelligible, and easily accessible.
This means data controllers are required to avoid the terms of art which are used in the GDPR itself if this would confuse people more than help them.
We need to be clear about one simple thing: the language of the law is intended primarily for professionals. Privacy law is no exception. It uses necessarily abstract and at the same time precise language because the purpose of privacy law is to guide the behaviour of businesses and governments, who are expected to be able to afford hiring professionals to fully grasp the complex legal terms, as well as the associated case law, guidance, and doctrine.
Privacy notices are written primarily for ordinary people. And sometimes these ordinary people are children. So, necessarily, the terms and phrasing in privacy notices have to be simpler and less precise. Even more so if the information is intended for children.
The Article 29 Working Party realised this when it was preparing the Guidelines on transparency under the GDPR. There, it noted the obvious “tension between completeness and [ease of] understanding” when drafting privacy notices. Among other things, the Guidelines underline:
It’s the effect on consumers that matters. When drafting your privacy notice, you need to let people know what effect your operations will have on their life. They should not drown in the sea of only seemingly equally important information.
Data controllers get to decide what language to use. They should assess the actual risks in context, focusing the consumers’ attention on more important things at the expense of other things of lesser significance.
Data controllers should err on the side of simplicity. When dealing with the precision vs simplicity dilemma, the latter is king: “information should be provided in as simple a manner as possible, avoiding complex sentence and language structures”.
If you’re dealing with children, your language should be “child-centred”. Privacy notices should be designed to “ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children”.
Context-specific simplicity is paramount in mass communication. It is embedded in the approach to Creative Commons licensing schemes: their content licenses have three layers: human-readable, lawyer-readable, and machine-readable (yes, I guess we lawyers are somewhere in between robots and normal people).
Privacy notices are for ordinary people, so they need to be anything but lawyer-readable, and if the company deals with children, there needs to be a children-readable version too.
To give you an inspiring example from another field: watch this video. It explains the concept of blockchain at 5 levels of difficulty: from child-level to expert-level. See how it is possible, and sometimes necessary, to have largely the same concept explained for different age groups. I am saying “largely”, because of course the more you need to simplify it, the less accurate you will be able to be.
But there is one more thing: the goal of the exercise. As I said, the purpose of privacy law (as any other law) is primarily to guide the behaviour of our businesses and governments. The purpose of a privacy policy is to explain to people how our businesses and governments behave. And if children are concerned, the additional goal is to whet their appetite for privacy and self-determination in their future life, not to kill it.
The wall of legal jargon in privacy policies kills this appetite. Simple and gamified privacy notices let our children know that privacy is interesting and perhaps something they should care about when they grow up. Viewed in perspective, such children-centred privacy notices further democracy, human rights, and the rule of law.
So far, I have focused on two diverging approaches to drafting privacy notices. What I plan to do next however is to explore another way for human-centred privacy management with the help of – you may have guessed – some fancy future technology. This will be the focus of my next article – so I urge you to follow me on LinkedIn and subscribe to this newsletter.
In the meantime, if you’re not sure whether your own privacy notices are human-readable (and not just lawyer-readable), add me to your contacts here and leave a message for a quick audit and suggestions.
LL.B. (England and Wales), FIP, CIPM, CIPP/E, AI&Privacy Expert
1 year

Aleksandr Tiulkanov, I'm really grateful to you for this observation. I couldn't agree more with the idea that a privacy notice (or external policy, which is aimed at providing clear, plain and meaningful information for the data subject) should be understandable and accessible for the data subject in the first place. It's absolutely clear to me that, in accordance with the transparency principle, accessibility far outweighs preciseness. If the data subject is unable to understand what you really do with his (her) data, it does not matter how accurate, precise and detailed your privacy notice is. If you are unable to explain what you do in an accessible way for the data subject, your processing cannot meet the data subject's reasonable expectations. Therefore, your processing is not only non-transparent, but also unfair and, therefore, unlawful. So, if your policy is unclear for the data subjects, it doesn't exist at all from the GDPR point of view. Long and convoluted (legal-fashioned) notices are infringements of data subjects' rights and contrary to the basic ideas of the GDPR. Overall, I'm strongly in favour of gamification, using pictograms, video etc., as well as other user-friendly approaches.