Despite numerous groups' efforts to score, grade, label, and rate the privacy of websites, apps, and network-connected devices, these attempts at privacy indicators have, thus far, not been widely adopted. Privacy policies, however, remain long, complex, and impractical for consumers. Communicating in some short-hand form, synthesized privacy content is now crucial to empower internet users and provide them more meaningful notice, as well as nudge consumers and data processors toward more meaningful privacy. Indeed, on the basis of these needs, the National Institute of Standards and Technology and the Federal Trade Commission in the United States, as well as lawmakers and policymakers in the European Union, have advocated for the development of privacy indicator systems.
Efforts to develop privacy grades, scores, labels, icons, certifications, seals, and dashboards have wrestled with various deficiencies and obstacles for the wide-scale deployment as meaningful and trustworthy privacy indicators. This paper seeks to identify and explain these deficiencies and obstacles that have hampered past and current attempts. With these lessons, the article then offers criteria that will need to be established in law and policy for trustworthy indicators to be successfully deployed and adopted through technological tools. The lack of standardization prevents user-recognizability and dependability in the online marketplace, diminishes the ability to create automated tools for privacy, and reduces incentives for consumers and industry to invest in privacy indicators. Flawed methods in selection and weighting of privacy evaluation criteria and issues interpreting language that is often ambiguous and vague jeopardize success and reliability when baked into an indicator of privacy protectiveness or invasiveness. Likewise, indicators fall short when those organizations rating or certifying the privacy practices are not objective, trustworthy, and sustainable.
Nonetheless, trustworthy privacy rating systems that are meaningful, accurate, and adoptable can be developed to assure effective and enduring empowerment of consumers. This paper proposes a framework using examples from prior and current attempts to create privacy indicator systems in order to provide a valuable resource for present-day, real world policymaking.
TABLE OF CONTENTS INTRODUCTION I. GOALS FOR PRIVACY INDICATORS A. More Meaningful Notice B. Consumer Empowerment C. Nudging Users and Data Processors Toward Privacy II. TYPES OF ONLINE PRIVACY INDICATORS A. Privacy Grades and Scores B. Privacy Labels and Icons 1. Privacy "Nutrition " Labels 2. Label and Icon Systems C. Privacy Certification Regimes and Seals D. Privacy Dashboards III. OBSTACLES TO MEANINGFUL PRIVACY INDICATORS A. Lack of Standardization B. Scoring Criteria Deficiencies 1. Selection of Grading Criteria 2. Weighting of Grading Criteria C. Interpretation Issues 1. Non-holistic Interpretive Approach 2. Ambiguity, Vagueness, and Silence in Privacy Statements 3. Annotator Consistency D. Rating Agent Reliability IV. LAW AND POLICY REQUIREMENTS FOR SUCCESSFUL DEPLOYMENT OF PRIVACY INDICATORS A. Legislative or Regulatory Establishment of Standardized Evaluation Criteria B. Analytical and Interpretative Approach C. Development of Standardized Icons, Location Placement, and Technical Requirements D. Reliability, Autonomy, and Sustainability of Indicator Systems CONCLUSION APPENDIX: ADDITIONAL EFFORTS TOWARD PRIVACY INDICATORS Privacy Grades and Scores Privacy Labels Privacy Certification Regimes and Seals Privacy Dashboards INTRODUCTION
Privacy policies are notoriously long, complex, and impractical for consumers. (1) To assist users of websites, internet platforms, mobile applications, and network-connected devices in evaluating privacy notices and gleaning useful information from them, many have tried to synthesize privacy content into short-hand indicators and some have tried to develop automated technological tools to create or display the indicators. These indicators include grades, scores, nutrition labels, ratings, certifications, and dashboards. (2) Despite numerous groups' efforts to score, grade, label, and rate the privacy of websites, apps, and network-connected devices, these attempts at privacy indicators have, thus far, not been widely adopted. (3)
Privacy policies, however, remain long, complex, and impractical for consumers. The ever-growing Internet of Things and growth of Big Data continue to undermine our reliance on long written disclosures, because data practices increase in complexity raising many difficulties for an accurate description that is meaningful to consumers. Communicating in some shorthand form, synthesized privacy content is now crucial to empower internet users and provide them more meaningful notice, as well as nudge consumers and data processors toward more meaningful privacy. This highlights the need to satisfy privacy concerns ex ante to assure trust in online systems.
Over the years, efforts to develop privacy grades, scores, labels, icons, certifications, seals, and dashboards have wrestled with various deficiencies and obstacles for the wide-scale deployment as meaningful and trustworthy privacy indicators. This paper identifies and explains the deficiencies and obstacles that have hampered past and current attempts to develop and deploy trustworthy and meaningful privacy indicators. Taking these problems as lessons, the paper offers criteria that can be established in law and policy so that trustworthy and meaningful indicators can be successfully deployed and adopted through technological tools.
To provide context, Section I describes the goals for privacy indicators. These goals are distilled from various past and current attempts at the generation of online privacy indicators. Despite differing methodologies and approaches, online privacy indicators have set out to achieve three similar goals: to provide consumers with more meaningful notice; to empower consumers; and to nudge data processors to improve online privacy notices.
GOALS FOR PRIVACY INDICATORS
Many have tried to develop privacy indicators. (5) Such initiatives generally seek to achieve three common objectives: provide consumers with more meaningful notice, empower consumers, and nudge data processors to improve their privacy notices and practices. The three subsections below describe each of these goals.