Categories: visualizeuser-interfaceinformexplain

Privacy Labels

[Also Known As]

Privacy Nutrition Labels

Context

Users use a variety of services (or products) for which there are different effects on their privacy. The providers of these services have varying policies around that usage, and thus affect privacy differently. Typically the differences appear in a privacy policy document, or set of documents. Services encourage users to read this information, which can be quite extensive and involved. Users do not typically have the time or patience to investigate this information on their own.

Problem

Due to the effort required, users often do not investigate the various privacy policies of the services they use, leaving them uninformed about the potential consequences of their consent and choices. Services tend to have overly complex policies, and present them inconsistently, which agitates this issue.

Forces and Concerns

  • Users want to know how much personal data they must share to use a service, without unnecessary or disproportionate effort
  • Users want to quickly determine which services provide the functionality they seek with the privacy tradeoffs they can best accept
  • Controllers want users to realize what data they use, and how they use it, so that they do not process it without informed consent
  • Controllers also want users to understand the options they have in privacy preferences, and the advantages of opting into further sharing

Solution

Present the user with an standardized privacy 'nutritional' label to quickly summarize policy information.

[Structure]

_Putting a box around the label identifies the boundaries of the information, and, importantly, defines the areas that are “regulated” or should be trusted. This is a common issue when the label is placed in close proximity to other information, but may not be as significant an issue online. _

Using bold rules to separate sets of information gives the reader an easy roadmap through the label and clearly designates sections that can be grouped by similarity

Providing a clear and boldfaced title, e.g., Privacy Facts, communicates the content and purpose of the label specifically and assists in recognition.

Finally, we have defined a maximum width of 760px for this label and all following designs in this paper. One important consideration was that the privacy label design be printable to a single page and viewable in the standard width of today’s internet browsers.

[Implementation]

The tabular format can be filled in automatically if a site uses [Platform for Privacy Preferences].

Privacy Label Example

Privacy Labels use four colored squares to help convey information quickly: - Dark Red Square: we will collect and use your information in this way - 'opt out' Red Square: by default, we will collect and use your information in this way unless you tell us not to by opting out - Light Blue Square: we will not collect and use your information in this way - 'opt in' Blue Square: by default, we will not collect and use your information in this way unless you allow us to by opting in

In the short table variation, the label omits any rows (information types) which are entirely light blue (no collection or use). Instead this information gets summarized in text below the label using short natural-language format. Similar rows are merged into combined statements for brevity.

Consequences

The Privacy Label authors conducted a study where they assessed respondents' (n=764) attention to presented policies. They were able to determine how long respondents looked at each policy and where that affected their opt-out and further investigation decisions in the study. These were randomly divided between Privacy Labels (n=188), short table version (n=167), short text version (n=169), the full original policy document (n=162), and Layered Policy Design (n=78). Privacy Labels tested best among the respondents, followed by short table and text variations. Layered Policy Design was not found to perform any better than the full text when not additionally rephrasing policies.

Examples

[Known Uses]

Privacy Labels are currently implemented using Privacy Bird and Privacy Finder Their source code is also available.

This pattern complements Impactful Information and Feedback, Layered Policy Design, Privacy Aware Wording, Privacy-Aware Network Client, Awareness Feed, and Privacy Color Coding. It also implicitly complements Trust Evaluation of Services Sides through Awareness Feed, and P3P through Privacy-Aware Network Client.

As a visual cue, this pattern aids in providing Impactful Information and Feedback by augmenting it with quickly interpreted information. Unlike other visual cues, this pattern does not relate to Informed Secure Passwords.

Visual cues like this pattern also aid in providing accessible policies, and thus complement Layered Policy Design, Privacy Aware Wording, and Privacy-Aware Network Client. This pattern in particular implicitly complements P3P through Privacy-Aware Network Client.

Like many patterns which inform users, elements of Awareness Feed and its methods for establishing awareness also go well with visual cues like this pattern. It also implicitly aids Trust Evaluation of Services Sides, which provides visual representation to highlight trust levels to the user.

Pre-patterns

  • uses Financial Privacy Notice
  • refines P3P Expandable Grid, which sought to refine P3P
  • refines Simplified [Privacy] Grid
  • refines Simplified [Privacy] Label

[Sources]

P.G. Kelley, L.J. Cesca, J. Bresee, and L.F. Cranor. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. CHI 2010.

P. Kelley, J. Bresee, L. Cranor, and R. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009

Kleimann Communication Group, Inc. Evolution of a Prototype Financial Privacy Notice. February 2006. Available: http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf

Reeder, R.W. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD thesis, Carnegie Mellon. 2008. http://www.robreeder.com/pubs/ReederThesis.pdf