Layered Policy Design
Layered Privacy Policies / Multi-Layered Notices
As the law in various parts of the world requires a number of considerations, policies tend to be long, complex documents which are difficult to understand. The same holds true for privacy, which supplies its own legislative concerns, particularly regarding data protection. The [data] controller in these instances, provides users (data subjects) with services (or products) to which privacy policies apply. These suffer the same detail rich and superfluous content pitfalls as other policies, though are legally required to be available to users in a manner which is both understandable and complete.
The controller needs to balance comprehension and comprehensiveness in their privacy policies in order to ensure that users choose to inform themselves. If they do not, then processing their information is unlawful.
- Users do not want to read complex and long policies, and most will simply not read them unless they are very concise
- Users still want to understand any important distinctions which might cause them risks they would rather not take
- Controllers want to comply with legal requirements to avoid punitive measures as well as bad publicity
- Controllers also want users to know what they are signing up for when using a service, without being unpleasantly surprised
[Helps users] understand what they can expect about their personal data from a data controller (in terms of which data is managed, for which purposes, etc.) Also fosters simplicity, transparency and choice.
However, [multiple] versions of the privacy policies [need to] coexist, which may introduce potential contradictions; in particular, the data controller must ensure that updates are performed in parallel and coherently.
See examples at Terms of Service Didn't Read. The average user would take 76 work days to read the privacy policies they encounter each year.
- It is recommended by British Information's Commissioner Office in its Privacy Notices Code of Practice (p.55)
- This concept is quite similar to the Creative Commons license layers in the field of copyright management.
Like many patterns which inform users, elements of Awareness Feed (like Impactful Information and Feedback) and its methods for establishing awareness go well with accessible policy aspects like this pattern.
Interpretations of privacy policies and their expression in easily understood summaries could be improved with Appropriate Privacy Icons, Icons for Privacy Policies, and Privacy Color Coding. This makes for a more accessible solution with visual cues.
Accessible policies like these go well with Abridged Terms and Conditions, as they complement its need for policy summarization.
Pinnick, T. Layered Policy Design. TRUSTe Blog, 2011.
Christoph Boesch, Frank Kargl, Henning Kopp, and Patrick Mosby, “privacypatterns.eu - collecting patterns for better privacy,” 2017. [Online]. Available: https://privacypatterns.eu/#/?limit=6&offset=0. [Accessed: 18-Jul-2017].
Multi-Layered Notices Explained, White Paper, The Center for Information Policy Leadership, Hunton & Williams, http://mddb.apec.org/documents/2005/ECSG/DPM1/05_ecsg_dpm1_003.pdf