Privacy Aware Wording
Users are exposed to many privacy policies and notifications which seek to inform them of various issues. The controllers who provide these explanations require that users fully understand the circumstances around the use of their data, specifically the purposes for which and the means by which their personal data is collected or otherwise processed. There is a great deal of information, however, so users are likely to overlook important details.
Information the controller conveys to the user is frequently overlooked due to the length and complexity of both the content and its vocabulary, which compromises the validity of consent.
Users should clearly understand the content of, and the terms used within, privacy and security software. The terms are usually formulated on an expert basis and are therefore often difficult for the average user to understand.
- Users do not want to read complex and long policies
- Users still want to understand what risks they might be taking with their data by using the service (or product)
- Controllers want to ensure that users understand risks
- Controllers need consent given by users to be informed
Construct privacy-related information using easily parsed, low-difficulty vocabulary, with short, concise sentences and enough flow to persuade the user to process it.
Users should not need to be familiar with the subject matter. They should also not be given unnecessary detail at the highest level of abstraction. Consider combining techniques from other patterns such as Layered Policy Design.
Before using the terms, one should be sure that they are clear and understandable for the target users. Therefore it is recommended to either refer to standardized terms [or] to conduct user tests on the understandability of [utilized] terms and phrases. These tests do not have to be extensive. Asking only a few representative users from the target group about their understanding of the terms should suffice.
Referring to the user as the data subject or otherwise introducing terms to the user may reduce reading comprehension. Instead of focusing on legally accurate terms, the information should make sense to the user. It should not provide a false interpretation, however. The PrimeLife example features a mock corporation which summarises information according to 'what', 'how', and 'who'.
Like many patterns which inform users, elements of Awareness Feed (like Impactful Information and Feedback) and its methods for establishing awareness go well with accessible policy aspects like this pattern.
Interpretations of privacy policies and their expression in easily understood summaries could be improved with Appropriate Privacy Icons, Icons for Privacy Policies and Privacy Color Coding. This makes for a more accessible solution with visual cues.
Accessible policies like these go well with Abridged Terms and Conditions, as they complement its need for policy summarization.
S. Fischer-Hübner, C. Köffel, J.-S. Pettersson, P. Wolkerstorfer, C. Graf, L. E. Holtz, U. König, H. Hedbom, and B. Kellermann, “HCI Pattern Collection - Version 2,” 2010.
C. Graf, P. Wolkerstorfer, A. Geven, and M. Tscheligi, “A Pattern Collection for Privacy Enhancing Technology,” The Second International Conferences of Pervasive Patterns and Applications, vol. 2, no. 1, pp. 72–77, 2010.