What happens to my data? A novel approach to informing users of data processing practices

Citizens increasingly use the Internet to buy products or engage in interactions with others, both individuals and businesses. In doing so they invariably share (personal) data. While extensive data protection legislation exists in many countries around the world, citizens are not always aware (enough) of their rights and obligations with respect to sharing (personal) data. To remedy this gap, users ought to become better informed of companies’ data processing practices. In the past, various research groups have attempted to create tools to this end, for example through the use of icons or labels similar to those used in nutrition. However, none of these tools have gained extensive adoption, mostly because it turns out that capturing privacy legislation in simple, accessible graphics is a complicated task. Moreover, we believe that the tools that were developed so far do not align closely enough with the preferences and understanding of ordinary users, precisely because they are too ‘legalistic’. In this paper we discuss a user study conducted to gain a better understanding of the kinds of information users would wish to receive with respect to companies’ data processing practices, and the form this information ought to take. On the basis of this user study we found a new approach to communicating this information, in which we return to the OECD’s Fair Information Principles, which formed the basis for (almost all) data protection legislation. We end the paper with a rudimentary proposal for an end user tool to be used on companies’ Web sites.
