Through a Glass Darkly: From Privacy Notices to Effective Transparency
46 Pages
Posted: 2 Sep 2015
Date Written: September 1, 2015
Abstract
Openness is the first fundamental principle of fair information practices. Because openness involves operating in such a way that an organization’s information practices are visible, it is central to fairness. A lack of openness leaves open the potential for abuse, allowing institutions to collect and use information without protections and outside the scrutiny of regulators, consumers or privacy advocates. Beginning in the late 1970s, “notice” has served to practically implement openness in most commercial transactions. However, current notices have been widely criticized as being too complex, legalistic, lengthy and opaque.
In this paper, we argue that to achieve the openness required by the first fair information practice principle, data protection and privacy should move from a “notice” model to an environment of “transparency.” We assert that the terms “notice” and “transparency” are not synonymous and that different definitions apply to each. We define notice as the posted articulation of a company’s privacy practices and policies. In contrast, transparency is a condition of disclosure and openness jointly created by companies and policy makers based on a variety of approaches. While notice is an important element in transparency, transparency involves much more than notice as it relies not only on the posting of information, but the quality of the disclosure.
We review the history of notice and its traditional role in privacy and data protection. We consider the challenges and limitations of notice, and the attempts of business, government, privacy experts and technologists to address them as well as the lessons learned from these efforts. We also examine the implications of emerging technologies and data uses such as mobile apps, big data analytics and the Internet of Things for traditional notice. We propose what is needed to move from notice to an environment of transparency including improved notices, attention to contextual norms, integrating the design of notices into the system development process as part of privacy-by-design, public education, and new technological solutions. Finally, we present arguments for business buy-in and regulatory guidance. While we recognize that transparency is necessary but not sufficient for assuring fair data use, a discussion of issues related to the full complement of the fair information principles is beyond the scope of this paper.
Keywords: Privacy, Data Protection, Transparency, Fair Information Practices