Enhance Privacy Policy Communication through Assessment Tools
Problem Summary
Users often face difficulties in comparing and assessing privacy policies due to their complexity, length, and lack of standardisation.
Rationale
By leveraging assessment tools, organisations can provide clear, concise, and compliant privacy information to users.
Solution
Improve the communication of privacy policies to users by implementing tools that assess compliance with regulations, compare various privacy policies, and ensure alignment with data protection principles.
Such tools may summarise key privacy facts and visualise information flows, making privacy policies easier for non-expert users to understand and compare.
Railean and Reinhardt [1] present a privacy transparency tool (OnLITE) for non-expert consumers, enabling them to understand and compare how Internet of Things (IoT) devices handle data. The tool aims to address the increasing number of IoT products and their privacy implications, complying with legal acts like the GDPR by summarising key privacy facts and visualising information flows in a clear and readable manner for quick assessments, even with large datasets. For the prototype, they used information provided by the manufacturers, since that information is expected to be provided under the GDPR. Source code for the prototype and other materials are available at https://zenodo.org/records/4126346.
Liu et al. [2] developed a classification scheme based on GDPR Article 13 and annotated a corpus of 304 privacy policies to facilitate automatic compliance analysis. This annotated dataset was used to train classification models that can identify and classify sentences within privacy policies for rule-based compliance checks. They implemented a web-based tool called AutoCompliance to assist users in applying this approach and identifying compliance issues in privacy policies. The annotated dataset and the tool aim to improve transparency and help organisations ensure their privacy policies comply with GDPR requirements. While the AutoCompliance tool website is no longer available as of this writing, the dataset is accessible via a GitHub repository.
Kolter, Kernchen, and Pernul [3] focus on a user-driven, community-based approach rather than an automated compliance analysis tool. They propose a user-centric privacy architecture aimed at providing provider-independent protection of personal data. Central to this architecture is an online privacy community that empowers users to share privacy-related information, ratings, and experiences regarding service providers. The architecture includes components that allow users to define privacy preferences, which can be matched with the privacy policies of service providers. This aids users in assessing adherence to their preferences and making informed decisions about data disclosure.
Platforms: personal computers, mobile devices
Example
Collage of screenshots of the tabs of OnLITE [1].
AutoCompliance tool [2].
Privacy policy summary [3].
Use cases
- Allowing users to assess and compare privacy policies.
Pros
- OnLITE summarises key privacy facts and visualises information flows, making it easier for non-expert consumers to understand and compare how IoT devices handle data. It improves user understanding and fosters critical thinking, encouraging users to reflect on the information shown to them. It also allows for quick assessments of privacy policies even with large datasets, facilitating easier comparisons and evaluations [1].
- AutoCompliance helps users understand privacy policies by automatically identifying and classifying key sentences according to GDPR Article 13. A user study showed that AutoCompliance reduced the user reading time by 55%. Additionally, the AutoCompliance tool aids organisations in ensuring their privacy policies comply with GDPR requirements, helping to identify and address compliance issues [2].
- A community-based approach that leverages collective knowledge and experiences, helping users make informed decisions about data disclosure and privacy practices [3].
Cons
- The OnLITE study acknowledges limitations such as the absence of participants above the age of 44 and a limited number of novice participants; however, the interface design, evaluated with a broader participant range, and heuristic evaluation by experts, mostly in their forties, are considered compensatory factors. Long-term studies are also required to assess user habituation and the sustained effectiveness of the tool [1].
- The accuracy of the AutoCompliance tool's machine learning models depends on the quality and representativeness of the training data. Also, the AutoCompliance tool and similar solutions primarily support English privacy policies, limiting their applicability in multilingual contexts [2].
- The success of a community-driven approach depends on user participation and engagement over time. Additionally, the community-based platform and privacy preference tools may be complex for users who are not familiar with privacy policy analysis and digital tools [3].
Privacy Notices
Such solutions aim to communicate personal data handling practices through privacy notices [4].
- On demand
This guideline is intended to present a privacy notice to users when they actively seek privacy information.
- Visual
This guideline is for a visual notice, using visual resources such as colours, text and icons.
- Primary
This guideline can be applied to the same channel where the user is interacting with the system.
- Secondary
This guideline also supports secondary channels for constrained devices.
Transparency
Transparency [5] is the main privacy attribute since this mechanism involves the proactive distribution of information to users, promoting visually accessible communication of data handling practices and helping users to make privacy-informed decisions. Other related privacy attributes:
Providing users with comprehensive and comprehensible insights into data handling practices leverages control by allowing users to make self-determined decisions about sharing their personal data.
References
[1] Alexandr Railean and Delphine Reinhardt. OnLITE: On-line Label for IoT Transparency Enhancement. In Secure IT Systems: 25th Nordic Conference, NordSec 2020, Virtual Event, November 23–24, 2020, Proceedings. Springer-Verlag, Berlin, Heidelberg, 229–245. https://doi.org/10.1007/978-3-030-70852-8_14
[2] Shuang Liu, Baiyang Zhao, Renjie Guo, Guozhu Meng, Fan Zhang, and Meishan Zhang. Have You been Properly Notified? Automatic Compliance Analysis of Privacy Policy Text with GDPR Article 13. In Proceedings of the Web Conference 2021 (WWW '21). Association for Computing Machinery, New York, NY, USA, 2021, 2154–2164. https://doi.org/10.1145/3442381.3450022
[3] Jan Kolter, Thomas Kernchen, and Günther Pernul (2010). Collaborative privacy management. Computers & Security, 29(5), 580–591. https://doi.org/10.1016/j.cose.2009.12.007
[4] Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Symposium on Usable Privacy and Security (SOUPS 2015). [S.l.: s.n.], p. 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf
[5] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288