Developing Layered Privacy Notices

Design Simplifies Online Policies for Consumers

May 14, 2012.

One way of improving consumer data privacy and security online is to encourage layered privacy notices, says privacy lawyer Alan Friel.

Friel, a partner in the law firm of Edwards Wildman Palmer, spoke with Information Security Media Group about the Federal Trade Commission's privacy framework and its implications for organizations seeking to adhere to the new standards.

The framework, a set of best practices and recommendations, aims to encourage Congress to come up with a simple baseline set of privacy principles, including implementing privacy by design into online products and services before they're released to the market, and to improve the condition of online privacy policies.

"The report takes aim at how complex privacy policies have gotten," Friel says in an interview with Information Security Media Group's Eric Chabrow [transcript below].

To improve consumer privacy policies, Friel encourages his clients to provide layered privacy notices. In a layered policy, a user first sees a bullet list containing the most important items, "something that can be read on a single smart-phone screen," Friel says. Then, if a user so wishes, he or she can click through the bullets to additional layers of detail.

"It's possible to have both simple, concise notice at the point of collection or at the point of download, but at the same time have multiple layers of detail if somebody so chooses to dig into that detail," he says.

In the interview, Friel:

  • Encourages clients to adopt layered privacy notices, especially for mobile apps, in which simple explanations are presented in short, easy-to-read text on consecutive screens;
  • Explains why businesses should benefit from following the FTC privacy framework;
  • Discusses the impact of the framework on businesses whether or not Congress codifies in legislation the FTC standards presented in the report.

Friel is a partner in the intellectual property department of Edwards Wildman Palmer, where he chairs its media and technology licensing and transaction practice. He counsels clients on the privacy, data security, technology, regulatory and intellectual property implications of using mobile, digital and social media.

FTC Privacy Framework

ERIC CHABROW: What's the gist of the FTC report and how significant is it?

ALAN FRIEL: It's significant in that it outlines the commission's viewpoint on what companies ought to be doing with respect to consumer data privacy and security. It doesn't really come as any surprise and in some ways can be seen as a bit of a relief for industry insofar as it's only a set of best practices and recommendations, and two, confirms that the FTC is not planning to engage in any new rulemaking to essentially hoist regulations on the industry. They do encourage Congress to come up with a simple baseline set of privacy principles and to look specifically at ways to regulate data brokers, but as far as most data privacy and security issues go, they're looking to industry to self-regulate and would then be in the position to enforce violations of those self-regulatory schemes.

CHABROW: Would they have any authority at the moment to go further than they did and actually implement certain regulations, or do they need Congress to act?

FRIEL: That's a good question and, in fact, one of the four commissioners who dissented, Commissioner Rosch, dissented because he believes that the guidelines might in fact be turned into mandatory requirements. The FTC under its Section 5 authority - Section 5 of the FTC Act - permits the FTC to protect consumers from misleading or deceptive advertising or unfair advertising of business practices. The unfair prong has sort of changed throughout the years depending upon administration. For the most part, it needs a showing of actual injury whereas the deception prong does not, but Commissioner Rosch worries that the concept of unfairness is sufficiently vague and amorphous that these principles could be imposed essentially as a requirement. Basically, if industry for the most part adopts them, failure to adopt them might be seen as unfair.

He points out that there are a number of situations where the marketplace should be allowed to determine what consumers are given in the way of choice and that privacy by default or privacy by design, something the report advocates, is not always necessarily in the consumer's best interest.

Follow Jeffrey Roman on Twitter: @gen_sec
