The ‘just-in-time notice’ introduced earlier touches not only on the topic of timing but can also be a tool to renew information and consent. Consent must be obtained before the data collection and whenever a new use of personal information has been identified. However, informed consent is also an ongoing process that changes as circumstances change. Therefore, organizations should not rely on a static moment in time, but rather treat consent as a dynamic and interactive process. Organizations should consider periodically reminding individuals about their privacy options and inviting them to review these. This concept of TIMING AND CONTEXT also includes the chance to break up notices into smaller pieces and deliver them on demand. First of all, users cannot be expected to remember, months later, the information they read when downloading an app or using a service, especially given that people use hundreds of services. Second, only pieces of information might be needed at a time, and users could better understand to what purpose they are consenting. Furthermore, the ongoing and renewed concern with privacy decisions might educate consumers in the long run. The repeated confrontation with privacy issues could increase people’s awareness of the topic. Schaub and his colleagues suggest that ‘periodic notices’ remind users of an ongoing data practice in certain time periods. They would “provide an opportunity to reaffirm user consent over time, especially when practices are not visible.” As an example, the authors name the operating system ‘iOS’, which periodically reminds users of apps that access the phone’s location in the background. However, as introduced in section 2.3, Turow and his colleagues find that the overload of privacy decisions makes people resign themselves and believe that there is no other way than consenting and disclosing data.
Moreover, Adjerid and his colleagues find evidence of a “diminishing propensity of privacy notices to impact disclosure over time, suggesting that notice may have an initial impact but that users may settle back into familiar disclosure habits in a short period of time.” Support comes again from Anderson and his colleagues. As we will see in section 4.3 when dealing with ‘warnings’, people face neurological restrictions when they are repeatedly asked to do something. ‘Just-in-time notices’ and reminders could thus rather lead to resignation and to consenting too often. Furthermore, the costs of requesting new consent may discourage organizations from pursuing new uses of information. This can then undermine the company’s drive for innovation.
The level of information needed to enable meaningful consent can vary by individual and situation. One person may be comfortable with a quick review of summarized information; another may want to do a deeper dive. One person may want to do a more in-depth review of an organization’s privacy practices up-front; another may look at information piece by piece, returning to it later when they have more time or depending on what services they are using and when. Individuals may also want the opportunity to review in detail the information that they clicked through when they originally signed up for the service.
‘Highlighting’, ‘coloring’, ‘one-pager’ and ‘pictograms’, as well as finding the right language and timing, hint at the concept of SIMPLIFICATION. Especially when dealing with complex decisions such as privacy decisions, simplification asks for more straightforward information and is a reminder of the need to fit into the information processing capabilities and decision-making processes of the individual.
For instance, communication can evolve by having clearly structured formats such as tables and standardized forms. Levy and Hastak (2008) assessed the communication effectiveness of several competing notice formats and found in their study that table notices (hinting at simplification and pictured clarity) significantly outperformed other notice styles regarding measures of judgment quality. Furthermore, research by Kelley and his colleagues (2010) shows that providing standardized privacy policies in the form of STANDARDIZED TABLES can have significant positive effects on accuracy, speed of information finding and reader enjoyment in privacy policies. The authors tested the ‘standardized tables’ against short standardized texts, normal full policy texts and layered texts. In their study, the standardized tables had ten rows, each representing a data category the company may accumulate, four columns detailing the ways that data may be handled, and two columns representing ways that data may be shared beyond the company. Relevant boxes were furthermore highlighted in dark red if the data is used or collected and light blue if it is not used or collected by the organization. In the USA, the ‘Kleimann Communication Group’ (KCG) table is applied to disclose the data usage of financial institutions to consumers. The table states in three rows why, by whom and how data is used. Taking the standardized tables and the KCG table into account, the term PRIVACY LABEL is also used to describe a standardized table. Comparable to nutrition labels, the ‘privacy label’ shall be standardized and show which data is collected, how it is used and with whom it is shared. In another study by Kelley and her colleagues, the authors find that such ‘privacy labels’, inspired by ‘nutrition labels’, outperformed standard formats in readability, recall, and comprehension. Such standards would not necessarily need to be compulsory and have the huge advantage of comparability.
Standards could foster machine readability and thus facilitate contrasting privacy policies against each other. This could be very beneficial and time-saving, not only for users but also for examining authorities. The ‘standardized tables’, together with the coloring, were well received. ‘Standardized tables’ and ‘one-pagers’ could foster clarity and reduce complexity and scope. However, the question remains which attributes, besides the example stated above, such standards should have. A more finely structured coloring could be possible, differentiating, for instance, whether data is only collected and used by the organization itself or shared with third parties. Should the implementation of such approaches be voluntary or suggested by a state or supranational institution such as the EU? The answer lies in further support for the practicality and in a political debate about the precise design of a standard. However, the comparability of privacy policies via standards already hints at the next section, where giving a context is seen as beneficial to enhance meaningful consent. But first, some simple ways are set out to assess whether customers understood privacy notices.