Part One in An Educational Series for EdTech Vendors

Why transparency is important

 

"Big data" refers to the idea that the collection and use of a larger quantity of data increases both the positive and the negative aspects of data. A large accumulation of data allows companies to cross-reference and combine databases and threads of information to create new information and discover insights. Often, this new information digs deeper into the private lives of individuals by creating profiles and clusters of behaviors and interests associated with them. These profiles can travel across devices, companies, apps, and, of course, time.

Following this trend, there has been a growing number of consumers worrying about privacy and unwilling to share their data. However, many consumers want a personalized experience, which is impossible without collecting or sharing any data. A survey conducted by Longitude, a Financial Times company, and sponsored by Verizon found that approximately 69 percent of all individuals surveyed believed the purpose of a data request was the business's own financial gain instead of product or service improvement. However, 45 percent of survey respondents age 18 to 24 were open-minded about data sharing, and were ready to share data in exchange for a better product or service. 

In order to make the decision about whether or not to share data, consumers must have information about what is being collected and how it will be used. This information exchange will seldom be perfect, but consumers generally expect that a company will demonstrate what they are doing with the information. In fact, according to a 2018 article in Security Intelligence, "Transparency is often a critical factor for consumers when deciding whether to establish digital trust with a company."

 

Legal rules on transparency

 

Federal level: At the federal level, there's a law dedicated to children's privacy -- the Children's Online Privacy Protection Act (COPPA) -- that specifically addresses transparency. Transparency is often interpreted to mean notice. While transparency has several other components, notice is the first step. Under COPPA's notice requirement, the operators of any website or online service associated with children's data must provide notice of the information collected as well as its use and disclosure. A parent is expected to use this information to decide whether and how to use the product with their children.

 

State level: At the state level, California stands out for its transparency requirements. The California Consumer Privacy Act (CCPA) requires that any business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section. 

 

Interestingly, this rule both prescribes and proscribes company behavior in order to create a bubble of permitted behavior. While most companies would argue for less regulation, in some cases very specific regulatory requirements actually reduce costs by making the path clear for developers to increase transparency.

 

In addition, the privacy requirement under the California Online Privacy Protection Act (CalOPPA) specifies that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual consumers who live in California who use or visit its commercial website or online service shall conspicuously post its privacy policy on its website. The term "conspicuously" seems vague but actually sits well in legal theory, as the requirement is clear. The requirements include either a privacy policy on the website or a hyperlink to the privacy policy. 

 

The California regulation raised the bar for many companies, and the public had access to privacy policies on the first or entry webpage to a product. At this point, it's rare to find any website without a privacy policy or a hyperlink. It may not appear at the top of the page or in the largest font, but post-CalOPPA, a company's privacy policy is much easier to find. Usually, it's found clustered with other legal terms in a simple menu at the bottom of a webpage.

 

Europe: The European Union, or E.U., has set a high bar for transparency, often calling out the term specifically and explaining the virtues of transparency to support the legitimate interest of data collection and use. There is less of an emphasis in the E.U. on consumer protection and transactional relationships like notice and consent, and more of an emphasis on the basic human rights of privacy and decency. 

 

The transparency requirement under the General Data Protection Regulation (GDPR) is, in fact, quite general on the subject of transparency, in that it requires that personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"). 

 

Transparent processing is about being clear, open, and honest with people from the start about who you are, and how and why you use their personal data. Note again the emphasis on "people" rather than "consumers," expanding the responsibility of data collectors and processors beyond those individuals with whom they have a contractual business relationship.

 

Best practices on transparency

 

Privacy policies, in order to be transparent, must be legible and comprehensible. An appropriate reading level is generally understood to be a high school level. If the average adult in the United States functions at an eighth grade reading level, privacy policies should not exceed a 12th grade level. In order to accomplish this level-setting, shorter sentences, shorter words, and simpler vocabulary will suffice as a proxy for software that analyzes language, although the latter does make the process more accurate.

 

Also, privacy policies should be organized into a sequence and structure that readers would expect. First, they'd want to know a bit about the product, then what data it might collect, and then how it might be used. Having run through the basics, additional details could be added describing the process for notice if there is a data breach, or what happens when a company is sold. 

 

The Common Sense Privacy Program has created a list of questions that functions not only as an in-house analytical tool for creating privacy evaluations, but also as a useful checklist for a company looking to draft a privacy policy that follows a logical sequence. 

 

Market differentiation: Advertising that the product protects privacy

 

At the baseline level, transparency allows consumers to more easily compare products on a level playing field, juxtaposing the same features or practices. Transparency works in conjunction with, rather than in opposition to, traditional marketing and advertising goals of differentiating products and services.

 

Similar to marketing copy describing products as sugar-free, fat-free, or low-calorie, there is an opportunity for companies to differentiate themselves and monetize their healthier privacy practices as a competitive advantage. It is important for companies to state that their product has no "unhealthy" privacy practices, even when the company does not engage in any, because consumers are looking to compare products across those factors.

 

No transparency means consumers expect the worst because there is no clear promise of how the company will collect or use their data, and most other products have unhealthy practices.

 

In most organizations, it's often difficult to consolidate and utilize data from different departments, as each department manages its own type of data and databases. Therefore, increasing internal transparency will make a company's data management and governance easier and simpler, as it will avoid potential duplication or contradiction among departments. That's why the first step in creating a transparent privacy policy is to gather information from all the departments and products in a company about how they will collect and use personal data.

 

In part two of this series, we will describe how the Common Sense Privacy Program looks at transparency in a privacy policy, and how they generate an evaluation of that policy that includes both legal requirements and industry best practices -- including a backstage pass to understanding the scoring process.

Jill Bronfman

Jill Bronfman served as Privacy Counsel for Common Sense. She taught law, graduate, and undergraduate students.