
Privacy icon scheme underpinned by sanctions framework could help build trust in online services, say researchers

Out-Law News | 03 Nov 2014 | 3:50 pm

Businesses could display 'privacy icons' to signify good practice in personal data handling but such a scheme would need to have an enforcement element if it is to gain any traction, a new study has found.

The research, commissioned by the Centre for Copyright and New Business Models in the Creative Economy (CREATe), found that the use of privacy icons could help improve consumer trust in online services (33-page / 1.85MB PDF), but that there are challenges in developing a privacy icon scheme that can balance the need for simplicity with sufficient legal detail.

The researchers said that an EU privacy icons initiative would be useful if it could help signify whether or not websites are compliant with "basic data protection guarantees". This could be achieved through a "traffic light" system. However, they said that no work on such a scheme has yet been undertaken.

The lack of harmonised rules on privacy around the world means that any privacy icons initiative would face jurisdictional challenges, the researchers said.

"A key problem with icon or label schemes will be their international scope," the researchers' report said. "Consumers buy digital products and services globally not locally; while an icon/labelling system might be developed only for use by UK service providers and aimed at UK consumers only, its usefulness might then be limited to industry sectors strongly tied to national borders (eg energy suppliers)."

"Given differences in privacy laws, especially between the EU and the US, but also between the UK and many other EU states, and the disparity of laws throughout Asia, a system that tried to label compliance, or even 'factual' privacy features, might be very difficult to build on an international scale," the report said.

The researchers said that any new privacy icons initiative would need to be backed by "some kind of independent audit and/or complaint process, with appropriate sanctions" so as to build consumer trust. The trust would be generated because the enforcement aspect of the scheme would serve to guarantee that "service providers were actually implementing their privacy claims", they said.

"An icon or labelling scheme need not guarantee legal compliance by its members – that is the job of the privacy regulator - but it still arguably needs audit to make sure what its participants represent in their icons is accurate," the researchers said in their report. "Such audit could be supplied by working in hand (in the UK) with the Information Commissioner or, arguably, by providing an independent auditor or ombudsman."

"It would need to be considered what sanctions if any were needed for failing to implement an icon representation accurately (or more likely, perhaps, failing to maintain it after changes to the policy)," it said.

The researchers said that there were examples of privacy icon schemes that have been developed in the past but which failed to achieve a "critical mass" of support among consumers and businesses. Winning such support "would be crucial to the success of any icon scheme for privacy", they said.

The researchers said that previous studies have generally concluded that the fewer icons used to signify information on privacy to internet users, the better. However, they said some of the necessary "subtleties and complexities" of privacy information could be lost by restricting the number of icons used in any new scheme.

However, the researchers also said that introducing the concept of labelling to "the privacy realm" could have the opposite effect of overloading consumers with too much information to the point that the scheme would lose its effectiveness.

Limiting privacy icon initiatives to specific technologies or industries could help remove some of the complexity entailed in labelling, they said.

However, the burden on businesses involved in converting detailed privacy policies into simplified privacy icons is one barrier that would need to be overcome to ensure there are sufficient service providers engaged with the initiative to enable it to gain traction, the researchers said.

"Persuading service providers to translate their privacy policy into icons is itself an overhead in time," the report said. "Lack of critical mass among service providers is a key pitfall to avoid."

A voluntary code set up by the Internet Advertising Bureau (IAB) Europe requires businesses signed up to the framework to display an icon if they use adverts that track users' behaviour. If users click on the icon they are taken to a website that will enable them to switch off behavioural adverts delivered by companies that use the icon.