Privacy Nutrition Labels: A Simpler Model for Consumer Privacy Notices - Fordham Intellectual Property, Media & Entertainment Law Journal

Privacy Nutrition Labels: A Simpler Model for Consumer Privacy Notices

A core requirement of the European Union’s General Data Protection Regulation (“GDPR”) is that companies must inform consumers of what information is being collected and how such information is being used.1 As a result, when the GDPR went into effect in May 2018, consumers received an onslaught of notices regarding privacy policy updates, many of which were lengthy and cumbersome to read, let alone understand.2 According to Jonathan Coleman, it would take consumers three and a half hours to read ten GDPR-compliant privacy policies.3 Three and a half hours may not seem like much, but when you consider that the average internet user has seven social media profiles, thirty smartphone apps, and visits an average of eighty-nine websites per month, each with its own unique privacy policy, it’s easy to see how privacy notices intended to inform the public might actually lead to even more confusion.4

This issue has been further compounded by the number of privacy regulations, each with varying privacy policy requirements, that have been proposed by state legislatures across the U.S. As of March 2021, three states had passed comprehensive privacy law legislation requiring privacy policy notices, with similar legislation pending in another twenty-three states.5 At least twelve of those proposed laws would require some form of privacy notice.6 Under this patchwork of privacy legislation, consumers and companies will have to navigate a labyrinth of varying notice requirements, likely increasing costs and further burdening already time-strapped consumers.

Researchers at Carnegie Mellon University’s CyLab have developed a streamlined summary privacy notice that seeks to quickly notify consumers about how their data is being collected and used.7 The distilled notice offers an efficient model for informing consumers about their privacy rights while still satisfying the panoply of regulatory requirements. Using Food and Drug Administration nutrition labels as their inspiration, CyLab developed what they’ve termed a “privacy nutrition label.”8 The label is designed to be easy to read with colorful graphics that change as the potential privacy risks increase.9 The researchers considered both more simplified, purely graphical notice models and more detailed versions, settling on a balanced “goldilocks” approach that provides digestible information without sacrificing too much detail.10 Researchers hope that the “privacy nutrition label” might become the industry standard for “internet of things” (“IoT”) products, allowing consumers to “quickly and efficiently find information” and compare the privacy practices of various devices.11

While CyLab’s research focused on enabling IoT product comparison, the simplicity and dynamic nature of the proposed label may lend itself to broader applications. With what seems like every website and internet application sending lengthy privacy policies to their users, an easy-to-digest, uniform privacy label might offer a better solution – one that users might actually read. Moreover, as CyLab’s research notes, not only did users of their privacy label report that information was easier to find and compare, but they reported actually enjoying reading the privacy label.12 Who would have thought you could actually enjoy reading a privacy policy? Imagine that the next time a privacy policy update pops up in your inbox.


  1. General Data Protection Regulation ((EU) 2016/679).

  2. Jonathan Coleman, Here’s How Long It Would Take to Read All the New Privacy Updates, Medium (May 23, 2018), https://jonnathancoleman.medium.com/heres-how-long-it-would-take-to-read-all-the-privacy-updates-you-ve-been-getting-cd4f215cff6d [https://perma.cc/L9KN-66RS].

  3. Id.

  4. Id.

  5. Sarah Rippy, US State Comprehensive Privacy Law Comparison, IAPP (Mar. 8, 2021), https://iapp.org/resources/article/state-comparison-table/ [https://perma.cc/VJ9E-T36M] (last visited Mar. 19, 2021).

  6. Id.

  7. Patrick Gage Kelley et al., A “Nutrition Label” for Privacy 1–2 (2009).

  8. Id.

  9. Id. at 7.

  10. Id. at 5.

  11. See Patrick Gage Kelley, Designing a Privacy Label: Assisting Consumer Understanding of Online Privacy Practices, https://cups.cs.cmu.edu/privacyLabel/files/CHI-finalPoster.pdf [https://perma.cc/9UEA-7HAE] (last accessed Mar. 20, 2021).

  12. Kelley et al., supra note 7, at 10.

Rachel Winters

Rachel Winters is a third-year evening student at Fordham University School of Law, a staff member of the Intellectual Property, Media & Entertainment Law Journal, and a research assistant to Professor Olivier Sylvain. She is a Moot Court member, where she served on the Jessup bench team. In addition, she works full time as a paralegal and compliance officer at an investment management firm. She holds a B.A. with honors from SUNY Binghamton and an M.A. from The Ohio State University.