Terry McQuay

Short Notice for Privacy

A short notice is a summary of an organization's privacy policies and procedures that is made available to consumers. Short notices are usually used in the following circumstances:

• When there are physical limitations to providing full notice, for example in coupons, marketing forms, surveys or customer mailers;
• To provide clarity to a consumer with a summary of the key elements in a readily available full notice (recommended); or
• When an organization chooses not to be transparent about its privacy policies and procedures and instead provides the minimal information believed to be required (not recommended).

Typical locations of short notices for privacy include:

• On corporate websites, as a summary of an organization's full privacy notice;
• As a mailer sent to customers; and
• As a poster, say in a customer service or retail location.

The increased momentum of short notices in a multi-layered privacy notice has resulted from:

1. Corporations' increased desire to provide consumers easy and quick access to key information from the organization's privacy policy to allow them to make informed decisions.
2. An emerging international movement popularizing a standard format for short notices.
3. A desire for corporations to demonstrate a commitment to privacy to consumers, businesspartners and regulators.

Business Case for a Short Notice for Privacy

Consumers and commissioners' offices complain about privacy notices being lengthy, using too much legalese and generally being very hard to understand. Consumer studies indicate that long privacy policies build distrust, as consumers feel the organization is hiding their true privacy practices. Nymity's studies have found that in some cases this may be true, but the vast majority of organizations are trying to balance legal requirements with building trust.

A short notice for privacy effectively balances legal requirements, being transparent, meeting commissioners' objectives and building trust. A short notice provides consumers the key privacy provisions required to make a quick and informed decision about providing their personal information.

Creating a short notice for privacy is a simple, effective and cost-effective way to demonstrate an organization's commitment to privacy to consumers, business partners and the commissioners' offices.

The Value of a Standardized Short Notice

If all organizations were to use the same short notice format, consumers would have an easily understood and consistent format to compare organizations' privacy policies and practices. A standardized short notice format would be similar to nutrition labeling, as Nutrition Facts statements allow consumers to quickly identify key information and compare products to make an informed purchasing decision.

Just like nutrition labels, a standardized format for short notice in the form of a Privacy Fact Statement would allow consumers to quickly understand:

• What personal information the organization collects;
• How an organization uses and shares personal information;
• Choices available;
• Important considerations related to providing personal information; and
• How to contact the organization.

Fortunately, there is an emerging international standard for short notice adopted by some of the major public and private sector organizations in Canada and abroad.

Privacy Fact Statements - Standardized Short Notice

The standardized short notice Format outlined in this guide is based on the Berlin Memorandum of the Working Party under Article 29 of Directive 95/46/EC in December of 2004.

This format is quickly becoming the international standard for short notice. This is due to its simplicity and functionality. Several organizations have adopted short notices and created what Nymity calls Privacy Fact Statements, including:

Private Sector

• Equifax Canada
• Microsoft
• P&G
• JPMorgan Chase
• Kodak

Public Sector

• Privacy Commissioner of British Columbia
• Australian Government
• US Postal Service

Three uses of Privacy Fact Statements are: the first layer of an online multi-layered privacy notice, posters and mailed privacy notices. Privacy Fact Statement benefits:

Consumers - Privacy Fact Statements allow consumers to understand the organization's privacy policies at a glance and allow for quick comparisons with other organizations using the same format. In an industry such as banking where privacy practices are similar, a Privacy Fact Statement would highlight other trust-building documents to allow the financial institution to differentiate itself while providing key information. An example of an organization providing additional value to consumers through its privacy notice would be documentation for consumers on protecting themselves from identity theft or phishing.

Businesses - Privacy Fact Statements help organizations build consumer trust, as they quickly provide consumers the information they need to make a decision and indicate an organization has nothing to hide. The results are increased revenues and reduced numbers of complaints. They also put the organization in good standing with privacy commissioners and business partners, by demonstrating the corporation's commitment to privacy. Privacy Fact Statements, when used with effective full privacy notices, reduce the organization's exposure to privacy risk.

A paper from the federal privacy commissioner's office states:

"14-page privacy notice does not necessarily do a better job on knowledge and consent than a one-page privacy notice. Long and tangled privacy notices are at best confusing and frustrating. At worst they infer consent for just about any use for the personal information that could be imagined and make a mockery of the spirit of the law. Clear language in privacy notices is essential."

Guide to Creating a Privacy Fact Statement

Research used by the working group has shown that privacy notices should be short with fewer than seven categories and fewer that twenty-eight lines of text.

Privacy Fact Statement Structural Components

The Berlin Memorandum, on which Privacy Fact Statements are based, calls for a privacy short notice to be one page in length and use the subheadings:

1. Scope;
2. Personal Information Collected;
3. Uses and Sharing;
4. Your Choices;
5. Important Information; and
6. How to Contact Us.

General Guidelines

A Privacy Fact Statement must:

• Have language that is neutral, non-propagandistic and void of legalese;
• Include the key facts relevant to consumers decisions;
• Fit on one page;
• Contain four or fewer bullets per subheading;
• Link to or refer to a full notice;
• Avoid the use of privacy principles;
• Limited use of marketing language; and
• Not conflict with the full notice.

It can also contain links to key information in the full notice; for example, a list of affiliates or details on types of information collected.

The key components of a Privacy Fact Statement are the use and sharing of an individual's personal information and what options consumers have. Information related to safeguards, data retention, accuracy and accountability for the organization's actions could be reserved for the privacy policy. Explaining the privacy principles is not required, or desired. What is needed are the "privacy facts."

Privacy Fact Statement Structural Guide

Six components of a short notice are:

1. Scope - Seemingly simple in concept, Nymity research has found that there are many considerations for defining the scope of an organization's privacy notice. The scope of the notice must deal with: who is covered by the notice; website versus corporate application; employees, if appropriate: which jurisdictions the notice applies to; which organizations and affiliates are covered; plus many other considerations.
The Privacy Fact Statement Scope subheading should be a single sentence that covers the key components necessary for the consumer to understand to whom the consumer is providing their personal information.
The Scope subsection should answer the questions:

What company is responsible for the information I provide?
Does this privacy notice apply to personal information collected by phone, by mail, in person or just online through the website?

2. Personal Information - Nymity's research has shown that privacy notices that effectively define personal information provide examples of what is and is not personal information, and details about where information is obtained. This serves to mitigate privacy risk and build trust. Although there are dozens of considerations for privacy policies, the short notice only requires what personal information is collected where and when.
This section should answer the questions:

• What is considered personal information?
• What personal information is the organization collecting?
• Where does this organization get my personal information?
• When does the organization collect my personal information?

Some organizations may struggle with stating the sources of personal information collected and wish to keep this information buried in the privacy policy, if, for example, they rent lists from other sources. Including this information in a short notice quickly provides consumers notice of where the organization has obtained their information and allows them to quickly opt out of future use of that information. Allowing consumers to quickly understand and opt out is less likely to damage the organization's brand and minimizes the chances of a complaint. (See Nymity's paper "Privacy Notice - Nymity's Primer for Transparency" for a discussion on who reads privacy notices at www.nymity.com.)

3. Uses and Sharing - Nymity's research has found that providing notice of Uses and Sharing of personal information is the key component of transparency, and thus the key to effective Privacy Fact Statements. Our research has found over forty criteria for privacy policies in this area to mitigate privacy risk and build trust, but only the three or four key provisions are required for the Privacy Fact Statement.
The Uses and Sharing subsection should answer the questions:

• How will the company use my information?
• In what circumstances is my information shared?

In this section the tendency is to explain how the information is not used, for example, "We will not sell your information." This is fine, as long as it is true, although an affirmative statement is usually better. A statement that an organization does not sell information must not be misleading, for example, when the organization rents or trades personal information. This could be considered deceptive and lead to complaints to one of the privacy commissioners in Canada.

Also, an organization shouldn't state, "We don't share your information without your consent" when they rely on implied consent (opt-out), as that is misleading and could lead to complaints. These organizations should state "We share information about you with other companies so they can offer you their products and services" and let the consumer read the next section related to their opt-out choices. But if express consent is used (opt-in), then "We don't share your information without your explicit consent" is a trust-building statement.

4. Your Choices - Consumers have choices relating to accessing and updating their personal information. They have the ability to complain and withdraw consent. Nymity has identified over dozens of transparency considerations for effectively providing notice that mitigates privacy risk and builds trust related to choices. One of these requirements, as defined by the Canadian Marketing Association, mandates that organizations provide consumers with choices that are easy to understand, easy to find and easy to act on.

The Your Choices subsection should answer the questions:

• When can I withdraw my consent, and when may I not?
• Can I access and update my information?
• How do I make changes?

As it is likely that an organization wants to have customer service deal with consumer choices, a toll-free number should be provided. The advantage of this approach is that customer service calls explain what the individual what is opting out of while providing the organization with another opportunity to position its products and services. Of course, customer service must be trained to identify privacy concerns and escalate the call when required.

5. Important Information - This section deals with areas in which organizations wish to differentiate themselves from their competitors, increase trust, increase clarity or further mitigate risks. This section includes the key elements in the privacy policy that organizations should make known to a consumer. The contents can vary widely.

Potential questions answered in the section include:

• Where is the privacy policy (full notice)?
• What material changes have been made to the policy?
• What educational privacy and security materials does the organization provide?
• What privacy seals does the organization have?
• What privacy awards has the organization won?
• How do I find the FAQs (which generally is a listing of key information, as few consumers ask questions related to privacy policies)?
• Are there any special legal requirements I should know about?

6. How to Reach Us - This subsection provides consumers with contact information for the privacy office. Where applicable, it should be clear to consumers when they should contact the privacy office instead of customer service.

This section should answer:

• How do I call the privacy officer?
• How do I email the privacy officer?
• When do I call the privacy officer?
• When do I call customer service?

Example Privacy Facts Statement

An example of a privacy short notice can be found at Equifax Canada www.equifax.ca.

Next Steps

1. Read Nymity's paper called "Privacy Notice - Nymity's Primer for Transparency" (www.nymity.com) to learn about the value of multi-layered privacy notices.
2. Upgrade your privacy policy and/or full notice prior to creating a Privacy Fact Statement.
3. Recommendation: Use Nymity's Canadian Notice Index, as it provides extensive research for creating effective privacy policies and notices.
4. Once the Privacy Fact Statement is created, contact Nymity so that your firm can be listed in the Privacy Fact Statement directory.
5. Submit your policy for Nymity's next assessment of privacy policy for the Top Privacy Policy Awards in Canada.

Special Thanks

Special thanks to Malcolm Crompton of Information Integrity Solutions, Martin Abrams of the Center for Information Policy Leadership, Robin Gould-Soil and Anna Sheehan of TD Bank Financial Group, Wally Hill of the Canadian Marketing Association, Steve Heck of Microsoft, John Wunderlich of Ceridian, Bryan Walker of the Canadian Institute of Chartered Accountants, David Young of Lang Michener LLP, Sara Levine of Fasken Martineau, Pat Flaherty of Torys LLP and Philippa Lawson of CIPPIC.  

This paper was completed in cooperation with the Canadian Notice Index Authorized Business

Reprinted with permission. © 2006 Nymity Inc. All rights reserved

Terry McQuay is president of Nymity, Inc., based in Toronto, Ontario. Nymity provides research, education and support services for privacy professionals tasked with providing privacy expertise to corporations and not-for-profit organizations with operations in the U.S. and Canada. For more information visit www.nymity.com. McQuay can be reached at +416.214.7838 or at terry.mcquay@nymity.com

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it