Some interesting research has emerged from CyLab at Carnegie Mellon University. 

Lorrie Cranor and her group have been working for years on finding better ways of communicating privacy policy to users. This has included a great deal of work on P3P, which is still the basis of the Privacy settings tab in your IE8, even if most websites ignore it or abuse it.

A couple of months ago, Lorrie’s group published consumer research on better notices using various formats including the layered notice format. They concluded that a standardised ‘Food Label’ table was best.  The paper is titled Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach.

As Privacy Commissioner of Australia, I helped get a resolution adopted by data protection regulators worldwide on better notices including layering (subsequently further endorsed by the EC Article 29 Committee in Opinion WP 100). It is interesting that Lorrie Cranor has evidence for even better formats.

Another approach with great promise is the ‘arrow’ symbol that Apple has announced will be included in OS 4 for iPhones. This will tell users in a simple way whether or not an app is gathering location data about the user. Not only simple but just as importantly, empowering. 

Symbols used in this way have great potential.

Now for the next question: who is listening? 

It took a year of effort to get regulators to adopt the position on better notices and another year before the A29 group did. And there has been insufficient take up since then, although IIS has had some success with its clients on Layered Notices.

In the end, it is uptake that matters, regardless of whether driven by the market or by the law. Privacy experts have work to do.