March 25, 2024
One of the fundamental principles for Personal Data Controllers is the unwavering commitment to transparency vis-à-vis data subjects. To address this requirement, Controllers have opted to issue lengthy Privacy Notices, aiming for comprehensive disclosure to the relevant data subjects. However, the question arises: does this approach represent the optimal method to guarantee transparency in personal data processing activities? The answer is demonstrably negative, due to the sheer length and intricate nature of these documents. In recognition of these shortcomings inherent in traditional Notices, the former Working Party 29 (WP29), now succeeded by the European Data Protection Board (EDPB), has actively advocated the adoption of the Layered Notice as a means to rectify these issues.
A layered notice is a multi-tiered disclosure approach for data processing practices. Information on personal data processing is presented in a graduated format, ranging from a concise summary to a comprehensive document.
The concept of layered notices has demonstrably existed in practice since the early 21st century, emerging as an effort to streamline the length of traditional privacy notices. This approach was formally endorsed by the Working Party 29 (WP29) in the Opinion 10/2004 on More Harmonised Information Provisions, adopted 25 November 2004.[i] Currently, although the GDPR does not prescribe a specific format for this type of notice, it still reflects a recommendation from the former WP29 in the Guidelines on transparency under Regulation 2016/679.[ii]
Such recommendations stem from the limitations of traditional privacy notices. Lengthy notices with dense legal jargon and extensive details can overwhelm users, hindering their ability to grasp the core aspects of data processing practices. Assuming that reading the entire notice will be a challenging task, most data subjects will abandon attempts to understand the notice altogether. As a result, the intended transparency is not achieved, potentially hampering informed consent.
A layered notice can resolve the aforementioned matters due to its valuable approach to ensuring transparency and user-friendliness in data privacy notices. Firstly, a layered notice caters to diverse data subjects with varying levels of understanding and information needs, allowing them to choose the level of detail they require – a quick overview or a deeper dive. Secondly, a multi-layered approach promotes clarity and improves the readability of the privacy notice.[iii] The more complete the data subjects' understanding, the more likely they are to make informed decisions about the practices of data controllers and processors. Overall, layered notices can be a valuable tool for organizations to achieve GDPR compliance by promoting transparency, enhancing user control, and increasing efficiency.
However, the recommended notice still poses some implementation challenges. Researchers have found that although the layered notice enables data subjects to process information faster, it also leads to a less accurate understanding of the data processing. Additionally, people are inclined to skip the long notice if they cannot locate the desired information in the first layer.[iv] Thus, careful consideration of the implementation is warranted to ensure optimal effectiveness.
With a tiered format, privacy information in a layered notice is presented in two or three layers depending on user needs. While specific content requirements exist, Data Controllers have some discretion in how many layers they use and how they distribute information within those layers. Therefore, layered notices offer some flexibility in structure.
For the first layer, WP29 recommends that Controllers provide data subjects with a clear overview of the processing of their personal data and the location of detailed information in the other layers of the privacy notice.[v] According to Recital 39 of the GDPR, the first layer should include the details of the processing purposes, the identity of the controller and a description of the data subject's rights.[vi] Presenting such information at the forefront facilitates transparency and ease of access for data subjects. Moreover, to be in line with the fairness principle, the first layer is also recommended to contain information on any serious impact of the processing on the data subject and on processing which could surprise them. In addition, Controllers can include supplementary content in the first layer, but only if they can demonstrate accountability for the prioritized information.
As for the second and third layers, in the absence of explicit directives within the WP29 Guidelines, a two-layer structure has emerged as the prevailing approach for privacy notices. This format typically features the first layer, as previously analyzed, and a comprehensive notice as the second layer. However, some privacy notices utilize a three-layer format, with the content presented in each layer varying across different notices.
For example, in the Opinion 10/2004 on More Harmonised Information Provisions of WP29, the second layer is recommended to be presented as a condensed notice with all relevant information required, such as the types of data collected, the recipients of data, choices available to data subjects, contact details, etc. This is the core layer which offers data subjects a more comprehensive overview within a single page. The third layer, in accordance with this guideline, shall incorporate comprehensive national legal details and potentially a full privacy statement with relevant national contact links.
Meanwhile, other notices usually comprise a second layer consisting of a full privacy statement and a third layer serving as either (i) a reference document, providing a comprehensive explanation of all data processing definitions and practices for users seeking in-depth information; or (ii) an interactive tool or FAQ that allows data subjects to explore answers to specific questions based on their needs.
Although the three-layer format ensures comprehensiveness in privacy notices, it can also introduce undue complexity, overwhelming data subjects with an excessive amount of information. Consequently, the use of multi-layered privacy notices may hinder, rather than promote, transparency in the processing of personal data. This outcome would directly contradict the purpose for which layered notices were originally conceived. Therefore, a third layer should be utilized only if it demonstrably improves user understanding without introducing confusion.
To sum up, a layered privacy notice should include a concise summary highlighting the essential aspects of data processing. The notice should also have well-structured layers that are easy to navigate and readily accessible. Additionally, the language used in the privacy notice should be clear and understandable, avoiding legal jargon.
In accordance with the WP29 guidelines, a layered notice can be employed in both digital and non-digital contexts to promote transparency.
In the online approach, a layered notice involves linking to the various information categories that must be provided to data subjects, rather than presenting all such information in a single on-screen notice. The first layer should be presented on a banner or pop-up no longer than one screenful. In accordance with Article 12.7 and Recital 60 of the GDPR, Data Controllers may use standardized icons within the initial layer of their data privacy notices to enhance visual clarity, promote ease of comprehension, and ensure ready accessibility for data subjects (note that the icons should be machine-readable where they are presented electronically). Besides, the link to the full notice or to its relevant parts should be made easily identifiable (e.g., a different color, underlined). After finishing the first layer, data subjects should be able to navigate directly to the section of the next layer that they wish to read. Transparency must also be maintained within subsequent layers. This can be achieved through the use of clear headings and subheadings, along with hyperlinks that connect back to the relevant sections of the first layer for more detailed information. In addition to the website version, the design of a layered notice should give due consideration to mobile-friendliness by ensuring all layers are optimized for mobile devices with easy navigation.
Multi-layered online notices are becoming increasingly widespread, especially for data controllers with complex, large-scale, and multi-purpose personal data processing activities. A typical example is Facebook[vii], which uses a two-layer notice structure: an overview (the first layer) and detailed information (the second layer). In addition, several other Controllers also implement multi-layered notice structures for their privacy policies, including Hearst, HarperCollins Publishers, Optimizely and KnowBe4.
In non-digital contexts, a layered notice can be implemented through face-to-face communication, telephone interactions, or physical materials. WP29 recommends that the first "layer" generally convey the most important information (as the online first layer does), since it is the first time the controller engages with the data subject. For example, such information can be conveyed when talking to data subjects, and a copy of, or a link to, the full version of the privacy notice can be sent by email. Meanwhile, an offline notice can be designed for use in physical locations with a concise summary (the first layer) and a QR code leading to the subsequent layers online, or a copy made available in other suitable places. For non-digital interaction with data subjects (face-to-face or by phone), it is necessary to train staff on how to deliver the first-layer summary effectively for better understanding.
In practice, Data Controllers should conduct research to understand data subjects' needs and information preferences in order to create an effective layered notice. In the design process, visual aids and clear formatting are recommended to enhance readability and accessibility. Last but not least, a periodic review process should be implemented for all data privacy notices to ensure they accurately reflect current data practices and comply with evolving regulations.
To summarize, in the context of GDPR compliance, layered notices emerge as a powerful tool for building trust and transparency with data subjects. Their structure, offering a clear and concise summary followed by detailed information, empowers users to understand how their data is handled. This user-friendly approach fosters trust by demystifying data practices upfront, while also ensuring GDPR compliance by providing comprehensive information when needed. Layered notices represent a win-win for both organizations, which demonstrate a commitment to responsible data practices, and data subjects, who gain control and understanding of their personal information.
PrivacyCompliance
[i] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2004/wp100_en.pdf, accessed 20 March 2024
[ii] https://gdpr-text.com/guidelines/transparency/, accessed 20 March 2024
[iii] WP29, Opinion 10/2004 on More Harmonised Information Provisions, adopted 25 November 2004
[iv] Aleecia M. McDonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor, "A Comparative Study of Online Privacy Policies and Formats", in Privacy Enhancing Technologies (Proceedings of PETS 2009, Seattle WA, August 2009), http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf, accessed 20 March 2024
[v] Guidelines on transparency under Regulation 2016/679
[vi] Recital 39: “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.”
[vii] https://www.facebook.com/privacy/policy/, accessed 20 March 2024