Regulators Could Find Carnegie Mellon Tool for Grading Privacy Policies Useful
SANTA CLARA, Calif. -- Carnegie Mellon is developing a framework for assessing the user-friendliness of websites' privacy notices and consent options, two professors said at the USENIX Privacy Engineering Practice and Respect (PEPR) conference Monday. While aimed at companies seeking to review their methods, the tool could be useful to privacy regulators as well, Carnegie Mellon CyLab Director Lorie Cranor told us.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
UsersFirst is a framework that seeks to build a user-centered design for privacy choices, said Norman Sadeh, a computer science professor who co-directs Carnegie Mellon’s privacy engineering program. The users in question include data subjects who are targets of privacy notices, and others whose data is collected and should be informed, he said.
Common problems with how companies implement notice and choice are that often they're difficult to find and comprehend, provide inadequate choices or use manipulation to influence user choices, Saldeh noted. UsersFirst offers a taxonomy to identify those common issues, Cranor told the PEPR audience.
“Our tool could be useful for regulators to guide their analysis and also to offer guidance to people about how to comply with their laws,” Cranor emailed us afterward. “It doesn't directly address any particular privacy laws, but I could see a regulator developing guidance for organizations under their jurisdiction based on this taxonomy.”
Regulators “could point out potential compliance issues for their particular laws based on the taxonomy,” added Cranor. “The regulator could also use this to guide their own analysis when they are enforcing their laws.”