Visit hbs.edu

Privacy notice and consent for a GDPR/CCPA/IoT world

Lorrie Cranor Headshot

New privacy laws in Europe (GDPR) and the US (CCPA in California) require companies to be transparent about their data practices and offer choices to consumers. Companies spent a lot of time and effort sending out new GDPR privacy notices, and now many are hurrying to add “do not sell my personal info” links to their websites in response to CCPA.

However, traditional privacy notice and choice mechanisms have not informed consumers effectively or offered them meaningful and accessible choices. Privacy notices are often long, difficult to understand and don’t appear at opportune times. Even simple icons that signal targeted advertising options are not widely recognized and lead to mechanisms that are often difficult for users to understand and use. Constrained interfaces on smart home devices and wearables do not readily lend themselves to displaying privacy notices or offering privacy choices. Furthermore, there is little information about the security and privacy of IoT devices available to consumers when they are selecting devices to purchase, despite the fact that these devices have become notorious for collecting and using data in surprising ways.

I will discuss our research at Carnegie Mellon University, which has taken a multi-pronged approach to tackling privacy notice and choice problems in ways that inform consumers and give them meaningful choices without overwhelming them. We’ve studied existing choice mechanisms on websites to determine where they confuse users and how to improve them. We have studied user understanding of privacy icons and tag lines and gained insights into how they might be changed to better communicate. We’ve developed prototype personal privacy assistants that can analyze privacy information from IoT devices automatically and use machine learning approaches to make recommendations for or take actions on behalf of their users. Finally, we’ve developed and tested a layered security and privacy “nutrition label” for IoT devices to inform consumers when making smart device purchase decisions.

    Engage With Us

    Join Our Community

    Ready to dive deeper with the Digital Data Design Institute at Harvard? Subscribe to our newsletter, contribute to the conversation and begin to invent the future for yourself, your business and society as a whole.