The communicative power of privacy policies
by Aisling Dawson (Trilateral Research)
Privacy policies can be an effective communicative tool, building up consumer trust in an organisation by communicating that organisation’s privacy practices. However, many privacy policies are long and complex, obfuscated by legal jargon and vague clauses. How can we ensure that privacy policies retain their communicative power and harness it for good? By developing a framework for analysing organisations’ privacy policies through Deep Learning techniques, the TRUST aWARE project aims to enhance consumer trust when faced with confusing privacy policies, allowing consumers to better distinguish the trustworthy from the untrustworthy.
The proliferation of privacy policies online
With online organisations collecting an increasing amount of personal data from their users, organisations within the EU and those transacting with EU citizens are legally obliged to communicate what data they are collecting, how they are using it, and if they are sharing it with third parties .
Privacy policies are documents “regulating the relationship between the user and the website”  with regards to data use. Yet, from an ethical point of view, privacy policies should not only be considered a tick-box, legal requirement. Rather, privacy policies should have a normative, communicative power that extends beyond imparting an organisations’ privacy practices: they should communicate to what extent an organisation can be trusted to promote the consumer’s best interest. In this way, privacy policies act as an assurance to the consumer which fosters trust.
Contemporary privacy policies and miscommunication
First, where consumers do not read privacy policies but accept them without necessarily trusting the vendor, this distorts the fundamental values underpinning data collection. The GDPR (General Data Protection Regulation) data collection and privacy protection framework is premised on informed consent, notice, and trust between vendor and consumer . Thus, where privacy policies are failing to communicate a company’s privacy practices and, on a deeper, normative level, are failing to communicate that the company can be trusted, this degrades the communicative function and value of such policies.
How can TRUST aWARE enhance privacy policies’ communicative capacity?
This framework enables consumers to quickly access the key elements of an organisation’s privacy practices, improving consumer comprehension of privacy policies and maximising the policies communicative capacity. Further, by highlighting the most pertinent aspects of each policy, this tool enables consumers to better distinguish between trustworthy and potentially untrustworthy policies, promoting digital privacy and security.
 European Union General Data Protection Regulation (GDPR) 2016/679, Article 5 (principles relating to the processing of personal data), Article 6 (lawfulness of processing), Article 7 (conditions for consent), Article 13 (information to be provided where personal data are collected from the data subject) and Article 14 (information to be provided where personal data have not been obtained from the data subject).
 Nili Steinfeld, ‘“I agree to the terms and conditions”: (How) do users read privacy policies online? An eye-tracking experiment’ (2016) 55 Computers in Human Behaviour 992 doi: https://doi.org/10.1016/j.chb.2015.09.038, p.994.
 Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar, and Erica Turner, ‘Americans and privacy: concerned, confused and feeling lack of control over their personal information’ (Pew Research Centre, 2019), available at: https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/ (accessed January 2022).
 Grace Fox, Theo Lynn, Pierangelo Rosati, ‘Enhancing consumer perceptions of privacy and trust: a GDPR label perspective’ (2022) 35(8) Information Technology and People 181, p.181.
 Tatiana Emrakova, Benjamin Fabian, Annika Baumann, Hanna Krasnova, ‘Privacy Policies and Users’ Trust: Does Readability Matter?’ (Twentieth Americas Conference on Information Systems, August 2014).
 David Gefen, Izak Benbasat, and Paul Pavlou, ‘A research agenda for trust in online environments’ (2008) 24(4) Journal of Management Information Systems 275, p.276.