Recently, the FTC and eight federal regulators of the financial industry in the US have proposed adoption of a model privacy notice form. This form would be used by financial institutions to inform customers about the institution’s privacy practices, and provide opt-out opportunities for the sharing of personal information.
This model privacy notice was developed using iterative, user-centred research and development. A report by the Kleimann Communication Group describes the research that went into the prototype. The goal of the project was to develop a paper-based privacy notice that was comprehensive, comprehensible, standardized to allow comparisons, and compliant with existing regulations.
The research and development process was conducted over 16 months and included 2 focus groups of 10 people each, preference testing with 7 participants, pre-testing with 4 participants, and diagnostic usability testing with 35 participants in 5 US cities. The model notices were revised during each of these steps. Page 1 of the final 3 page form is shown below.
The prototype privacy notice contains 4 main sections: (1) a “key frame” that answers generic Why, What, and How questions concerning the sharing of personal information; (2) a disclosure table that states the practices of the specific financial institution using the form (e.g., information is shared with affiliates for marketing purposes), and whether the customer can control those practices (i.e., opt-out options); (3) a secondary frame that provides definitions (e.g., “affiliates”) and answers to frequent questions (e.g., Why can’t I limit sharing?); (4) and an opt-out form where customers indicate their privacy choices.
The final prototype notice appears to be a usable and flexible tool for gaining understanding and consent. Follow-up evaluation is being planned once the notices have been used with the general public.
The development methodology and the resulting model forms might be applied to other areas where notice and consent are required. For example, participant consent forms used during research on human subjects are often overly long and complicated, often with the intent of appeasing an ethics review board rather than informing the participants. Perhaps this approach used for privacy notices could be used to improve and standardize these consent forms.