What is a ‘privacy nutrition’ label and why do they matter?

With the recent global events over the past few months, you may have missed Apple’s announcement in November last year. From December 8th 2020 Apple would require app developers to add privacy ‘Nutrition Labels’ to increase transparency to users. The intention being to ensure you know what data is being collected through the app you are downloading. This includes being notified of any third parties that may also be collecting your personal data, what they are collecting and why. The initiative was for the Privacy Nutrition Label to be shown on the app page before download, although what has proven more labour-intensive, is Apple’s requirement to keep them up to date. This fundamentally shifts gear into extending privacy by default for developers which has not always been the case.

Are we about to see a rippling effect of privacy nutrition labels becoming the norm on all app platforms, websites and games? We’re not sure, but in some ways we already have a form of legally required, externally facing transparency labels in the humble data protection notice.

Why are ‘privacy nutrition’ labels needed?

Unsurprisingly, a year after GDPR going live, there was an abundance of app and browser pop-ups asking for further permissions and consent for various processes. For the most part, few people clicked to acknowledge the embedded links to read the updated privacy policies. These notices were wordy and sometimes difficult to understand due to legalese, despite the GDPR calling for “clear and plain language”. (I recommend the documentary Terms & Conditions May Apply for a deeper dive on this type of activity). These pop-ups seemed like a box-ticking exercise (pun intended) in readiness for new legislation but Apple appears to be leaning into the concept of data protection as a form of Corporate Social Responsibility (CSR).

Regulators will not typically deal with every infringement brought to their attention. The UK’s Information Commissioner’s Office itself is coming under fire from UK privacy campaigners, the Open Rights Group (ORG) who intend to bring legal action against them for failing to stop what they consider to be unlawful practices by the Adtech industry (more here). The market itself, however, seems to be taking a stance.

Who will be affected?

Deals are being lost on the grounds of data protection measures not sufficiently met. The locations of data being stored are not within a specific territory due to the possibility of government intrusion. This all comes down to upfront transparency. However, this push by Apple is a sign that it’s the larger, corporate companies whose reputations and finances are suffering as a result of consumers becoming more aware.

Thousands of suppliers feed on those enterprises who, like Apple, may also be in the direct-to-consumer marketplace. Whether it is commercially motivated or more of a socially responsible corporate activity becomes a moot point.

As time goes on we, as the consumer, expect to have a clear idea of the use of our data in order to make an informed decision over a product or service. We want to have the choice over whether to accept that risk or not.

What will a ‘nutrition label’ contain?

Although there is no standard practice or templates available, here are some ideas for what a privacy “Nutrition Label” could contain:

1. Clear indication of the risks being taken by a data subject were they to continue with the service with easy to understand icons depicting the level of risk associated, with links, to the data protection notice;
2. A list of data categories captured within the product or service offering;
3. Depiction of whether consent is required for some activities and a link explaining why and how to withdraw consent;
4. The existence of auto decision-making;
5. Contact details of the Data Controller and/or data protection officer;
6. The retention period scale informing readers of the shortest and longest times data may be held with a link to further details;
7. The number of legal bases for processing personal data within the product or service offerings with a link to the data protection notice for further explanation;
8. Whether data will be transferred to a third country;
9. Icons depicting what types of data will be collected with links who may be collecting the data with explanations on why it is being collected;
10. A link to how you could take action on your data subject rights

Need help?

If you need to write a privacy notice, we have some useful information here. ​If you are trying to clarify whether you are at risk of a data breach, or want to discuss what your business needs in order to prevent a breach, we can help. Contact us for a no-obligation chat.