December 9, 2025

When Was The Last Time You Updated Your Privacy Notice?

By: Savvas Daginis

Privacy notices are supposed to empower people. But a recent global sweep shows that many businesses still struggle to make their privacy notices understandable and user-friendly. In 2024, the Global Privacy Enforcement Network (“GPEN”) revealed that many privacy notices still fall short, often in predictable and avoidable ways:[1]

  • Complex and confusing language: More than 89% of privacy notices were found to be long or use complex language suited for those with a university education.
  • Interface interference: When asking users to make privacy choices, 42% of websites and apps swept used emotionally charged language to influence user decisions, while 57% made the least privacy protective option the most obvious and easiest for users to select.
  • Nagging: 35% of websites and apps repeatedly asked users to reconsider their intention to delete their account.
  • Obstruction: In nearly 40% of cases, sweepers faced obstacles in making privacy choices or accessing privacy information, such as when trying to find privacy settings or delete their account.
  • Forced action: 9% of websites and apps forced users to disclose more personal information when trying to delete their account than they had to provide when they opened it.

The underlying issue is simple: there is a disconnect between (a) traditional notice-and-consent laws and (b) the ever-increasing complexity of today’s information-led environment.

Whenever a business collects, uses, or retains someone’s personal information, it typically needs that person’s consent—and informed consent requires clear disclosure. As businesses digitize and introduce new tools and processing activities, the list of things that must be disclosed keeps growing. And so do their privacy notices.

As a business owner, you may then ask: what should I do?

The answer? Keep maintaining your privacy and cybersecurity program. This includes (but is not limited to) the following:

  • Governance: ensuring the office responsible for privacy and cybersecurity stays current on the ever-changing landscape, updating your internal data privacy policy, maintaining audit trails, and tracking the lifecycle of the personal information held by your business;
  • Security: reviewing your physical, administrative, and technical security controls with your IT, HR, operations, and finance professionals;
  • Risk Management: confirming your cyber insurance coverage is still appropriate for your operations, and updating your incident response plan; and
  • Public Facing Compliance: updating your business’s consumer-facing privacy notice and ensuring that it is accessible and understandable.

My question for you? When was the last time you updated any part of your privacy program?

Davis, Burch & Abrams is a business law firm that helps companies develop practical, compliant AI, privacy, and cybersecurity programs tailored to evolving technology laws. If you have any questions about this article—or if your business needs guidance to stay current with AI, privacy and cybersecurity laws in the United States or Canada—please reach out to the author, Savvas Daginis, at [email protected].

This article is for informational purposes only and should not be seen as legal advice. You should consult with a lawyer before you rely on this information.


[1] “GPEN Sweep 2024: ‘Deceptive Design Patterns’” (Global Privacy Enforcement Network, 9 July 2024), link: https://www.privacyenforcement.net/content/2024-gpen-sweep-deceptive-design-patterns-reports-english-and-french.
