Complex products or services with layered offerings often take advantage of the readability and accessibility that short form notices offer. Mobile apps often add short form notices due to the space constraints of showing entire policies on a device. Indeed, opportunities and space for notice may likely shrink as time goes on, making short form notices even more beneficial. Key regulatory frameworks such as the GDPR already require the delivery of clear, concise summaries of data processing activities to obtain consent that are similar in many ways to short form notice (e.g., April 2018 Article 29 Working Party guidance on consent under the GDPR). Entities, including many U.S. based companies due to the GDPR’s broad extraterritoriality principle, that are alleged to have failed to deliver this information face lawsuits and regulatory enforcement (e.g., lawsuit filed against Apple alleging improperly obtained consent). The CCPA also will impose new requirements that may benefit from description in a short form notice.
Various regulators including the Federal Trade Commission and the California Attorney General (see Privacy on the Go) have weighed in on the benefits of a short form privacy notice. The National Telecommunications and Information Administration released a draft voluntary code of conduct for apps that want to use short form privacy notices. The code of conduct (found here) contains key considerations for developing a short form notice, such as defining the specific data types that an app may collect from a common list, identifying specific categories of third parties with which data may be shared and providing choice for each type of collection and sharing.