Contact Us

Disruptive Competition Project

655 15th St., NW

Suite 410

Washington, D.C. 20005

Phone: (202) 783-0070
Fax: (202) 783-0534

Contact Us

Please fill out this form and we will get in touch with you shortly.
Close
Menu
Menu

Consumer Privacy and Security – Why Nutrition Labels?

· April 11, 2024

Tags

Credit: kali9

Privacy continues to be an important consideration for consumers as we advance through this data driven age. The absence of a comprehensive law at the federal level has left consumers unprotected, mainly reliant upon a confusing patchwork of state laws that has left them exposed to data breaches and other risks. As a result, users increasingly feel as if they no longer have control over their personal data. To assuage these range of consumer worries, responsible technology companies have explored a multitude of technical and non-technical solutions from using privacy enhancing technologies to improving the readability and availability of privacy notices and disclosures. However, not every possible solution needs to be new, as stakeholders are turning to a time-tested solution: the nutrition label. Like its food-labeling counterpart, the privacy label aims to provide consumers with the information they need to make informed decisions about the technology they use in their day-to-day lives.

A Brief History of the Food Nutrition Label

Necessity is the mother of invention. With the rise of processed foods came a greater need for more transparency about what consumers were putting in their bodies. After much debate from nutritionists, consumers and industry leaders, the Food and Drug Administration (FDA) unveiled the first regulations that would lead to the nutrition label as we know it in 1973. 

Although food labeling would not become mandatory for manufacturers until the passage of the Nutrition Labeling and Education Act in 1990 and final regulations weren’t published until 1993, the concerns behind the regulation had been growing for decades. Then in the late 1980s, two reports highlighting the link between proper nutrition and good health led to a sudden upswing in consumer interest. By requiring disclosure about certain negative facts from suppliers, the government hoped to help consumers make informed decisions based on “full and accurate information” about food products. In addition, the hope was that resulting market forces might also influence suppliers to include more healthy attributes in their products. 

The food label is constantly being updated to follow the latest nutritional guidance. The latest version of the nutrition label was implemented in 2020 with the following changes: the “serving size” and “calories” section must be larger and in bold, the label must specify the amount of added sugars, and has dropped the “calories from fat” section, among other changes. 

Similar to the wave of consumer concern over nutrition that swept through the U.S. in the later half of the 20th century, we are once again seeing an upswing of consumer demand for more transparency – but this time, surrounding privacy and cybersecurity.

U.S. Cyber Trust Mark: a Nutrition Label for Smart Device Cybersecurity

In response to this consumer concern, the Federal Communications Commission (FCC) has proposed the U.S. Cyber Trust Mark program for smart devices. Under this proposal, the FCC would apply the Cyber Trust Mark logo to qualifying products, and the logo would reportedly “help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.” Alongside the logo would be a QR code that consumers could scan to access the most up-to-date security information from a “national registry of certified devices.” The FCC says the surge in attacks against smart devices – totaling over 1.5 billion in the first six months of 2021 alone, per one third-party estimate – coupled with the increasing popularity of these devices requires the implementation of stronger security measures and smart consumer decision-making. 

But is a simple logo enough? One study from Carnegie Mellon University answers this question with a resounding no. A 518 participant survey revealed that consumers strongly favored fictional smart thermostat products with higher complexity and more information over a minimal label with only the trust mark and a QR code. 

Privacy Nutrition Labels: What Are They?

A logo like the trust mark isn’t enough to address consumer concerns when it comes to the use of technology in everyday life. Similar to the surge of consumer attention that played a large part in the creation of the nutrition label, Americans today are facing a crisis of confidence when it comes to both privacy and cybersecurity – namely, who is going to collect their data and how they are going to use it. A recent Pew survey shows that 81% of U.S. adults are concerned about how companies collect data, and 73% say they have little to no control over the data that these companies do collect about them. A growing number of Americans say they don’t understand the laws and regulations that protect their data privacy, with 72% saying they understand very little or nothing at all about these protective measures, a marked difference from the 63% who answered the same in 2019. 

When consumers don’t trust a company’s data collection methods, they tend to take privacy “self-defense” actions, such as “withholding, obfuscating or fabricating personal data, as well as avoiding commercial transactions that involve data” or move to more privacy-friendly competitors. The International Association of Privacy Professionals found that, in one year, 85% of consumers said they deleted a phone app, 82% opted out of sharing personal data, and 78% avoided a particular website out of privacy concerns.

To address some of these concerns, some large technology companies are taking it upon themselves to voluntarily roll out privacy measures, such as Google’s significant location history update that gives users more control over their personal data and Apple’s advanced data security that protects data stored in the iCloud with end-to-end encryption. But one of the most innovative strides platforms have taken to provide transparency is the “nutrition label” requirement on their platforms. Similar to the now-familiar nutrition labels implemented by the FDA, privacy labels aim to distill complex privacy data into easily digestible components for consumers to use in their daily lives.

Perhaps the most visible of these efforts is Apple’s introduction of privacy labels in their app store back in 2020. Apps developed after December 8, 2020 and hosted on Apple’s App Store are required to create labels that alert users on what type of data the app might collect, how that data is used, and provide Apple with information about the app’s privacy practices, including that of third-party partners. The labels aim to provide users with clear and concise guidance on data usage.

For Illustrative Purposes: A screenshot of Apple’s privacy label. 

Other companies implementing their own version of privacy labels include Amazon, Google’s Android App Store, and Google Play. Even in the generative AI space, some companies like Twilio are getting a jump on privacy concerns by announcing they will place “nutrition labels” on the AI services they offer.

Are Consumers Safer or More Informed with these Labels?

Consumers are greatly interested in privacy, and in theory, a privacy nutrition label is one way to get difficult information across to users. The public also seems to be on board. Most users in a study published by the Proceedings on Privacy Enhancing Technologies Symposium said they liked the concept of privacy labels, and found the labels useful. 

But like with any new initiative, there have been unresolved questions about the best way to administer these labels. 

Current Challenges

Lack of Common Objectives 

With more and more businesses implementing their own version of a privacy label, the absence of standardized labels makes it difficult for consumers to compare between labeling systems. TechCrunch reported in 2022 that the Apple App Store and the Google Play Store versions of the privacy label had different aims: while Apple’s labels focused on the type of data collected, data tracking, and informing the user about what data is linked back to them, Google’s focused more on responsible data collection by allowing developers to disclose their data security best practices. It would be beneficial to both consumers and developers if platforms were to agree on a universal checklist of data to include on privacy labels and include clear definitions for each category.

Lack of Standards for Reportin

While app stores have made privacy labels mandatory, the businesses rely heavily on developers to self-report the information that goes into the labels. This system creates room for human error, as developers often have inconsistent interpretations of terminology and what information they are required to report. In 2023, Mozilla tested the Google Play Store’s new privacy label to find there were discrepancies in about 80% of the apps they reviewed. The organization analyzed 40 of the Google Play Store’s most popular apps by comparing their privacy policies with the information they reported on the Google Data Safety Form, only to uncover “major” discrepancies in 16 of them and “some” discrepancies in 15. Mozilla identified that inconsistent self-reporting was at the core of these issues – for example, while Snapchat reported on Google’s Data Safety Form that it didn’t share any personal users’ data with third parties, their privacy policy stated that it may share data with “integrated third parties.” 

After a Washington Post reporter found that a third of the evaluated apps had inaccurate labels back in 2021, the House Committee on Energy and Commerce sent a letter urging Apple to “improve the validity of its App Privacy labels to ensure consumers are provided meaningful information about their apps’ data practices and that consumers are not harmed by these potentially deceptive practices.” Among their requests were more details on their auditing process, whether or not Apple ensures labels are corrected upon discovery of inaccuracies, and Apple’s enforcement policies against an app that doesn’t provide accurate information. 

The good news: there may be ways to automate a part of the process of making accurate labels, which not only will boost consistency, but efficiency and ease of use as well. The Privacy Label Wiz claims to “systematically review a comprehensive list of questions with the developer and provide them with the support they need to more accurately disclose their app’s data practices” by generating a preliminary report based on its analysis of an app’s code, then asking developers to handle a final check of the completed label. 

Lawmakers could also create incentives for technology companies to start their own privacy label initiatives or improve upon the ones they currently maintain. The House letter to Apple notably used the term “potentially deceptive practices,” which could chill future voluntary efforts towards consumer transparency. At the moment, it is unclear how these privacy labels work with state privacy requirements. Could privacy labels potentially evolve to fulfill notice requirements, like the California Consumer Privacy Act’s “notice at collection” provision? What about liability protections for businesses? These are all avenues decisionmakers could address to increase the effectiveness and popularity of use of privacy labels without the use of overly restricting regulations.

Consumer Readability Difficulties 

The labels were designed to be user-friendly, but the variance in the types of data collected and the ways it is being used means that privacy labels can become very long and very complicated, very quickly. Perhaps that shouldn’t be too surprising—some apps have privacy policies that can reach up to 4,300 words. Trying to simplify all that information into a smaller label often results in an unwieldy, difficult to use product. But hiding information below the line is also not a solution. A study comparing the usability of Android and Apple privacy labels found that “most users missed critical information because they didn’t expand the accordion interface.” 

To make reading these labels even more difficult for the average consumer, some of the data type descriptions are not immediately transparent. For example, the Apple Health app collects “sensitive info,” but there are no further descriptions of what “sensitive info” means on the label itself. For the definition, the consumer would have to go to the data types description list on their website, which explains that sensitive information includes data such as “racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data.”

More Education on Privacy Necessary 

Consumers are largely unaware of privacy labels. While consumers are supportive of the idea of privacy labels, they haven’t been very effective thus far. Some researchers believe that the lack of impact is in part because consumers didn’t know the labels existed “until we pointed them out.” For example, most participants in a study were unaware that privacy labels existed in the iOS app store, even though the labels had been rolled out a year prior, which the researchers theorized was due to the labels “requir[ing] some scrolling to discover.” More marketing of the labels or featuring the labels more prominently in the app store could solve this issue.

To boost awareness and consumer readability, public education should focus more on privacy and security at a younger age. The general public understands nutrition facts thanks in large part due to the emphasis on it in schools; per the National Center for Education Statistics, “nutrition is taught in each and every grade from kindergarten through tenth grade in over 90 percent of all public schools.” Creating a similar foundation for privacy would go a long way in creating a shared understanding of the information contained in the privacy labels, thus solving some of the concerns surrounding such labels today. 

Conclusion

Privacy labels are still in their infancy, and more research needs to be done to continue improving their efficacy, their reach, and their ease of use. In particular, technology companies should conduct market surveys on consumers and developers to narrow in on common pain points to develop the optimal privacy nutrition label. There are also other entities in the privacy label space, such as the Cylab Security and Privacy Institute at Carnegie Mellon University, that have already done intensive research into these labels and may be able to provide valuable third-party insights. Platforms should consider partnering with these entities to improve their product and meet the growing privacy demands from consumers. 

Privacy

Trust in the integrity and security of the Internet and associated products and services is essential to its success as a platform for digital communication and commerce. For this reason we’re committed to upholding and advocating for policymaking that empowers consumers to make informed choices in the marketplace while not impeding new business models.

Popular Articles