For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data
As we have seen in Part 4 of Privacy by Design, lengthy privacy choices can be omitted for commonly accepted practices, but what is the recommended approach for practices that fall outside this boundary? The choice has to be made meaningful through clear and concise questions, and it has to be offered at a time and in a context in which the consumer is making a decision about his or her data. For example, in online activity the disclosure and control mechanism should appear clearly on the page on which the consumer types in his or her personal information, whereas offline the disclosure and consumer control should take place at the point of sale, such as by having the cashier ask the customer whether he/she would like to receive marketing offers from other companies. A typical situation arises with social media services. If consumer information will be conveyed to a third-party application developer, the notice-and-choice mechanism should appear at the time the consumer is deciding whether to use the application and, in any event, before the application obtains his/her information. Where information sharing occurs automatically through a default setting, the consumer must be informed in plain English when he/she becomes a member of the service.
The Commission believes that businesses that take a simplified approach to providing choices will not only help consumers make decisions during particular transactions but will also facilitate consumers’ ability to compare the privacy options that different companies offer; hence, such an approach could promote meaningful competition on privacy. A simplified approach is one that does not bury choices within long privacy policies or rely on pre-checked boxes, both of which are considered ineffective.