CIPP/US Study Guide
Chapter 4: Information Management and Privacy Risk Management

Delivering Privacy Notices - Layered, Just-in-Time, and Mobile

Notices should be accessible online and in person, with training for staff. Common techniques include the layered notice (short top layer plus full bottom layer), the just-in-time notice at or before collection, and privacy dashboards - with special care for small mobile screens. GLBA requires annual notices to financial customers.

  • Make the notice accessible online (linked from the front page) and posted at places of business
  • For financial institutions, GLBA requires that customers receive the notice annually, with clear notice of opt-out rights
  • Train personnel; HIPAA creates specific training requirements for all employees of covered entities
  • Customer service reps should have a summary script, full notice access, and know how to escalate issues

A layered privacy notice puts key points in a short top layer with a link to the full bottom layer. A just-in-time notice follows the principle of notice 'at or before the point of information collection.' A privacy dashboard summarizes privacy information and offers control. Small mobile screens make notices challenging; the FTC recommends privacy by design (or default), transparency, and simplified choices, and warns that 'legalese' notices go unread.

Key terms - quick answers

What is “Layered privacy notice”?
A short top-layer summary with a link to a comprehensive full notice in the bottom layer.
What is “Just-in-time notice”?
Notice provided at or before the point of information collection or before accepting a service/product.
What is “Privacy dashboard”?
An easy-to-navigate summary of privacy information that also offers user control.