When you look at the privacy notices of some online services, you will probably be confronted with long, complicated texts that a normal person would simply scroll over and not read in full. Yet these privacy notices provide the details on which personal data is used, for which purpose it is used, who is using it and who else gets access to the data, and what rights you (the data subject) have regarding your personal data. Providing this information is required by common data protection laws such as the GDPR. The GDPR, for example, requires that transparency on personal data processing be provided in different scenarios (as defined in Articles 7, 13, and 14).
Why do we need Privacy Icons?
Using icons to depict what will happen to our personal data could replace long text descriptions. If those icons were well designed, standardized, and widely used, users could easily understand how their personal data would be used before using a web service or application. Wouldn’t that be great?
Privacy Icons and the GDPR
The GDPR explicitly states that standardized privacy icons could be used to ensure transparency in personal data processing. Article 12 (7) states:
The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
Additionally, the GDPR also sets the basis for creating standardized icons in Article 12 (8), where it states:
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
Unfortunately, even many years after the GDPR became effective, the European Commission has still not provided any privacy icons.
Privacy Icon Initiatives
Currently, three initiatives worth mentioning are going in the direction intended by the GDPR.
privacy-icons.ch
A Swiss association of attorneys and Swiss companies has created a set of icons and a guideline on how to use them. Anyone can use the icons free of charge, subject to the license terms and a mandatory registration. The icons were created with the Swiss data protection law in mind and are available as webfonts and SVG files. All information is available in English, German, and Italian on the association’s website.
Privacy Icons of LfDI Baden-Württemberg
The data protection authority of the German state of Baden-Württemberg set up a contest in August 2021, inviting proposals for privacy icons by the end of September 2021. As a result of this contest, a set of privacy icons was selected, and they are now freely available. The icons are based on the GDPR but are missing two important aspects – the purpose of processing and the categories of personal data. PNG and SVG files can be downloaded free of charge from the website, which is available only in German.
Bitkom Privacy Icons Project
Bitkom, Germany’s digital industry association, has set up a working group to develop icons and provide guidelines (only available in German) on how to use them. The icons cover the most relevant categories of personal data, processing locations, transfer types, and some processing purposes. Of all three icon initiatives, this set (in my opinion) goes best in the direction intended by the GDPR. The icons are free to use and are available for download as PNG and SVG files on the Bitkom website.
Interestingly, Bitkom’s privacy statement does not use these privacy icons, even though they have existed since 2023.
What next?
None of these currently available icons fit the need perfectly. Still, we should start using them until better icons become available. We definitely have to get rid of long and complicated privacy notices.
There have also been some research initiatives on what these icons should cover; however, they have not had any substantial results so far (as far as I am aware). Looking at the available icons, it would have been better to spend more time investigating which types of icons are needed.
Yet the idea of having standardized privacy icons to make it easier for users to understand what will happen with their personal data before they start using a service or provide consent is great and should be pursued further! Ideally, this should happen through adoption by the European Commission (or possibly even NIST or ISO) so that a standardized set of icons becomes available.