SoK: Three Facets of Privacy Policies
Privacy policies are the main way to obtain information related to personal data collection and processing. Originally, privacy policies were presented as textual documents. However, the unsuitability of this format for the needs of today’s society gave birth to other means of expression. In this paper, we systematically study the different means of expression of privacy policies. In doing so, we have explored the three main categories, which we call facets, i.e., natural language, graphical and machine-readable privacy policies. Each of these facets focuses on the particular needs of the communities they come from, i.e., law experts, organizations and privacy advocates, and academics, respectively. We then analyze the benefits and limitations of each facet, and explain why solutions based on a single facet do not cover the needs of other communities. Finally, we set guidelines and discuss challenges of an approach to expressing privacy policies which brings together the benefits of each facet as an attempt to overcome their limitations.
💡 Research Summary
The paper “SoK: Three Facets of Privacy Policies” provides a systematic examination of how privacy policies are expressed and the inherent trade‑offs among three dominant representation styles, which the authors term “facets”: natural language, graphical, and machine‑readable. Beginning with the observation that privacy policies are the primary mechanism for informing data subjects (DS) about personal data collection and processing, the authors note that traditional textual policies are increasingly inadequate for modern regulatory, usability, and enforcement needs.
The authors first distill three core requirements derived from major regulations such as the EU General Data Protection Regulation (GDPR), the US Fair Information Practice Principles (FIPPs), and the California Consumer Privacy Act (CCPA): (1) legal validity, (2) understandability for all stakeholders, and (3) enforceability/auditability in data‑processing systems. They then argue that existing policy representations each satisfy a subset of these requirements but none fulfills them all.
To structure the analysis, the paper adopts a slightly modified version of Wilson et al.’s privacy‑policy taxonomy, which comprises nine items: First‑Party Collection, Third‑Party Collection, Legal Basis, Data Subject Rights, Data Retention, Data Security, Policy Change, Other, and Choice Control. The taxonomy is mapped against each facet to assess coverage, completeness, and alignment with regulatory mandates.
Natural‑Language Facet – Originating from legal experts, this facet is mandatory for regulatory compliance because statutes such as GDPR Articles 13 and 14 explicitly require notices in natural language. The authors show that natural‑language policies can express all taxonomy items, including nuanced legal bases (e.g., consent, legitimate interest). However, they are often lengthy, dense, and difficult for lay users to parse, leading to low actual read rates. Moreover, the textual format hampers automated compliance checking and auditing.
Graphical Facet – Developed primarily by organizations and privacy advocates, graphical policies use icons, flowcharts, tables, and visual summaries to improve user comprehension. Empirical studies cited in the paper demonstrate higher perceived readability and faster decision‑making when users are presented with visual aids. Nevertheless, graphical representations typically omit detailed legal language, cannot fully capture complex obligations (e.g., specific retention periods), and lack a standardized schema, which limits interoperability with compliance tools.
Machine‑Readable Facet – This facet is driven by academia and includes formats such as P3P, ODRL, XACML, and newer JSON‑LD vocabularies. Machine‑readable policies enable automated enforcement, auditing, and integration with privacy‑by‑design architectures. The paper highlights that these formats can encode many taxonomy items as structured metadata, facilitating compliance verification by data protection authorities (DPAs) and automated consent management platforms. However, adoption in the wild is minimal; most commercial services still rely on textual notices. Moreover, machine‑readable specifications often lack the narrative explanations required for legal validity, and they may not convey the “why” behind data processing, which is a GDPR requirement.
The authors conclude that a single‑facet approach cannot simultaneously satisfy legal validity, user understandability, and technical enforceability. Consequently, they propose a “multi‑faceted privacy policy” that integrates the strengths of all three representations. The proposed design guidelines are:
- Maintain a legally binding natural‑language core that directly references regulatory articles and provides the full legal basis for processing.
- Add a concise graphical summary that highlights the most salient points for data subjects (e.g., data categories, third‑party sharing, rights).
- Embed machine‑readable metadata (e.g., JSON‑LD) that mirrors the natural‑language content, enabling automated compliance checks and audit trails.
- Adopt standardized interfaces and version‑control mechanisms to manage updates, ensure backward compatibility, and resolve cross‑jurisdictional conflicts.
The paper also discusses challenges to realizing this integrated approach: the lack of universally accepted standards for linking natural language, graphics, and machine‑readable formats; the cost and complexity of maintaining synchronized multi‑modal documents; potential legal ambiguities when different facets diverge; and the need for coordinated effort among regulators, standards bodies, industry consortia, and academia.
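The following is an added example, not code from the paper or its authors: a small auditor that checks a multi-faceted policy for coverage of the nine taxonomy items and for divergence between the natural-language text and the machine-readable metadata that mirrors it. The entry layout (`text`, `icon`, `meta`), the `text_sha256` binding and the sample policy are assumptions constructed for illustration.

```python
import hashlib

# The nine taxonomy items listed on this page (ASCII hyphens used here).
TAXONOMY = ("First-Party Collection", "Third-Party Collection", "Legal Basis",
            "Data Subject Rights", "Data Retention", "Data Security",
            "Policy Change", "Other", "Choice Control")

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def entry(text, meta, icon=None):
    """Hypothetical layout: one entry carries all three facets. The metadata
    is bound to the legal text it mirrors by storing the text's digest."""
    bound = dict(meta, text_sha256=digest(text)) if meta is not None and text else meta
    return {"text": text, "icon": icon, "meta": bound}

def audit(policy):
    """Report taxonomy gaps and facets that are missing or out of sync."""
    items = policy["items"]
    report = {"uncovered": [], "no_text": [], "no_meta": [], "diverged": []}
    for name in TAXONOMY:
        e = items.get(name)
        if e is None:
            report["uncovered"].append(name)   # taxonomy item not addressed
            continue
        if not e.get("text"):
            report["no_text"].append(name)     # no legally binding core
        if not e.get("meta"):
            report["no_meta"].append(name)     # nothing to enforce or audit
        elif e.get("text") and e["meta"].get("text_sha256") != digest(e["text"]):
            report["diverged"].append(name)    # text changed, metadata did not
    report["unknown"] = sorted(set(items) - set(TAXONOMY))
    return report

def sample_policy():
    """Constructed sample input, not taken from any real service."""
    items = {
        "First-Party Collection": entry("We collect your email address.", {"data": ["email"]}, "collect"),
        "Legal Basis": entry("Processing relies on your consent.", {"basis": "consent"}),
        "Data Retention": entry("We keep your email for 12 months.", {"days": 365}, "clock"),
        "Data Security": entry(None, {"encryption": True}, "lock"),
        "Data Subject Rights": entry("You may access and erase your data.", None, "rights"),
    }
    # Simulate drift: the legal text is edited but the metadata is left as is.
    items["Data Retention"]["text"] = "We keep your email for 24 months."
    return {"version": "2.1", "items": items}

if __name__ == "__main__":
    for finding, names in audit(sample_policy()).items():
        print(f"{finding}: {names}")
```

A digest only detects that the text changed after the metadata was written; it does not verify that the two facets say the same thing.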
In summary, the work provides a comprehensive state‑of‑the‑art review of privacy‑policy expression, a clear taxonomy‑based evaluation of each facet, and a forward‑looking roadmap for constructing multi‑faceted policies that can meet the legal, usability, and technical demands of contemporary data‑protection ecosystems.