Companies simplify data privacy notices

10.01.2005
By
Jaikumar Vijayan writes, among other outlets, for our U.S. sister publication CSO Online.

A European Union initiative to develop standards for shorter and more readable data-privacy notices on Web sites is shining a spotlight on a similar need in the U.S., and large companies such as Microsoft Corp. and The Procter & Gamble Co. are already adopting the condensed format.

On its corporate Web site, P&G has created a "privacy notice highlights" page that uses a modular format identical to the one approved by an EU panel in late November. The modular approach lets companies provide Web site visitors with capsule descriptions of their privacy policies as the initial step in the disclosure process.

Sandy Hughes, P&G's global privacy executive, said last week that the Cincinnati-based maker of consumer goods set up the new page after a survey of users who visited the Web site showed that 95 percent of them found shorter data privacy notices helpful.

The information on the page fits in a single screen on a PC and is separated into six data fields, each containing concise, bulleted information about P&G's privacy policies. Links are included that open separate windows with more detailed descriptions of the policies.

P&G has yet to implement a similar short-form notice on its European Web sites, but Hughes said it plans to do so. "What will take time is the multiple language translations to go on top of our policies, which are already in 17 languages," she said.

Peter Cullen, Microsoft's chief privacy strategist, said the software vendor also plans to implement a layered notice approach similar to the one being used by P&G.

Focus-group research done last year by Microsoft in Germany and Hong Kong showed that consumers were overwhelmingly in favor of shorter privacy notices, he said.

Microsoft will begin by implementing short-form notices on its MSN Web sites in Europe, Cullen said. He noted that the challenge is in figuring out exactly what information needs to be included in the shortened notices to make them suitable for the bulk of Microsoft's customers.

The EU's data privacy commissioners are proposing the adoption of the modular notices as a way to make privacy statements more user-friendly, said Jonathan Bamford, assistant commissioner in the U.K.'s Information Commissioner's Office.

Legal obligations remain

The short-form proposal does not eliminate the legal obligations that companies have to disclose their privacy policies in full, according to Bamford. "What it does is provide another layer of clarification beyond what the law says you have to do," he said.

Under the multitier approach, companies still must offer a full notice that spells out all of their privacy policies and their legal obligations. They can supplement that notice with the following:

- Short notices for situations where the space available for displaying information is limited, such as on cell phones or handheld devices.

- Condensed notices presented in the format that P&G is using, with brief descriptions of policies on the kind of personal data that a company collects, how the information will be used, who it will be shared with and the right to view and correct information.

There's a need for a similar privacy-notice model in the U.S., said Martin Abrams, executive director of the Center for Information Policy Leadership at Hunton & Williams LLP in Richmond, Va. The center, whose members include Microsoft, P&G, Eastman Kodak Co. and Citigroup Inc., led a workshop on the EU proposal last March in Berlin.

Privacy notices in general have gotten "incredibly long" over the past few years, Abrams said, pointing to the adoption of federal regulations such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

"When GLBA and HIPAA were passed, there was a requirement to make these notices even more complete and long," he said. That has resulted in privacy notices that are barely readable and largely ineffective, Abrams claimed.

But companies in regulated industries could find it hard to use shorter notices, said Kirk Herath, chief privacy officer at Nationwide Mutual Insurance Co. in Columbus, Ohio.

"Those of us who are required to provide privacy notices under GLBA or state privacy law have very specific notice requirements as to what we need to say and explain to our customers," he said. "I've never seen a short-form notice that does an effective job of providing all of the necessary legal ingredients."

As a result, companies that use condensed notices could be leaving themselves "wide open" to charges of deceptive trade practices, Herath said.