Natural Language Processing of Privacy Policies: A Survey

TL;DR

This survey reviews NLP techniques applied to privacy policies, highlighting current methods, gaps, and future research opportunities to improve privacy notice communication and understanding.

Contribution

It provides a comprehensive analysis of 109 papers on NLP for privacy policies, identifying research gaps and suggesting future directions for robust privacy policy NLP applications.

Findings

Many studies focus on annotating and classifying privacy texts

Significant research gaps exist in summarization and contextualized embeddings

Opportunities for domain-specific model tuning are identified

Abstract

Natural Language Processing (NLP) is an essential subset of artificial intelligence. It has become effective in several domains, such as healthcare, finance, and media, to identify perceptions, opinions, and misuse, among others. Privacy is no exception, and initiatives have been taken to address the challenges of usable privacy notifications to users with the help of NLP. To this aid, we conduct a literature review by analyzing 109 papers at the intersection of NLP and privacy policies. First, we provide a brief introduction to privacy policies and discuss various facets of associated problems, which necessitate the application of NLP to elevate the current state of privacy notices and disclosures to users. Subsequently, we a) provide an overview of the implementation and effectiveness of NLP approaches for better privacy policy communication; b) identify the methodologies that can be further enhanced to provide robust privacy policies; and c) identify the gaps in the current state-of-the-art research. Our systematic analysis reveals that several research papers focus on annotating and classifying privacy texts for analysis but need to adequately dwell on other aspects of NLP applications, such as summarization. More specifically, ample research opportunities exist in this domain, covering aspects such as corpus generation, summarization vectors, contextualized word embedding, identification of privacy-relevant statement categories, fine-grained classification, and domain-specific model tuning.