In interacting with digital apps and services, users create digital identities and generate massive amounts of associated personal data. The relationship between the user and the service provider in such cases is, inter alia, a principal-agent relationship governed by a ‘contract’. This contract is provided mostly in natural language text, however, and remains opaque to users. The need of the hour is multi-faceted documentation represented in machine-readable, natural language and graphical formats, to enable tools such as smart contracts and privacy assistants which could assist users in negotiating and monitoring agreements.

In this paper, we develop a Taxonomy for the Representation of Privacy and Data Control Signals. We focus on ‘signals’ because they play a crucial role in communicating how a service provider distinguishes itself in a market. We follow the methodology for developing taxonomies proposed by Nickerson et al. We start with a grounded analysis of the documentation of four smartphone-based fitness activity trackers, and compare these to insights from literature. We present the results of the first two iterations of the design cycle. Validation shows that the Taxonomy answers (10/14) relevant questions from Perera et al.’s requirements for the knowledge-modelling of privacy policies fully, (2/14) partially, and fails to answer (2/14). It also covers signals not identified by the checklist. We also validate the Taxonomy by applying it to extracts from documentation, and argue that it shows potential for the annotation and evaluation of privacy policies as well.