1. Start a Standard Privacy Notice workgroup in Kantara with a narrow charter to classify and label privacy notices.
   
2. Make the Automattic Policy the first label and post it the way we would a CC or OSI license.
3. Publish a DRY Privacy Notice Best Practice that would incorporate a labeled privacy notice BY REFERENCE and list only the exceptions, if any to the referenced policy.
4. Add CommonAccord to this as an option for describing only the exceptions.
5. Suggest standardized formatting for the exceptions right down to the fonts and colors.

My guess is that the world can get by with only 5 or so of these baseline privacy notice labels to serve, for example:

• blogs, (Automattic)
  
• merchants, (Vendor)
  
• things, (Robot)
  
• medical services, (HIPAA)
  
• directories (Dating)

In addition, I would classify each privacy notice into one of three classes depending on the kind of API they provide:

Class 1: Service will not see your data. You are in sole control of the API.

Class 2: Service will see your data but the API you control has all of the data available in reral-time.

Class 3: Service will see your data but there's limited or no API access.

I've described these three classes in http://thehealthcareblog.com/blog/2016/02/22/apple-and-the-3-kinds-of-privacy-policies/

The result would be that Kantara privacy notices would look like: Automattic_2 or HIPAA_3 and people would mostly pay attention only to the exceptions.

Adrian