The Dos and Don’ts of Designing for Privacy
Sarah Negugogor | Senior UX Strategist
September 30, 2021
In July, Colorado joined California and Virginia in passing a major digital privacy bill, along the lines of the European Union’s GDPR. Six more states now have similar bills under consideration. Digital privacy is a hot topic these days in our state legislatures.
These laws are meant to help people take more control over their personal information, and compliance requires input from many parts of a digital agency, including user interface (UI) and user experience (UX) designers.
These laws came about because companies were not being responsible with users’ personal information. They asked for too much of it, weren’t transparent about what they were going to do with it, and mishandled what they had.
UI/UX designers have helped in this process, and now we can be instrumental in helping users take back control.
Note to fellow designers: When in doubt, seek legal advice on how to comply with privacy laws! This is a complex area, and the recommendations below are just general guidelines.
Do find out which laws apply to the project
It’s not just businesses in California, Colorado, Virginia or the EU who need to comply with these laws. Due to the global nature of e-commerce, these laws have far-reaching implications.
With each of the U.S. laws, there is a threshold that an organization must meet before it comes under the law, based on its revenue or how many residents it gathers personal information from. There are also certain exemptions; e.g., non-profits are exempt from the Virginia and California laws.
But for large organizations with a national or international user base collecting personal information from users, there is a good chance that one or more of these privacy laws apply.
Don’t cheat with cookie banners
Probably the most visible consequence of privacy laws (and the one most annoying to fellow UX/UI designers) is the cookie notification that is required by GDPR. These are necessary because GDPR requires user notification and consent whenever personal information is collected, including tracking cookies.
GDPR has strict requirements for how to get consent, requiring the user to actively accept cookies before they can be dropped. Very few sites are doing this properly. In fact, the authors of a 2019 study concluded that the vast majority of cookie consent notices are non-compliant.

For now, a GDPR-type banner is not explicitly required by any of the U.S. laws, so if your client isn’t targeting EU residents, you don’t necessarily need to include one on the site (though it can be an effective way to present the notifications and consent mechanisms that are required under U.S. laws).
Don’t use dark patterns to get consent
The pre-checked “Please subscribe me to marketing emails” box is a thing of the past (or should be). Under GDPR and Colorado and Virginia laws, if your client wants to use a user’s personal information for marketing purposes, they need to get unambiguous consent. This means that the user needs to perform an affirmative act such as changing a checkbox or a select list. Clicking a submit button with pre-selected values is not enough for consent. You also cannot bundle several different permissions into one checkbox.

These laws also require your client to provide an easy way to opt out of information sharing. For California, this means that if your client sells users’ personal information, you will need to include a “Do Not Sell My Personal Information” link on the home page. This link should go to a form that allows a user to easily opt out of having their information sold.
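As an added example (not code from the original post), the consent rules from the two sections above expressed as a small JavaScript model: every purpose starts unchecked, only the user's own toggle counts as consent, a checkbox bound to more than one purpose is rejected as bundled consent, and non-essential cookies are gated on what was actually granted. The purpose names and cookie categories are assumptions for illustration.

```javascript
// Added example, not from the original post. Purpose names and cookie
// categories below are assumptions for illustration.
const PURPOSES = ["analytics", "marketing", "personalization"];

// One record per purpose. Everything starts unchecked and "untouched":
// only an affirmative act by the user can change it.
function newConsentForm() {
  const form = {};
  for (const p of PURPOSES) form[p] = { checked: false, touched: true && false };
  return form;
}

// Records the user's affirmative act of toggling one checkbox.
// A checkbox tied to several purposes is bundled consent and is rejected.
function toggle(form, purposes) {
  if (purposes.length !== 1) throw new Error("bundled consent is not valid");
  const p = purposes[0];
  if (!(p in form)) throw new Error("unknown purpose: " + p);
  form[p] = { checked: !form[p].checked, touched: true };
  return form;
}

// Derives the granted purposes at submit time. A value that is checked but
// untouched is a pre-selected default, not consent, so it is ignored.
function submit(form) {
  const granted = [];
  for (const [p, s] of Object.entries(form)) {
    if (s.touched && s.checked) granted.push(p);
  }
  return granted;
}

// Gate applied before a cookie is dropped: strictly necessary cookies never
// need consent; any other category needs its purpose in the granted set.
function mayDropCookie(granted, category) {
  if (category === "necessary") return true;
  return granted.includes(category);
}
```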
Do explain what will be done with data and don’t gather more than needed
Another aspect of consent is that users need to understand what will be done with their data when they provide it. This is particularly relevant on forms. Avoid gathering data your client doesn’t actually need, and explain why they are asking for the data they do need. For example, if a user’s phone number is needed to confirm a purchase, this should be clear in the form.

Do give users easy access to their data
Each of these privacy laws gives users the right to see what personal information has been gathered about them, correct it if it’s wrong, migrate it to another service, or ask for it to be deleted.
The actual mechanism for this is not specified, and an email address included in the privacy policy would likely comply. However, a more user-friendly approach is to create a self-service tool where users can see their personal information, download it, and make inquiries regarding it. A good example of this is Airbnb’s Manage your data section.

Don’t hide behind legal jargon
One of our favorite parts of GDPR is its requirement that any communication about data be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”
A privacy policy cannot be a thicket of legalese that hides what your clients are actually doing with people’s information. Follow plain language principles: use headers, chunk information, keep sentences short, and choose common words.
The design of privacy information should follow the same principles as the rest of the site, where communication with your users is as clear and simple as possible. This is an area where we designers can make a significant contribution.
Do treat privacy communications as an opportunity to build trust
It’s easy to see these privacy laws as yet another constraint that designers need to work around. However, privacy should be an essential consideration of any user-centered design practice. Good designers strive to meet the needs of users, and users have a need to feel that their privacy is respected.
When we are transparent with users and make it clear that we respect their privacy, we build a more trusting relationship with them and greater loyalty.