Privacy & Information Security Law Blog

On May 14, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a study on how the ePrivacy Regulation will affect the design and user experiences of digital services (the “Study”). The Study was prepared by Normally, a data product and service design studio, whom CIPL had asked for an independent expert opinion on user experience design.

Using examples, the Study examines already established user experience design principles and potential new principles that support an approach to design with user privacy in mind. The Study further details how Articles 6, 8 and 10 of the proposed ePrivacy Regulation will affect user experience design, and emphasizes that greater flexibility in how the ePrivacy Regulation is formulated would facilitate design that would enhance options and the experience for end users.

Key findings of the study include:

• While principles for good user experience design already exist (i.e., designs must be timely, efficient, personal and convenient), there is more work to be done to create privacy centered design principles.
• Design principles which enable design for privacy could include (1) transparent designs which ensure a user is informed to engage meaningfully; (2) empowering designs which enable users to make active choices and control their personal data; and (3) conscientious designs which recognize users can be lax with their privacy and proactively remind individuals of their choices and their ability to control or adjust them.
• Article 6 of the ePrivacy Regulation—which requires that communications content only be processed with consent for a specific purpose—creates specific design challenges in respect of many digital services (e.g., obtaining group consent for group message chats and the ePrivacy Regulation applicability to smart messaging).
• Article 8 of the ePrivacy Regulation—which states that service providers may collect information from a user’s device or use the device’s processing and storage capabilities only if it is technically essential or if the user has expressed consent for a specific purpose—creates specific design issues in respect of obtaining cookie consent. Cookie walls create the risk of fatigue to users and can hinder the “open web.”
• Article 10 of the ePrivacy Regulation requires that software providers must allow users to prevent third parties from collecting information from their device or to use the device’s processing and storage capabilities, and suggests that the best moment for providers to exercise this responsibility is at the moment of installation. By frontloading such choices at installation, users will be asked to make blanket privacy choices before interacting with the digital services that these decisions will affect, thus inhibiting a user from making a fully informed choice.
• In order to find solutions to the problems posed by the proposed ePrivacy Regulation, designers need more freedom to select and sequence privacy controls throughout the user experience, not just upfront. Distributing the controls across the user journey avoids overloading the onboarding experience, helps users engage with privacy settings through contextual relevance and allows for user understanding to build over time.

To read more about the Study’s key findings, along with all its other conclusions, please see the full Study.