The recently launched European General Data Protection Regulations (GDPR) attempt to set new standards for how companies collect, store, manage, and use information about their users. It’s designed to provide more transparency and ensure greater control of user data, by users. But how do users perceive how well social media, e-commerce, and financial services companies are managing this now? How well can users find, understand, and manipulate their own data privacy settings? What do UX industry leaders and key UX influencers believe are the right ways to design and implement a user interface for data privacy controls? And most importantly, how well do user expectations and their actual results line up with what those leaders and influencers say?
UXPA 2019 Validating GDPR and User Privacy Best Practices with UX Influencers and Users
1. @AnswerLab / #UXPA2019
UX Dimensions of Data Privacy and GDPR
Validating GDPR and user privacy best practices with UX influencers and users
AnswerLab
@_bobberry
Bob Berry
Principal UX Researcher
4. @AnswerLab / #UXPA2019
AGENDA
How did we get here?
• What is GDPR?
• Why UX, GDPR, and data privacy?
Where are we?
• Our studies with users, influencers
• Key Findings
• User Experience Best Practices
• Business Best Practices
Where are we headed?
5. @AnswerLab / #UXPA2019 5
Bob Berry
Principal UX Researcher
AnswerLab since 2017
BS Computer Science / Math
25ish years in UX, e-learning
@_bobberry
AnswerLab.com
10. @AnswerLab / #UXPA2019
What are the major components of GDPR?
1. Consent
2. Right to Access
3. Right to be Forgotten
4. Data Portability
5. Privacy by Design
6. Territorial Scope
7. Data Protection Officers
8. Breach Notification
9. Penalties
29. @AnswerLab / #UXPA2019 29
Almost no users are aware of GDPR, and many are not knowledgeable on privacy
30. @AnswerLab / #UXPA2019 30
In a study on online skills, privacy was one of 20 topics, but rated the lowest on:
• Maintaining privacy
• Understanding policies
• Ease of changing settings
• Confidence in settings
• Trust in online services
31. @AnswerLab / #UXPA2019 31
The Gap Widens
between predictive analytics and users’ knowledge, tolerance, and engagement
32. @AnswerLab / #UXPA2019 32
Why?
Users see little or no value, or opt out due to fear and suspicion
34. @AnswerLab / #UXPA2019 34
Effectiveness of data makes people think of eavesdropping, and in other cases, what they see is totally irrelevant
35. @AnswerLab / #UXPA2019 35
Savvy users control their privacy via their behavior, not just their privacy settings
36. @AnswerLab / #UXPA2019
Power User
• Wary of stalking
• Checks in after leaving
• Keeps it vague
• Keeps it anonymous
39. @AnswerLab / #UXPA2019 39
Data is more valuable than product, and ‘people have become the product’
One product transaction may be worth $100. An algorithm derived from 1,000,000 user choices that can cause 10,000 users to buy that $100 product is worth $1M!
40. @AnswerLab / #UXPA2019 40
Overlapping intent of UX and behavioral predictive analytics
43. @AnswerLab / #UXPA2019 43
general attitudes
“Where does this end, and how extensive is it?”
“I don’t mind ads but don’t want to be inundated.”
“Social media is more of a concern. They provide their service for free, so we are the product.”
“When I’m done searching for it, I don’t want to see it anymore.”
“I’m overwhelmed. It’s too much.”
“I’m busy so not real motivated.”
44. @AnswerLab / #UXPA2019 44
acceptance
“That ship has sailed.”
“There’s not too much I can do about it.”
“Need to accept a lack of privacy to get the convenience.”
“Accept that they’ll use your data, or don’t use their system.”
45. @AnswerLab / #UXPA2019 45
control
“I have not figured out how to control this. It’s beyond me.”
“Eventually, they will change it and force me to do it again.”
“I’m trying to be proactive about my future, and I don’t see how. It’s all history.”
“Don’t tell me what you think I should be reading or interested in.”
“I prefer companies that leave me alone. I want a choice.”
46. @AnswerLab / #UXPA2019 46
trust
“They say it’s secure, but you’re never 100% sure.”
“Negative things could happen and I might not know.”
“Companies will always choose their bottom line.”
“What do they mean extra secure? What is less secure?”
48. @AnswerLab / #UXPA2019 48
Most of these are theoretical to users
Potential Benefits for Users
• track my history
• see relevant content
• get personal offers
• see better reviews
• get better service
• discover interests
• meet new friends
• save life events
49. @AnswerLab / #UXPA2019 49
How can we, as UX professionals, enhance this?
Potential Benefits for Users
• track my history
• see relevant content
• get personal offers
• see better reviews
• get better service
• discover interests
• meet new friends
• save life events
54. @AnswerLab / #UXPA2019 54
USER EXPERIENCE Best Practices
• General: how easily can your users find out what you’re collecting and what you’re doing with it, and how easily can they control that?
• Consent: what are users consenting to? How do they find out what they are consenting to?
• Right to access: how easily can users access their data and get clear descriptions of what it is? How well do they understand it all?
Consider: Start with GDPR
55. @AnswerLab / #UXPA2019 55
USER EXPERIENCE Best Practices
• Right to be forgotten: do you allow accounts to be deleted? How else can users choose to ‘be forgotten’ and what does that mean? Under what circumstances?
• Data portability: do you allow downloading of user data? How can users interpret that download? Where and why would they do that?
• Privacy by design: do you build it in from the start? How ‘integrated’ is your privacy user experience, or is it an after-thought?
Consider: Start with GDPR
56. @AnswerLab / #UXPA2019
Privacy by Design Principles
• Proactive not reactive, preventative not remedial
• Privacy as the default
• Privacy embedded into design
• Full functionality – positive-sum, not zero-sum
• End-to-end security – full lifecycle protection
• Visibility, transparency – keep it open
• Respect user privacy – keep it user-centric
64. @AnswerLab / #UXPA2019
Use colors, icons, and visual cues
USER EXPERIENCE Best Practices
65. @AnswerLab / #UXPA2019
Many more
USER EXPERIENCE Best Practices
Meta Approaches
• Explain the benefits
• Provide Help and FAQ
• Consider video tutorials
• Create wizards or assessment tools
• Update your update dates
• Inform users when settings or systems change
• Check in if users haven’t shown up for a while
• Ensure functional integrity
Core UI
• Provide access at sign-up and anytime during active use
• Summarize policies
• Clearly label controls
• Minimize steps
• Minimize paths
• Show progress
• Layer complexity
• Simplify terminology
• Clarify end-points
• Reward success
66. @AnswerLab / #UXPA2019
Top Reasons to create effective experiences for data privacy controls
1. Stay out of trouble
2. Acquire, retain customers
3. Sustain customer satisfaction
4. Use analytics well
5. Sustain public image
6. Do the right thing
67. @AnswerLab / #UXPA2019
Best practices start in the operation
For stakeholders: BUSINESS Best Practices
69. @AnswerLab / #UXPA2019
Know your business model and the role of data
Balance investment with business model
For stakeholders: BUSINESS Best Practices
70. @AnswerLab / #UXPA2019
Test, validate, iterate, re-test
USER EXPERIENCE Best Practices