In the context of growing public concern about personal data and its (ab)uses, the session will invite an open discussion about privacy as a human and user experience.
More specifically, the current state of Privacy UX, as well as if and how the changing understanding of the data ecosystem might further transform regulations, business approaches, and therefore UX practices and services.
Participant Takeaways:
Privacy as human and user experience
The state of privacy UX and current debates
The impact of public concern on legislation, business, and UX practice
Towards user-centric data solutions
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
Privacy UX - UX Scotland 2023
1. The State of Privacy UX
UX Scotland | June 2023
Privacy as human and user experience
Gintare Venzlauskaite
A discussion
Duration – 90 min
2. 2
Intended outcomes
What you will learn in this session
► Why privacy matters
► What are current concerns revolving around data privacy
► How response to privacy concerns is evolving
► What design and UX has to do with data privacy
► Principles of of Privacy UX
► How to practice privacy personally and professionally
► What’s in the horizon for data privacy
► Personal privacy tips
3. 3
Outline
of the
session
What is privacy and why should we care?
What is privacy UX and how is it doing?
01
Final thoughts and questions
04
02
03 Where is privacy going? Hopes and worries
5. 5
Question time
How would you describe what is privacy?
What words come to mind when you think about privacy?
How would you define informational privacy?
What kind of things come to mind?
6. 6
Definitions
Privacy [prahy-vuh-see; British also priv-uh-see]
► Someone’s right to keep their personal matters and relationships secret (Cambridge dictionary).
► The right to be let alone, or freedom from interference or intrusion (IAPP).
Informational privacy
► The right to have some control over how your personal information is collected and used (IAPP).
► The right to have some control over who has access to their personal information and under what
circumstances (Law insider).
Right to privacy
► The right of a person to be free from intrusion into or publicity concerning matters of a personal nature
(Merriam-Webster).
7. 7
Your relationship with digital privacy
Please scan this QR code to enter Mentimeter questionnaire
8. 8
Even when you think you’ve done it all, they still get you…
Sitcom ‘Frasier’
9. 9
Users as data generators
How much data do we generate?
► According to DOMO (2020), an average
internet user generates 1.7 MB of data per
second
How do we generate data?
► The so-called data trail is accumulated by a
range of interactions with digital technologies
that we actively engage with, wear, register for,
check-in at, etc.
10. 10
Users as data generators
What happens to our data?
► Data can be harvested through tracking, scraping,
proxies; then mined and aggregated
► It benefits us – efficiency, convenience, discounts,
accuracy, scientific development
So what?
► It makes us data subjects whose information is collected
and used for profit
► This data is monetised by first parties and may be also sold
to third parties, e.g., to data brokers – companies who
then sell it on to other market actors
► It makes us vulnerable. The real-life short- and long-term
implications are difficult to anticipate, grasp, or control
11. 11
Data economy
Carissa Véliz on dangers of data economy
Full video: https://www.youtube.com/watch?v=luCXlPYrTP4&pp=ygUMY2FyaXNhIHZlbGl6
12. 12
Digital privacy as human experience
Real-life consequences of data economy
► Individual (e.g., abused vulnerabilities, prevention of opportunities, physical and digital harassment,
identity theft)
► Socio-political impact (e.g., targeted political advertising, social polarization)
► National security (e.g., cyber attacks targeting people’s data)
13. 13
Privacy concerns, awareness and regulations are on the rise
Legislation Research Products and Services
► GDPR
► UK Data Protection Act
► US state privacy laws
► 71% of countries with some
kind of legislation around
data protection and/or
privacy
► Academic literature
► Journalism
► Guidelines and
advice for users
► Browsers
► Automatic opt-out engines
► Removal of data from
commercial and data broker
databases
► Tracker/cookie blockers
► Data breach alerts
► Product reviews
14. 14
► $275mil.
collecting
personal
information
from children
under 13
► $245mil.
deployment of
deceptive
design for
making
unintended
purchases
► €746 mil.
tracking
without
consent
► $30 mil.
Alexa/Ring
invasion of
privacy
Privacy concerns, awareness and regulations are on the rise
Sources: Termly; TechCrunch; US Federal Trade Commission
► €159 mil. not
giving users
easy way to
refuse cookies
on Google and
Youtube
► $50 mil. for
poorly
structured
privacy
consent
agreements
► $7.8 mil.
sharing users’
sensitive data
with outside
companies
► £12.7 mil.
illegally
processing
data of
children under
13 without
checking for
parental
consent
► €60 mil. not giving users
easy way to refuse
cookies on Facebook
► €225 mil. unclear privacy
policies and lack of
transparency
► €405 mil. mishandling
teenagers’ data on
Instagram
► €390 mil. forcing consent
► €265 for exposure to data
scraping
► € 1.2 bil. for unlawful
transfer of data of EU
citizens to the US
15. 15
Data privacy concerns on popular TV
Last week tonight with John Oliver on Data brokers:
https://www.youtube.com/watch?v=wqn3gR1WTcA&t=1s
Parks and Recreation on cookies:
https://www.youtube.com/watch?v=8xn1rO1oQmk
Documentary exploring social media
through the case of Cambridge Analytica
Documentary on implications of social networking
and how it is set up to manipulate and influence
The final season of TV series
‘Succession’ dropping a few
references to data economy,
lack of people’s
understanding of how it
works, and business
overtures to bypass
governmental regulation
17. 17
It is hard to know what you don’t know
The internet and technology has not been kind on
our privacy
► Data economy prompts practices are aimed at collecting
more data. Privacy is often inadvertently neglected or
purposefully undermined in user-facing versions of
products and service
► Our understanding of how data is harvested, mined,
processed and utilised is limited. And that causes so-
called digital resignation
► Putting much of responsibility on individuals is unfair
(David Solove)
• Privacy problems are systematic
• Individuals lack time and expertise
• Personal data is interrelated with other people’s data
18. 18
It is hard to know what you don’t know
Design is part of the problem
► Design contributes to maximising data collection
► Difficult language, lack of visibility, ambiguous choices, deceptive
patterns or lack of user-focused controls
UX design paradox
► Human-centred philosophy and commitment to serve user needs
through an optimal experience
► Value conflict when privacy is compromised
► Well-meaning teams get into the grey area of deceptive design
20. 20
Question time
Do you ever take note of privacy-related
interfaces and designs?
Feel free to give examples.
What do think makes a design privacy-
unfriendly?
Feel free to give examples.
How many of you heard the term Privacy UX?
What do you think it refers to?
21. 21
Privacy UX
Privacy UX generally refers to:
► Approach promoting privacy by/in design
► Practices bridging data privacy protection regulations and their
translation into user-friendly interfaces, journeys and content
► Application of UX principles in the user-facing versions of
products and services relevant to privacy by being transparent,
tailoring explanations, providing options, enabling user to make
meaningfully informed decisions about what they
share/provide/act upon
► Acknowledgement that privacy is an important element of user
experience (as broadly understood) and should not be exploited
by way of deceptive design practices
22. 22
Deceptive patterns
Definition
► Deceptive patterns (also known as “dark
patterns”) are tricks used in websites and
apps that make you do things that you
didn't mean to, like buying or signing up
for something (deceptive.design).
► Dark patterns deceive or manipulate
users, making them behave in certain way
without realizing it, or against their own
interests (fairpatterns.com).
Deceptive patterns relevant to
privacy
► Preselection
► Forced action
► Privacy zuckering
► Confirm-shaming
► Hard to cancel
► Visual interference
► Decisional interference
► Hindering
23. 23
Deceptive patterns relevant to privacy
Preselection
Employing the defaults, options that
are already chosen for them. In
general, it most often refers to
preselected boxes, preselected steps
this way manipulating people’s
awareness; if users don’t notice it,
their choice and autonomy is
undermined (Deceptive design)
24. 24
Deceptive patterns relevant to privacy
Forced action
A transactional pressure to choose an option that is
better for the provider in return for something that
user want; it can also come in form of a ”bundled
consent” whereby agreeing or providing something
mandatory, the user is also agreeing to something
else (Deceptive patterns).
Source: Luiza Jarovsky @ Privacy Whisperer
25. 25
Deceptive patterns relevant to privacy
Privacy zuckering
Similar to forced action, this is a term originating
from Facebook scandals in 2018. Linked to forced
action, this refers to ricking users to sharing more
personal information than intended (photos,
address, phone number, preferences, date of birth)
Source: Uxcel
26. 26
Deceptive patterns relevant to privacy
Confirm shaming
Influencing user’s decision making by
triggering uncomfortable emotions around
choice that would be more beneficial for
them (Deceptive patterns)
Source: The Mobiversal blog
27. 27
Deceptive patterns relevant to privacy
Hard to cancel or opt-out
(roach motel)
Typically, easy to subscribe or sign up with a
service but very difficult to cancel. This can
cause user resignation and leaving them with
staying with the service longer than intended
(Deceptive patterns).
Source: noyb.eu
28. 28
Deceptive patterns relevant to privacy
Visual interference
Purposefully hiding, disguising or obscuring
choices by way of lower contrast, smaller
text or general prominence of associated
design components (Deceptive patterns)
29. 29
Deceptive patterns relevant to privacy
Decisional interference
Limited or absent choices or alternatives that
otherwise would be preferable to an individual
(Privacy Wiki)
30. 30
Deceptive patterns
12 minutes (and not done unchecking)
Hindering
Delaying, hiding or making it difficult for the user to adopt
privacy-protective actions (difficult rejection, complex
settings, hiding opt-out, deletion, or revoking of consent,
privacy-negligent defaults).
31. 31
No way to disallow all advertisers at once on Facebook
32. 32
No option to select all advertisers to prevent them sharing my activity with
Facebook
33. 33
Compliant does not mean user- or human-friendly
The above examples show that laws and regulations are not
enough
► Just because a company complies it does not mean that it will
do so with the best user’s interest at heart
► Your data and privacy protection legally depends on where
you live
► It is hard to check if company honours your choices
► For big companies, paying the penalty bill may be seen as
lesser price to pay than profits they get from commodifying
people’s data
The business are doing their
best to make money, which
means that loopholes are likely
to be exploited including in the
form of deceptive design.
— Harry Brignull
35. 35
Question time
So, shouldn’t designers know better?
What do you think are the challenges of UX professionals when it
comes to creating with privacy in mind?
Have you ever received any training around data
privacy (either in education and/or your organisation)?
Feel free to give examples.
Are you aware or involved in your organisation’s
privacy strategy?
Please share your experience if appropriate.
36. 36
Challenges of practicing Privacy UX
What limits designers
► Lack of privacy-forward requirements and
direction from upper echelons of the
organisation/company
► Lack of voice in decision making
► Lack of awareness of the relevant regulations
► Lack of education and training
► Lack of collaboration with other privacy
stakeholders (lawyers, engineers)
► Lack of guidelines and standardized practices
► User-unfriendly legal documents
37. 37
Your priva-Cs. How to practice privacy UX
Choice Clarity
Control
Consciousness Curiosity Championing
Adopted from IAPP; Fairpatterns
39. 39
Question time
What is your knowledge about changes in data privacy
landscape?
Regulations? Tools? Projects? Approaches? Innovations?
Is privacy too hard to do?
What do you think?
Have you heard of any privacy concerns related to AI?
What are they and what are your thoughts?
40. 40
Developments in sight signal hope
Growing consumer awareness
► KMPG in 2021 revealed that 86% of respondents
reported growing concerns about their data
privacy.
► 63% of consumers worldwide think companies
aren't honest about how they use their personal
information, and nearly 48% have stopped
purchasing from companies because of privacy
worries. (Tableau)
41. 41
Developments in sight signal hope
Emerging laws and regulations
► Steady and continuous growth in global privacy laws –
by 10% every year.
• As of late 2022, there are 157 countries with some kind
of data privacy law. That is 50% more than 10 years
ago
• In the US, the number of state privacy laws is also
growing
► The EU’s AI Convention aims to protect fundamental
rights against the harms of Artificial Intelligence, and is
expected to become blueprint globally, as non-European
states such as the United States are considering
becoming signatories
(Source: IAPP)
42. 42
Developments in sight signal hope
Growing business awareness
► We see more pleads for commitment to privacy
► Privacy is increasingly seen as the next
component of Environmental, social and
governance (ESG) framework to gaining and
maintaining consumer trust and loyalty (Brian
Lesser)
► Companies witness an average return on
investment of 1.8% from their privacy-related
expenditures, and 92% acknowledge they have a
moral obligation to use consumer data honestly
and transparently (Cisco)
Businesses now understand that if
they want to keep the customers
they have and attract new
opportunities, they’re going to
have to sell privacy as part of what
they are offering
— Ann Cavoukian
43. 43
Developments in sight signal hope
Adoption of standards and initiatives for guidelines
► ISO adopted Privacy by design standard (ISO31700 in Feb
2023)
► Draft report with opinions and advice on cookie banners (EU)
► New rules for apps to boost consumer security and privacy
(UK)
► Good practice initiative for cookie banner consent
management (Germany)
► Privacy-enhancing design heuristics
44. 44
Developments in sight signal hope
Demand for privacy professionals
► Privacy engineering field is growing
► The effort to define the field as well as the role
and concepts for privacy by design
► More courses, programmes, literature focusing
on how to protect personal data in digital
environment
45. 45
Developments in sight signal hope
Communities and services of
practice
► We see more initiatives, individuals, and
communities dedicated to advocating for
privacy
► More examples of privacy-by-design
services, off-the-shelf solutions, and
consulting firms providing fairer privacy
design advice, assessment, and products
46. 46
Developments in sight signal hope
Solutions and products for
consumers
► Opt-out consent to collect data and target
you for you
► Removes data from commercial
databases on your behalf
► Requests data brokers to delete your data
► Blocks trackers/cookies
► Let you know when your data has been
compromised
► Reviews products and websites for privacy
Examples of privacy-forward products
47. 47
Developments in sight signal hope
Privacy Technologies
► The number of privacy tech companies
increased by 777% since 2017 (from 44 in
2017 to almost 370 in 2022)
► Growing trend of real-world application of
Privacy-enhancing technologies (synthetic
data, homomorphic encryption, federated
learning, data minimisation)
48. 48
Developments in sight signal hope
Shift in approach to personal data
and privacy
► Belief that technology is not only part of the
problem but also part of the solution (Jaap
Henk-Hoepman)
► Ideas around your data working for you not
against you (Prifina)
49. 49
... But it is still an uphill battle
Surveillance goes on
► Every day, we keep feeding companies with our
data, and the tracking, profiling, and behavioural
data exploitation goes on
► We keep seeing (and fall victims for) unsavoury,
privacy-undermining practices and data breaches
► Companies say they embrace privacy but there is
also lot of privacy washing and privacy-branding
with continuous profiling of personal data by
organisations of all sizes
50. 50
... But it is still an uphill battle
Limited control and scrutiny
► No global data privacy standards
► Gaps and flaws in exiting laws
► The approach from regulators is largely reactive
rather than proactive
► Too much industry appeasement and reservations
about disrupting business models (Wolfie Christl)
► Limited resources in watching what companies are
doing
51. 51
... But it is still an uphill battle
Regulation vs innovation
► View that regulation is slowing down and
curbing innovation
► Ground-breaking developments in
technology distracts from difficult debates
► Limited public knowledge about other
areas of privacy, e.g., cognitive, biometric
53. 53
The key takeaways
Privacy…
► matters and it is a part of our human and
user experience
► has been undermined by the development
of digital technology
► is everyone’s business to care about and
advocate for
► is becoming important value and
component of business strategy
► should not be sacrificed for the sake of
aggressive innovation
► is a part of user experience, therefore
should be part of responsible UX design
Do the best you can until
you know better.
When you know better, do
better.
— Maya Angelou
55. 55
Personal privacy tips
Ask yourself:
► What information I am comfortable giving
(even the most basic information can be
sensitive, and not all information must be
accurate)
► How can I reduce exposure to my personal
data
► The usage of apps on your phone – are you
using everything?
► Does the website/app needs as much
information as it is asking?
► Does the website/app provide privacy controls
they are committed to by law? (e.g., consent,
right to be forgotten, right to delete or correct
personal information); should I report them to
local data privacy watchdog?
Beware of:
► Default settings - you maybe sharing more (and
publicly) than intended
► Deceptive design (aka dark patterns)
► Tracking
► Apps that require a login – if you don’t log out, they
may be running in the background and collecting
your data
For families and parents/guardians:
► Be proactive of family privacy settings on your
devices
► Check parental controls and privacy settings for
children (Parent Club has a great set of information
and resources about online safety)
► Pause before “sharenting”
► Look for privacy guides for parents
56. 56
Who/What to follow?
If you are interested more, give me a shout, and I will
give you some pointers
Email me at gintare@uservision.co.uk
Linkedin me at gvenzlauskaite