Policy Design & Creating Effective Privacy Policies Presentation by Travis Pinnick User Experience Designer, TRUSTe NTIA Privacy Multistakeholder Process:

Policy Design &

Creating Effective Privacy Policies

Presentation by Travis Pinnick

User Experience Designer, TRUSTe

NTIA Privacy Multistakeholder Process: Mobile Application Transparency

November 30, 2012

Washington DC.

Problems with Privacy Policies

• Privacy Policies are difficult to read (Anton 2007)

• Misconceptions about protections (Hoofnagle 2008)

• Time required to read policies is too great (McDonald 2008)

• Lack of market differentiation (KnowPrivacy 2009)

Machine-readable Policy Summaries

Policy Short Notice Designs

Icon-based policy summaries


Layered Policy Design

Policy Summary Data in Product Design

User Testing - Policy Summaries

•Users don’t seem to have preconceived notions of what categories make the most sense regarding privacy •Icons aren't as important as presentation and finding the appropriate vehicle and context for delivery

•Users appreciate attempts to visually simply policy data, but that doesn’t mean it will necessarily influence their behavior


Icon-reading user agents

User Testing - Policy Summaries part 2

•Users respond positively to the idea icon-based summary data, but aren’t really able to articulate the meaning of the categories even after having viewed the descriptions •Once again, users appreciate attempts to visually simply policy data, but that doesn’t mean it will necessarily influence their behavior

Mobile-optimized Policies

Policy Summary Data in Mobile

Challenges

Fundamentally, how useful is policy summary data?

1. Users report caring about privacy in vast majorities when polled, yet this attitude is not reflected by their actions

2. While summary data provides a helpful layer of transparency, there’s no reason to assume it will affect user behavior

3. Depending on whether summary data is self-attested or crowd-sourced, it may not be useful for enforcement

Recommendations

An effective policy summary should:

1. Support a user’s ability to assess a site or app’s privacy practices at an appropriate time and in the right context (like a decision making moment such as app download)

2. Support a method of delivery that is informative without being overwhelming or intrusive to the user experience

3. Provide only the information that is most relevant, like the data collection practices which are invisible to users

Documents

Policy Design & Creating Effective Privacy Policies Presentation by Travis Pinnick User Experience Designer, TRUSTe NTIA Privacy Multistakeholder Process: