User Privacy Communication Guidelines

UPC Catalogue

The User Privacy Communication Catalogue (UPC Catalogue) provides research-based design guidelines for improving user-centred privacy interaction in digital systems.

Improving Privacy Policy

Guidelines in the 'Improving Privacy Policy' category aim to enhance the effectiveness of privacy policies in communicating critical information to users. These research-based guidelines focus on transforming complex privacy information into more user-friendly and understandable formats. The objective is to foster transparent and user-centred communication that empowers users by improving their understanding of data-handling practices communicated in privacy policies.

Improving Privacy Policy Visual Presentation

Research-based guidelines in this subgroup aim to enhance the visual engagement of privacy policies through visual resources, such as labels and icons.

GD1 — Implement Interactive Privacy Policy Interfaces
Traditional privacy policies are often static, making it hard for users to navigate, understand, and control their personal data. Interactive privacy policy interfaces provide a dynamic solution, allowing real-time enforcement of privacy preferences and offering a clear overview of data practices. By combining visual elements like icons and colour-coding with interactive features, these interfaces improve user engagement, transparency, understanding, and informed consent.
GD2 — Implement Visual Strategies for Effective Communication of Lengthy Privacy Policies
Online privacy policies are often hard to navigate and understand and time-consuming to read, making it difficult for users to protect their privacy and make informed decisions. User-friendly, visual alternatives to traditional lengthy policies can enhance transparency and improve understanding of data handling practices.
GD3 — Incorporate Icons to Improve Privacy Policy Communication
The absence of clear graphical symbols to communicate legal concepts is a significant issue, especially in lengthy, unappealing privacy policies. 'Companion icons' can guide users to key information, improving clarity, comprehension, and the usability of privacy policies by highlighting essential data protection concepts.

Improving Privacy Policy Readability

Explores techniques such as machine learning, NLP and Information Extraction to extract and highlight key policy information.

GD4 — Enhance Privacy Policy Communication with Automated Information Extraction
Privacy policies are often lengthy and complex to read. Automating the extraction and presentation of information from privacy policies helps users better understand complex data practices, improving transparency and trust.

Advancing Privacy Policy Assessment

Research-based guidelines in this category encompass efforts to evaluate policy compliance with regulations, compare various privacy policies and ensure they align with data protection principles.

GD5 — Enhance Privacy Policy Communication through Assessment Tools
Users often struggle to compare and assess privacy policies due to their complexity, length, and lack of standardisation. Using assessment tools, organisations can offer clear, concise, and compliant privacy information, improving understanding of data practices, building trust, and ensuring legal compliance.

Controlling Information Disclosure

Research-based guidelines in this category aim to enhance mechanisms for users to manage and control the disclosure of their personal information within digital environments.

Managing App Permissions

The guidelines under "Managing App Permissions" are aimed at providing users with enhanced control and visibility over the permissions they grant to various apps.

GD6 — Enhance User Privacy Controls in Mobile Applications
Mobile apps face privacy control gaps, such as limited visibility of third-party access, binary consent options, and insufficient user controls. To address this, more user-centric mechanisms are needed. Users can dynamically adjust permissions, make informed decisions, and better protect their data by incorporating contextual privacy controls, privacy-by-design principles, and user-friendly interfaces.
GD7 — Integrate Privacy Indicators for Informed App Selection
Integrate Privacy Indicators for Informed App Selection}: Users often lack clear, accessible, and timely privacy information when selecting and managing apps, leading to uninformed decisions and over-privileged permissions. Providing users with comprehensive insights into app permissions and data practices enables them to make informed decisions about which apps to install and which permissions to grant.
GD8 — Leverage Automated Decision-Making for Enhanced User Privacy Controls in Mobile Applications
Users face challenges in managing app permissions effectively. Advanced, context-aware, automated decision-making systems aim to help users manage app permissions effectively. These solutions provide tailored, dynamic privacy controls that align with user preferences and behaviours by employing machine learning, crowdsourcing, and personalised privacy assistants. This approach enhances user control, transparency, and security in mobile app interactions.

Managing Privacy Settings

Research-based guidelines in this subcategory address mechanisms that enable users to adjust controls, such as the visibility of personal information and access to specific data.

GD9 — Enhance Parental Control in Smart Toys
Smart toys raise significant privacy concerns about protecting children's data. Current privacy control tools are often too complex for parents and guardians, who may lack technical expertise. To improve children's privacy protection, these tools must be more user-friendly, standardised, and comprehensive.
GD10 — Explore Diverse Techniques for Privacy Control
Users struggle to manage privacy settings across various smart devices and apps. Traditional models are cumbersome, causing fatigue, reduced awareness, and inadequate protection. Implementing diverse techniques can make privacy management more intuitive and less burdensome.
GD11 — Implement Integrated Personal Data Storage to Allow Users to Store and Manage Their Personal Data
In the digital age, users generate vast amounts of personal data across various platforms, leading to fragmented storage managed by multiple providers. This fragmentation complicates privacy, security, and user control. Without proper tools, users face unintended data exposure and weak privacy protection. Personal data vaults (PDVs) can empower users by offering robust privacy settings, support for privacy rights (e.g., access, erasure, portability), and automated privacy decision-making, ensuring compliance while maintaining user control.
GD12 — Implement Interactive Consent Forms for Enhanced User Engagement
Interactive consent forms, using drag-and-drop and question-and-answer formats, greatly improve user engagement and attention to privacy settings compared to traditional methods. Evaluations show these approaches enhance recall, understanding, and satisfaction, leading to more informed consent. While traditional checkboxes are quicker, they are less effective at engaging users and ensuring comprehension of data-sharing terms.
GD13 — Integrate Automated Tools and Custom Options for Privacy Settings
Managing online privacy is challenging due to complex, hidden privacy settings and non-intuitive adjustments. Users often struggle to find options or understand their impact. This guideline focuses on simplifying privacy management by integrating automated tools and customisable options, making it easier to locate and adjust settings. The goal is to enhance user control, transparency, and awareness, allowing for informed decisions with less effort.
GD14 — Leverage Personalised Recommendations for Enhanced User Management of Privacy Settings
It is challenging to manually configure privacy settings for each shared piece of content, whether text-based posts or images. Automating privacy settings recommendations aims to enhance user privacy protection, reduce accidental data exposure, and ease the burden of navigating complex settings.
GD15 — Provide Users with User-Friendly Tools to Manage Their Privacy Settings
Complex privacy settings make it difficult for users to manage them effectively. Intuitive, user-friendly tools with clear, real-time feedback can simplify privacy settings, improving understanding and overall privacy management.

Managing Multiparty Privacy

This category explores collaborative and automated systems designed to meet the privacy needs of various stakeholders in shared digital content.

GD16 — Encourage the Consideration of Interdependent Privacy Management in Cloud Applications
The interconnected nature of user data and shared files amplifies privacy risks in cloud storage services. Third-party apps often request full access to files, including those shared with collaborators, posing risks for all parties. Mitigating these risks requires mechanisms that address interdependent privacy concerns, inform users of collaborators' privacy decisions, and promote privacy-preserving behaviours.
GD17 — Enhance Collaborative Privacy Management in Photo Sharing
Photo sharing in online social networks involves multiple stakeholders, requiring collaborative privacy management. Effective protection demands fine-grained control, context-aware enforcement, and scenario-based policies, as existing privacy controls are too coarse. Users need more intuitive, automated systems to manage their privacy with minimal effort.
GD18 — Implement Collaborative Privacy Management for Shared Data in Social Networks
Managing multiparty privacy in online social networks is essential due to collaborative data sharing. Effective management requires systems that support joint privacy settings, resolve conflicts, and offer user-friendly interfaces. These strategies can improve privacy protection and user trust.

Raising Privacy Awareness

Research-based guidelines on Raising Privacy Awareness emphasise educating users about privacy risks and the careful sharing of information, thereby supporting informed decision-making. By raising awareness and understanding, this category aims to equip users with the knowledge needed to make informed choices about their privacy and data sharing.

Assessing Risk and Nudging Privacy Behaviour

Research-based guidelines in this subcategory focus on strategies and tools that help users assess privacy risks and adopt safer practices. Through personalised notifications, risk scores, and interactive feedback mechanisms, these guidelines aim to promote privacy communication that enhances users' awareness of their privacy exposure and encourages adjustments in their privacy settings and behaviours to mitigate risks.

GD19 — Communicate Privacy Risk with Colour-Coded Privacy Indicators
For users to make privacy-informed decisions, information must be presented in an easily understandable way, with visual communication of privacy properties, direct feedback, and the use of familiar concepts so that users can align their behaviour with their concerns. Providing visual privacy risk indicators that are informative, simple, and easy to understand in decision-making contexts (e.g., information disclosure, app permission granting) can help users make privacy-informed decisions.
GD20 — Encourage Users to Consider Privacy Implications Before Sharing Online
The online privacy decision-making process is complex, and users may not fully understand the audience and potential risks associated with sharing information online. This guideline supports users in making more informed and cautious privacy decisions by using mechanisms such as privacy awareness models, visual cues, interactive prompts and others.
GD21 — Enhance Privacy Awareness by Communicating Privacy Risks
Users face privacy risks from sharing personal information across multiple platforms, often worsened by a lack of awareness about how others can access and use this data. The complexity of managing privacy settings and quantifying potential privacy leakage adds to the challenge. User-friendly interfaces can help users make more informed decisions about their information sharing by providing clear risk assessments and actionable insights.
GD22 — Implement User-Customisable Multi-View Privacy Notifications
Single-view privacy notification interfaces offer limited information on privacy risks. Multi-view interfaces can improve users' understanding by tailoring privacy information to their interests and expertise.
GD23 — Promote User Awareness and Decision-Making on Permission/Authorisation Requests
Promote User Awareness and Decision-Making on Permission/Authorisation Requests}: Users often lack awareness when disclosing personal information during permission or authorisation requests. This is due to factors such as overlooking lengthy permission lists, being unaware of third-party access, the sensitivity of disclosed data, and the risks of accepting requests. Providing clear insights into privacy threats posed by permission requests would enhance user awareness and guide privacy-informed decisions.

Visualising Disclosed Information

Research-based guidelines in this subcategory focus on improving users’ understanding and managing disclosed personal data through diverse visualisation tools and interfaces.

GD24 — Enable Exploration of Data Exports
Enable Exploration of Data Exports}: Users often lack the tools and understanding necessary to manage and comprehend their exported personal data effectively. Despite regulations such as the GDPR that grant users rights of access and control over their data, many users face significant challenges in interpreting their data exports. This guideline aims to empower users by providing effective visualisations for exploring and understanding exported data. By enabling detailed exploration of data exports, users can gain insights into the data shared by service providers and make informed decisions about their personal information.
GD25 — Support the Visualisation and Comprehension of Disclosed Data
Users often struggle to understand the scope and implications of their disclosed data, even with access to privacy policies and settings. This can lead to unintentional data exposure and a lack of control. This guideline seeks to improve user understanding by providing clear visualisations that help users understand their data disclosures, manage privacy settings more effectively, and exercise their data rights.

This catalogue compiles privacy communication guidelines grounded in research. Each guideline was developed by synthesising findings from multiple studies and structured to offer practical, actionable recommendations applicable across diverse privacy-aware contexts.

All guidelines follow a standardised structure, consisting of:

Problem summary: A concise description of the privacy problem addressed by the guideline.
Rationale: Explains the reasoning behind the proposed solution.
Solution: Describes the proposed solution to the problem addressed by the guideline.
Example: Taken from the supporting research, which illustrates the discussed proposal in the literature.
Use cases: Describe contexts where the guideline is most applicable.
Advantages and disadvantages: Extracted directly from supporting research.
Privacy attributes: Align each guideline with privacy attributes such as transparency and control.

These guidelines can be used as:

Reference material during interface design involving privacy-aware interactions
Supporting material for research in privacy-aware interaction design

Readers are encouraged to explore the guidelines according to their needs, using the navigation or available filters to identify relevant recommendations. The catalogue structure supports both quick consultation and in-depth exploration.

Tip: Filtering Guidelines

You can filter guidelines by title, keywords, group, subgroup, and privacy attributes to narrow down relevant design recommendations.

Quick Facts

Based on over 100 empirical studies
Structured around 3 groups and 8 subgroups
Designed for practitioners and researchers to help with the design of more transparent and user-centred online interactions