Implement Interactive Privacy Policy Interfaces

Problem Summary

Traditional privacy policies are often static, making it difficult for users to navigate, understand, and enforce control over their personal data.

Rationale

Interactive privacy policies enhance transparency and user engagement. Their interfaces let users enforce their privacy preferences in real time while giving a detailed yet comprehensible overview of the data processing practices.

Solution

Implement interactive privacy policy interfaces that present the policy dynamically and let users act on it, instead of a static text.

Drozd and Kirrane [1] note that privacy policies are the "de facto standard for consent requests" and that several studies show such policies are rarely read. They proposed the CURE prototype to make consent requests more effective. Instead of a block of policy text, CURE presents a visually engaging, interactive interface with customisable elements such as a slider and per-purpose checkboxes, together with a detailed overview of the data processing each purpose requires. This turns the consent request into a format users can actually work with, improving both their understanding of the processing and their control over it. The code for the prototype is available at https://bit.ly/2GErFC7 .

Reinhardt, Borchard, and Hurtienne [2] presented the Visual Interactive Privacy Policy (VIPP) as a solution to the usability issues of traditional privacy policies. The VIPP incorporates interactive features like mouse-over help icons, expandable rows, and clickable cells to provide optional explanations and further information. This design lets users directly control and enforce their privacy settings within the policy interface, improving user engagement, comprehension, and transparency compared to standard static privacy policy texts.

Both studies acknowledge that the Privacy Nutrition Label does not allow direct manipulation of the privacy policy, such as managing privacy settings/consent directly. Drozd and Kirrane [1] argue that this approach does not allow users to visualise the data processing activities fully. Reinhardt, Borchard, and Hurtienne [2] incorporated a Privacy Nutrition Label enriched with control options and interactive elements into their VIPP solution, enhancing user engagement and control.

Angulo et al. [3] presented the "Send Data?" prototype, a browser extension designed to simplify privacy policy management using the PrimeLife Policy Language (PPL). The solution introduces "on the fly" privacy management, allowing users to adjust their privacy settings during online transactions. It features predefined privacy levels (High, Medium, Low) that users can customise, making the initial configuration more accessible. Additionally, the prototype uses visual elements like tables, icons, and colour-coded indicators to clearly present privacy settings and mismatches.
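The following is an added example, not code from this page or from the CURE, VIPP or "Send Data?" prototypes. It models two mechanisms described above in working form: per-purpose consent with a detailed view of what each purpose needs (the CURE approach), and checking a service's declared policy against a user's chosen privacy level (High/Medium/Low) to surface mismatches, as the "Send Data?" prototype does. The purposes, data items, levels and retention thresholds are constructed for illustration, and the function names are the example's own. It also adds the check a service must run on its own side before processing, because a consent interface is only a real control if processing is gated on the recorded decision.

```javascript
// Added example, not code from the page or from the CURE / VIPP / "Send Data?"
// prototypes. It models per-purpose consent (CURE) and checking a service's
// policy against a user's chosen privacy level to surface mismatches
// ("Send Data?"). Every purpose, data item, level and threshold is constructed.

// Service-side declaration of what each processing purpose needs. Constructed.
const SERVICE_POLICY = {
  "derive-calories-burned": { data: ["heart-rate", "step-count", "age"],
                              retentionDays: 365, thirdParties: [] },
  "targeted-advertising":   { data: ["location", "browsing-history"],
                              retentionDays: 730, thirdParties: ["ad-network"] },
  "service-provision":      { data: ["email", "step-count"],
                              retentionDays: 30,  thirdParties: [] },
};

// Predefined privacy levels, as in "Send Data?", expressed as limits a purpose
// must respect. The thresholds are hypothetical.
const PRIVACY_LEVELS = {
  High:   { maxRetentionDays: 90,       allowThirdParties: false,
            forbiddenData: ["location", "browsing-history"] },
  Medium: { maxRetentionDays: 365,      allowThirdParties: false,
            forbiddenData: ["browsing-history"] },
  Low:    { maxRetentionDays: Infinity, allowThirdParties: true, forbiddenData: [] },
};

// Reasons why one purpose conflicts with a preference profile (empty = no conflict).
function mismatchReasons(purposePolicy, prefs) {
  const reasons = [];
  if (purposePolicy.retentionDays > prefs.maxRetentionDays) {
    reasons.push(`retention ${purposePolicy.retentionDays}d exceeds ${prefs.maxRetentionDays}d`);
  }
  if (!prefs.allowThirdParties && purposePolicy.thirdParties.length > 0) {
    reasons.push(`shared with ${purposePolicy.thirdParties.join(", ")}`);
  }
  for (const item of purposePolicy.data) {
    if (prefs.forbiddenData.includes(item)) reasons.push(`uses ${item}`);
  }
  return reasons;
}

// Evaluate every purpose against a level; `overrides` lets the user customise
// the preset (e.g. { maxRetentionDays: 400 }). A UI would colour-code each row
// by `status`, as the "Send Data?" table does.
function evaluatePolicy(policy, level, overrides = {}) {
  if (!(level in PRIVACY_LEVELS)) throw new Error(`unknown privacy level: ${level}`);
  const prefs = { ...PRIVACY_LEVELS[level], ...overrides };
  const rows = {};
  for (const [purpose, p] of Object.entries(policy)) {
    const reasons = mismatchReasons(p, prefs);
    rows[purpose] = { status: reasons.length === 0 ? "ok" : "mismatch", reasons };
  }
  return rows;
}

// Initial per-purpose consent derived from the chosen level: only purposes that
// fit the level are pre-selected; everything else stays opted out.
function consentFromLevel(policy, level, overrides = {}) {
  const rows = evaluatePolicy(policy, level, overrides);
  const consent = {};
  for (const purpose of Object.keys(policy)) consent[purpose] = rows[purpose].status === "ok";
  return consent;
}

// Per-purpose checkbox: returns a new consent object and rejects purposes the
// service never declared, so a crafted request cannot consent to a hidden one.
function setConsent(policy, consent, purpose, granted) {
  if (!(purpose in policy)) throw new Error(`undeclared purpose: ${purpose}`);
  return { ...consent, [purpose]: Boolean(granted) };
}

// Enforcement check the service runs before processing, independent of the UI:
// allowed only with recorded consent for the purpose, and only for data items
// declared for that purpose (purpose limitation).
function isProcessingAllowed(policy, consent, purpose, dataItem) {
  const p = policy[purpose];
  if (!p || consent[purpose] !== true) return false;
  return p.data.includes(dataItem);
}

// Walk-through: start from "Medium", then tick one more purpose by hand.
const initial = consentFromLevel(SERVICE_POLICY, "Medium");
const updated = setConsent(SERVICE_POLICY, initial, "targeted-advertising", true);
console.log(evaluatePolicy(SERVICE_POLICY, "Medium"));
console.log(initial, updated,
  isProcessingAllowed(SERVICE_POLICY, updated, "targeted-advertising", "location"));
```

The design point is that the preference profile and the mismatch rows drive the interface, but `isProcessingAllowed` is what the service has to call on its own side for every processing step; without that gate, the slider and checkboxes only change what the user sees, not what happens to the data.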

Platforms: personal computers

Related guidelines: Implement Visual Strategies for Effective Communication of Lengthy Privacy Policies

Example

The CURE prototype [1].

Top: The CURE prototype: (1) Slider and (2) Consent per purpose. Bottom: Example of a detailed overview of the data processing required for the purpose of “deriving calories burned” [1].

Interactive capabilities of the Visual Interactive Privacy Policy [2].

Interactive capabilities of the Visual Interactive Privacy Policy (VIPP): Consent options, explanations and additional information [2].

The "Send Data?" prototype [3].

The look-and-feel of the seventh iteration cycle of the "Send Data?" prototype [3].

Use cases

  • Enhancing transparency and user engagement with privacy policies.
  • Implementing a dynamic approach to presenting privacy policies.

Pros

  • The UI was well received by participants in a usability evaluation, who completed tasks quickly, easily, and with minimal errors. Positive feedback included high comprehension levels of the consented information and better performance in comparison tasks against traditional consent requests and a Usercentrics solution [1].
  • The Visual Interactive Privacy Policy (VIPP) builds upon the Privacy Nutrition Label proposal to address participants' concerns regarding missed information and direct privacy control options. Additionally, a pre-study indicated a preference for the simple table structure of the Privacy Nutrition Label, forming the foundation for VIPP. User focus is directed through the strategic use of coloured title rows and columns (in orange and blue) to highlight significant elements, such as a ranking of privacy policy terms derived from a user study. At the same time, less crucial aspects are nested within deeper layers [2].
  • The concept of "on the fly" privacy settings is both understood and appreciated by users. Additionally, users found the selection of credentials using a card-based approach, clearly grouped by rows, to be effective [3].

Cons

  • Users initially found the "Send Data?" interface confusing and needed some time to interact with it before fully grasping its purpose and benefits. This initial confusion indicates a learning curve, which may hinder immediate user comprehension and usability [3].
  • Although the VIPP showed improvements over the Long Text in several areas, it did not consistently demonstrate statistically significant advantages over the Nutrition Label, despite some noticeable positive changes in terms of stimulation, novelty, and perceived control [2].
  • A limitation shared by these studies is that the prototypes were evaluated only on desktop computers. The results may therefore not carry over to tablets or smartphones, which are increasingly used for internet access and offer far less screen space for tables, sliders and expandable rows.

Privacy Notices

While the guideline's core objective is to improve how privacy information is communicated to users, it also integrates aspects of privacy choices [5], particularly the control dimension: users can manage and enforce their privacy preferences directly within the notice, which adds interactivity to the traditional privacy notice framework [4].

  • At Setup
    The guideline can be applied by providing clear, interactive privacy notices during system setup, allowing users to make informed decisions before using the service.
  • On demand
    The guideline aligns with making privacy notices and controls available on demand through privacy settings interfaces or dashboards.
  • Context-dependent
    The guideline supports providing additional notices or controls based on the user’s context, ensuring that privacy decisions are relevant to the situation.
  • Just in time
    Interactive interfaces can provide contextual notices when data is being collected or shared, aligning with the just-in-time notice approach.

  • Non-blocking
    The controls integrated in the notice can be presented without interrupting the user's primary task, so preferences can be adjusted while the service remains usable.
  • Blocking
    The same controls can be presented in a blocking notice that requires a decision before the user proceeds, for example a consent request at setup or before a data transfer.

  • Visual
    This guideline uses visual resources such as colours, text, and icons to make a visual notice.

  • Primary
    This guideline is primarily intended for the same platform or device the user interacts with.
  • Secondary
    The guideline encourages using the primary channel for delivering privacy notices within the system context but also supports secondary channels for constrained devices.

Control

The interactive and customisable elements of the proposed solutions are designed to empower users to decide what to share and for which purposes, aligning closely with the core elements of the Control [6] attribute. Other related privacy attributes:

The interactive interfaces aim to make privacy policies more understandable, helping users obtain clear information about how their data is handled. This aligns with the proactive distribution of information to users, allowing them to make informed decisions.

By making privacy policies more transparent and interactive, service providers demonstrate their commitment to being held accountable for data practices. The clear presentation of data handling practices and user controls can reinforce trust and accountability.

The interfaces help clarify the purposes for which data is collected and processed, providing users with a better understanding of the legal bases for data processing and the specific uses of their personal data.

The guideline addresses data sharing by allowing users to manage and control the extent to which their data is shared with third parties.


References

[1] Olha Drozd and Sabrina Kirrane (2020). Privacy CURE: Consent Comprehension Made Easy. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_9

[2] Daniel Reinhardt, Johannes Borchard, Jörn Hurtienne (2021). Visual Interactive Privacy Policy: The Better Choice? In: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. New York, NY, USA: Association for Computing Machinery, 2021. (CHI ’21). ISBN 9781450380966. https://doi.org/10.1145/3411764.3445465

[3] Julio Angulo, Simone Fischer-Hübner, Erik Wästlund, Tobias Pulls (2012). Towards Usable Privacy Policy Display & Management. Information Management & Computer Security, Vol. 20 No. 1, pp. 4-17. https://doi.org/10.1108/09685221211219155

[4] Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Symposium on Usable Privacy and Security (SOUPS 2015). [S.l.: s.n.], p. 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf

[5] Yuanyuan Feng, Yaxing Yao, and Norman Sadeh (2021). A Design Space for Privacy Choices: Towards Meaningful Privacy Control in the Internet of Things. In CHI Conference on Human Factors in Computing Systems (CHI ’21), May 8–13, 2021, Yokohama, Japan. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3411764.3445148

[6] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288