Implement Visual Strategies for Effective Communication of Lengthy Privacy Policies
Problem Summary
Online privacy policies and software agreements are often not effectively communicated to consumers. These documents are typically difficult to navigate and understand, and they are time-consuming to read. This complexity makes it challenging for users to protect their privacy and make informed decisions about their data. While visual strategies can enhance understanding and engagement, balancing visual appeal with comprehensibility remains a challenge, highlighting the need for improved methods of presenting privacy information.
Rationale
User engagement is crucial in communicating privacy policies and EULAs (End-user license agreements). Creating more accessible and standardised formats for presenting privacy information enhances transparency and promotes user comprehension of data handling practices. This involves introducing user-friendly formats such as privacy labels inspired by familiar concepts, using visualisations to enhance attention and understanding, and considering a holistic approach that addresses comprehension, perceived control of privacy, and trust perception.
Solution
Create visual, user-friendly alternatives to traditional, lengthy privacy policies. These solutions aim to provide concise, more easily understandable, and standardised representations of privacy policies to improve user understanding, engagement, and transparency regarding data handling practices.
Kelley et al. [1] introduced the Privacy Nutrition Label, inspired by nutrition labelling principles to enhance the presentation and comprehension of privacy policies. The label features a bold title to set the context, with short labels for column and row headers and longer definitions available on a Useful Terms page. Information not collected is indicated with a saturated label and a row filled with the lightest symbol. A scale of four symbols, ranging from light to dark, represents the severity of certain privacy practices. Consistent row and column locations enable easy visual comparison of two policies side-by-side. Additionally, a legend explains the meaning of each symbol.
Reinhardt, Borchard, and Hurtienne [2] developed a Visual Interactive Privacy Policy (VIPP) to enhance the usability of online privacy policies through visual representation formats. They gathered qualitative feedback from users on typical privacy policy contents and evaluated both existing and newly designed visual formats. Based on this feedback, VIPP incorporated a Privacy Policy Nutrition Label enriched with control options and interactive elements, such as mouse-over help icons, expandable rows, and clickable cells for additional explanations and information. They avoided using legends (as in the Privacy Nutrition Label) in their VIPP prototype, considering that legends can be easily overlooked and add more clutter. They aimed for the representation to be self-explanatory or to contain contextual explanations.
Barth et al. [3] proposed the Privacy Rating visualisation tool. The development process began with identifying 12 key privacy attributes from extensive analysis and expert consultations [8]. After a card-sort study and further expert advice, these attributes were categorised into four main clusters: collection, sharing, control, and security. Each attribute was operationalised using a three-point scale (good-neutral-bad) to rate online services, which were then classified into seven privacy risk classes, from A (lowest risk) to G (highest risk). The visual design, created in collaboration with a professional design agency, prioritised simplicity, clarity, recognisability, and attractiveness. The design features an EU energy label-inspired format, using letters and colours to indicate privacy classes and icons for the four privacy aspects for quick understanding, with deeper, clickable layers for more detailed information. The practical application of the Privacy Rating involves a self-assessment form on a dedicated website, allowing service providers to generate a tailored privacy label in HTML and PNG formats for easy integration into online services.
Kay and Terry [4] proposed the Textured Agreements - visually enhanced software agreements that utilise visual design methods, like typography, layout, warning symbols, and visual diversity, to enhance software agreements' clarity and user engagement while preserving the original content. The visual diversity includes for example the use o factoids and vignettes. Factoides are small, distinct pieces of interesting or noteworthy information presented separately from the main text to emphasise and highlight relevant details within an agreement or document. They aim to draw attention to specific information, making it more noticeable and memorable for the reader.
Vignettes are brief, illustrative narratives or visual stories that relate to the content of an agreement or document. They aim to engage users by depicting interactions or scenarios involving the software or the agreement itself, typically in a comic-like format. These vignettes serve to create a more direct and engaging connection with the reader, making the content more relatable and personally relevant.
Kitkowska et al. [5] investigated the impact of visual design on the effectiveness of privacy notices presenting privacy policy text for review. They explored visual strategies such as the use of framing, layout, and interactive elements to enhance user engagement and comprehension. Their study demonstrated that incorporating visual cues and controls, such as sliders and interactive icons, can significantly improve users’ understanding and management of their privacy. The research emphasised the role of visual design in activating curiosity, providing users with control, and inducing positive feelings towards privacy notices, ultimately leading to better privacy-aware behaviours.
Platforms: personal computers, mobile devices
Related guidelines: Enhance Privacy Policy Communication with Automated Information Extraction, Implement Interactive Privacy Policy Interfaces, Incorporate Icons to Improve Privacy Policy Communication
Example
A "nutrition label" for privacy [1]. (See enlarged)
Visual Interactive Privacy Policy (VIPP) [2]. (See enlarged)
Privacy Rating [3] (See enlarged)
Exemplo de Acordos Texturizados [4]. (See enlarged)
Excerpts of privacy notifications from [5]. (See enlarged)
Use cases
- Improvement of privacy policies communication and comprehension of how user data is handled with visual strategies.
- Improvement of user engagement with privacy policies.
Pros
- Participants experienced improved information retrieval, faster task completion, and comparable or superior accuracy when using the privacy label compared to a natural language policy, along with a more pleasant experience [1].
- Designed to be used on-screen and in print [1].
- User research findings indicated that the Privacy Rating is usable and useful and significantly impacts users' trust in online services, and participants expressed a desire for such a label to become an established standard [3].
- The Visual Interactive Privacy Policy (VIPP) builds upon the Privacy Nutrition Label proposal to address participants' concerns regarding missed information and direct privacy control options. Additionally, a pre-study indicated a preference for the simple table structure of the Privacy Nutrition Label, forming the foundation for VIPP [2].
- The VIPP was visually and textually simplified by removing unnecessary words and by replacing technical jargon (e.g., ‘opt-in’ or ‘profiling’) with more common words or universally understood icons [2].
- User focus is directed through the strategic use of coloured title rows and columns (in orange and blue) to highlight significant elements, such as a ranking of privacy policy terms derived from a user study, while less crucial aspects are nested within deeper layers [2].
- Textured agreements engage users more than plain-text ones, supported by experiment results [4].
- Visual designs activating curiosity and providing control could improve usability and strengthen privacy-conscious behaviours [5].
Cons
- Participants were confused by the terms 'in' and 'out' (rather than 'opt-in' and 'opt-out') [1], but they were also unfamiliar with 'opt-in' and 'opt-out' [2].
- Online service scores based on self-reporting can hold service providers accountable for discrepancies, yet the ideal approach would involve obtaining privacy ratings directly from policies, either through natural language processing or independent organisation (user study shows that they would prefer the independent organisation approach) [3].
- Although the VIPP showed improvements over the Long Text in several areas, it did not consistently demonstrate statistically significant advantages over the Nutrition Label, despite some noticeable positive changes in terms of stimulation, novelty, and perceived control [2].
- Long-term evaluations of textured agreements are needed to assess their resilience against user desensitisation and habituation [4].
- It could be misused as a "dark pattern" by malicious actors, manipulating users' attitudes towards privacy concerns to increase trust and disclosure, potentially tricking them into sharing more information than intended [5].
Privacy Notices
Such solutions aim to communicate personal data handling practices through privacy notices [6]. It can also be integrated with privacy choices [7], enabling users to make immediate decisions, which researchers find more effective. Considering the design space for privacy notices, this guideline can be applied to the following dimensions:
- At Setup
The proposed guideline can be used to present a privacy notice to users when they are using the system for the first time, so they can be aware of the data handling practices.
- On demand
The proposed guideline can be used to present a privacy notice to users when they actively seek privacy information, for example, in privacy dashboards or privacy settings interfaces.
- Decoupled
This guideline can be applied to privacy notices decoupled from privacy choices.
- Non-blocking
This guideline can be coupled with non-blocking controls, providing control options (privacy choices) without forcing user interaction.
- Visual
This guideline is for a visual notice, using visual resources such as colours, text and icons.
- Primary
This guideline is primarily applied to the same platform or device the user is interacting with.
- Secondary
This guideline can be applied to secondary channels if the primary channel does not have an interface or has a limited one.
Transparency
Transparency [8] is the main privacy attribute since the aim of the discussed solution is to make privacy policies more understandable and accessible to users, moving away from complex legal jargon and helping users make privacy-informed decisions. Other related privacy attributes:
Providing users with comprehensive and comprehensible insights into data handling practices leverages control by allowing users to make self-determined decisions about the sharing of their personal data. Some of the solutions discussed in this guideline also aid informed consent (and thus control) through interactive elements, allowing users to customise their privacy settings and understand the implications of their choices.
References
[1] Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder (2009). A "nutrition label" for privacy. In: Proceedings of the 5th Symposium on Usable Privacy and Security. New York, NY, USA: Association for Computing Machinery, 2009. (SOUPS ’09). https://doi.org/10.1145/1572532.1572538
[2] Daniel Reinhardt, Johannes Borchard, Jörn Hurtienne (2021). Visual Interactive Privacy Policy: The Better Choice? In: Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. New York, NY, USA: Association for Computing Machinery, 2021. (CHI ’21). ISBN 9781450380966. https://doi.org/10.1145/3411764.3445465
[3] Susanne Barth, Dan Ionita, Menno D. T. de Jong, Pieter H. Hartel, and Marianne Junger (2021). Privacy rating: a user-centered approach for visualizing data handling practices of online services. IEEE transactions on professional communication, IEEE, v. 64, n. 4, p. 354–373, 2021. https://doi.org/10.1109/TPC.2021.3110617
[4] Matthew Kay and Michael Terry. Textured agreements: re-envisioning electronic consent. In Proceedings of the Sixth Symposium on Usable Privacy and Security (SOUPS '10). Association for Computing Machinery, New York, NY, USA, 2010, Article 13, 1–13. https://doi.org/10.1145/1837110.1837127
[5] Agnieszka Kitkowska, Mark Warner, Yefim Shulman, Erik Wästlund and Leonardo A. Martucci (2020). Enhancing privacy through the visual design of privacy notices: Exploring the interplay of curiosity, control and affect. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020) (pp. 437-456). https://www.usenix.org/conference/soups2020/presentation/kitkowska
[6] Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Symposium on Usable Privacy and Security (SOUPS 2015). [S.l.: s.n.], p. 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf
[7] Yuanyuan Feng, Yaxing Yao, and Norman Sadeh (2021). A Design Space for Privacy Choices: Towards Meaningful Privacy Control in the Internet of Things. In CHI Conference on Human Factors in Computing Systems (CHI ’21), May 8–13, 2021, Yokohama, Japan. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3411764.3445148
[8] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288