Protecting user privacy through design

Profile picture of Lillian Xiao





Designers can help ensure that the user information and data they’re entrusted with is handled with care. Here’s how.


A 3D illustration of a plastic bag with a card that reads “Accept Cookies” and an image of a large cookie, plus a nutrition facts label


Privacy is a more important issue than ever for designers. With recent regulations on data protection and privacy — such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) with its recent expansion via the California Privacy Rights Act (CPRA) — there’s a growing need for digital products that respect users’ data.

For designers, this means creating work that empowers people to make more informed decisions about their privacy, and giving them easier, more accessible ways to control their data. Let’s look at some of the key legislative requirements and explore how designers can advocate for better protection of their users’ data, activity and personal information.

1. Designing for transparency in data collection

Data minimization is one of the major requirements set forth by the GDPR and CCPA. It includes explaining why you’re collecting certain data, and asking for no more than is necessary for that purpose.

For designers, there’s opportunity here for creating forms that clearly explain why you’re collecting certain information. Generally, the more sensitive or private the information is, the more effort should be put into explaining why it’s needed. These explanations can include why you need the data, its benefit to the user, and the security measures that will be taken to handle the data.

Here’s a great example from Mailchimp. During the onboarding process, they clearly explain why, according to international laws, they need a physical address when setting up your account.

A screenshot of an onboarding online form on the Mailchimp website

Here’s another great example from Dropbox. This part of the sign-up flow asks for a preferred email if a user has signed up using Apple’s “Hide My Email” feature (which creates a randomly-generated email). The prompt explains the benefits of using an email address that your collaborators can recognize.

A screenshot of the Dropbox sign-up on mobile

Designing or redesigning products with user privacy in mind allows you to question existing UX practices, and to explore whether there are better alternatives for getting the same information. For example, if you need to ask for someone’s age, having them provide their date of birth would be considered asking for more information than you need. Not only are people more likely to provide false information when asked for data that seems too personal, it could also be unnecessarily risky if the data is not securely stored and protected.

Customizing forms on Editor X

In order to foster transparency in your data collection process, create descriptive input fields and forms on your Editor X site. You can fully customize your forms in order to make their content easy to understand and trust.

2. Receiving clear consent to automated data tracking

Another way sites collect data on users is through cookies. Cookies are small pieces of data that a site stores in the browser, and they are commonly used to record our site visits and activity. Under the GDPR, users have to provide active consent, such as opting in, to being tracked by most cookies.

For designers, empowering users to opt in (or stay opted out) to cookie tracking and allowing them to revoke access at any time is crucial. Users’ consent should be given as a conscious choice, rather than as something that they may not be aware of (such as with pre-checked boxes), and it should be just as easily withdrawn if users change their minds at any time. Designers should also provide information about the types of cookies used by the site, so that users can make informed decisions about their preferences.

A great example can be found on Slack’s site. The cookie consent form clearly explains each category of cookies (strictly necessary, functional, performance, and targeting), and allows users to opt in or out using a toggle switch.

A screenshot of a cookie consent form popup on the Slack website
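The opt-in model described above, using the four categories from the Slack example, sketched as consent-state logic. This is an added example, not code from the article or from Slack; the category identifiers and function names are assumptions.

```javascript
// Added example; category identifiers and function names are assumptions.
const CATEGORIES = ["strictly_necessary", "functional", "performance", "targeting"];

function createConsentManager(saved = {}) {
  const state = {};
  const pending = {}; // category -> loaders waiting for an opt-in
  const log = [];     // choices made, so the UI can show and confirm them
  for (const c of CATEGORIES) {
    // Optional categories start OFF: no pre-checked boxes, silence is not consent.
    state[c] = c === "strictly_necessary";
    pending[c] = [];
    // Restore only explicit earlier choices; anything that is not a boolean is ignored.
    if (c !== "strictly_necessary" && typeof saved[c] === "boolean") state[c] = saved[c];
  }

  function check(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  }

  function set(category, granted) {
    check(category);
    if (category === "strictly_necessary") return false; // not a user toggle
    state[category] = granted;
    log.push({ category, granted, at: new Date().toISOString() });
    if (granted) {
      // Drain loaders that were waiting for this opt-in.
      for (const load of pending[category].splice(0)) load();
    }
    return true;
  }

  return {
    grant: (category) => set(category, true),
    revoke: (category) => set(category, false), // as easy as granting
    allowed: (category) => { check(category); return state[category]; },
    // Run a script loader only after its category has been opted into.
    whenAllowed(category, load) {
      check(category);
      if (state[category]) load();
      else pending[category].push(load);
    },
    snapshot: () => ({ ...state }),
    history: () => log.slice(),
  };
}
```

Revoking stops any further loaders in that category from running; cookies that were already set still have to be deleted by the site when consent is withdrawn.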

The CCPA doesn’t require users to consent to cookie tracking, but it does ask that sites include a link labeled: “Do Not Sell Or Share My Personal Information.” Despite the laws around this, users are struggling to opt out of the sale of their personal information. The obstacles range from not being able to find the link to not receiving confirmation that the opt-out was honored, and at times they stem from the use of deceptive dark patterns.