Privacy By Design Checklist


I’ve been scouring around for guidelines that will keep lawyers and companies on track when composing & displaying Privacy Notices. It’s obvious — we need a clearer conception of what it means to ‘clearly & conspicuously’ give consumers notice of their rights.  People should be able to understand what will happen if they engage with a product or service — whether online or off.

I’ve collected together some useful writings and guides on what could be done to make privacy notice more effective.

Information Design Model - Open Law Lab

Aleecia M. McDonald, a former Carnegie Mellon University PhD made a presentation on “Visualizing Privacy,” summarizing her findings and research on the effectiveness of privacy designs.

She called out 6 Fundamental Rules for Privacy Policies:

  1. Keep it simple
  2. Good design matters
  3. Design to avoid bias
  4. Whole-to-part design is critical — “Without context, they understood virtually nothing”
  5. Standardization is effective
  6. Disclosure table is critical

But if these are a little to high level, then let’s go point by point. McDonald points to four elements of a notice design that should be composed carefully:

  1. Title
  2. Framing
  3. Disclosure Information
  4. Opt-Out Options

Each of these four has its own little checklist of what to avoid and what to do.  Here we go!

The rules guiding the designs of Titles:

  • Attract consumers’ attention so that they will read the notice
  • Avoid inflammatory language
  • Helps consumers understand that the information is from you
  • State clearly — this is about sharing of your data
  • State clearly — their personal information is currently being collected and used by the company
  • Explicitly mention consumer rights

The rules about Framing:

  • Give the user the context of why you are telling them about this information collection
  • Tell them why it may be important to them
  • Tell them why you are collecting and using information
  • This framing will provide them with context and support their understanding of your data practices
  • Provide a KEY FRAME, that details the essential points on your data scheme
  • Provide a SECONDARY FRAME, with nice-to-have info like FAQs, details, and mandates

The rules about the Information Disclosures

  • Identify what the Goal of the Disclosure is
  • Present these goals in a numbered list to the consumer
  • Detail exactly when you will or may share their information
  • Detail exactly what you will disclose
  • List what customers can opt out of
  • Present a direct comparison of how your disclosures compare to other similar companies

The rules about Opt-Out Option:

  • If you can, put it on a separate page to make it easy to mail in
  • Give clear path of action to opt-out, ideally with link or means of action
  • Should be designed to help consumers understand how to opt-out
  • Must be structured by type of sharing consumers can opt-out of