This is one in a series of articles about Privacy by Design and privacy engineering. Others are grouped under the Privacy by Design tag.
One of the many significant changes being introduced in the forthcoming European Union General Data Protection Regulation (GDPR) is the requirement to adopt principles of Privacy by Design (PbD) when creating or revising processes or technology.
Given their public-facing nature and role in collecting personal data, websites need to be first in line as companies consider the changes they will need to make to comply with the new rules. Websites are often the first and sometimes the only point of contact between an organisation and its prospects and customers. An organisation’s website therefore sets the tone for the brand.
It also collects personal data from users by a variety of mechanisms. Increasingly consumers are concerned about what companies do with their personal data. How is it used? Who is it shared with? For what purpose? Addressing these concerns is the purpose of PbD.
A PbD approach to web design and development needs to take into account the two broad modes by which visitor privacy is impacted:
Volunteered personal data
Automated personal data collection
Volunteered personal data
The volunteered data part, generally the information provided via online forms, is relatively easy to deal with, although there are a few things to look out for. For example, the site must be clear about all the potential uses for the data, not just the uses the subject expects.
What happens to the submitted form data is a crucial design issue. Any change in the way personal data is used is likely to require a clear opt-in mechanism each time this occurs as well as an opt-out box to allow users to change their mind. If the data is to be copied, stored in a CRM or transferred elsewhere, this will also require consent.
Not all volunteered data is captured directly through web forms, however. Can people set a language preference on your site? Do any interactions result in content being personalised? This could be considered volunteered personal data. How are people notified about this? How is the information saved, for how long? These are all valid PbD considerations.
Automatically collected personal data
A big change in the draft legislation is that cookies that act as unique device or user identifiers – such as those used for online tracking and user login – are likely to be considered personal data. This means that you will need to evaluate every element of your website that sets cookies and identify whether those cookies carry personal data.
This has particular implications for technologies that set third-party cookies. In particular, it would no longer be possible to make the argument that “we are not responsible for third-party cookies”.
For example, PbD principles suggest that you can’t just add a standard Facebook Like button to your pages by default. You would need to ask users to opt-in to such features, while also making sure that they are aware of the privacy implications of doing so.
A requirement to follow PbD principles means considering the privacy impact of such technologies throughout the development process. This is no easy task, as many technologies designed to be integrated into other sites are not clear about their data collection practices.
The impact on the user interface
PbD requires a thorough examination of the architecture of a website and its privacy impacts. It also requires mechanisms for visitors to be able to make realistic privacy choices. This, of course, means that there is a need for interfaces to support such choices, and this may be one of the greatest challenges for web design.
The kind of notices that we have seen arising from attempts to comply with the cookie law will not readily suffice – they are neither granular enough nor present enough to allow real choice. What will be needed are more dynamic interfaces, showing and hiding content and functionality based on the choices the visitor has made.
Such interfaces are not uncommon – the best web design already configures content and services around users. This is what “personalisation” is. However, interface personalisation is generally not clear to the user, especially when and why it occurs. PbD means not only making the fact of personalisation explicit, but providing explicit choices about whether or not it should take place.
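The opt-in before a third-party Like button is added, and the interface that shows or hides functionality based on the visitor's choice, can be combined into one small consent gate. The following is an added example, not code from the original article: the storage key, version number and purpose text are assumptions, and the storage and vendor loader are injected so the decision logic runs outside a browser as well.

```javascript
// Added example, not code from the original article: a third-party embed
// (e.g. a Like button) is only loaded after an explicit, current opt-in.
// Storage and the vendor loader are injected so the logic also runs in Node;
// in a page, pass window.localStorage and a function that injects the
// vendor <script>. Key name, version and purpose text are assumptions.
const CONSENT_KEY = "pbd-consent";
const CONSENT_VERSION = 2; // bump when purposes change: earlier answers no longer count
const PURPOSES = {        // purpose id -> notice shown before the user decides
  "social-like": "Loads a third-party Like button, which sets that provider's cookies.",
};

function createConsentManager(storage) {
  function load() {
    try {
      const state = JSON.parse(storage.getItem(CONSENT_KEY));
      // Consent recorded against an older purpose list is not consent for this one.
      return state && state.version === CONSENT_VERSION ? state : null;
    } catch (e) {
      return null; // missing or corrupt value: no decision on record
    }
  }
  function set(purpose, allowed) {
    if (!(purpose in PURPOSES)) throw new Error("unknown purpose: " + purpose);
    const decisions = (load() || { decisions: {} }).decisions;
    decisions[purpose] = allowed;
    storage.setItem(CONSENT_KEY, JSON.stringify({ version: CONSENT_VERSION, decisions }));
  }
  return {
    // Default deny: only a stored, current, explicit true enables the embed.
    isAllowed: (purpose) => { const s = load(); return Boolean(s && s.decisions[purpose] === true); },
    grant: (purpose) => set(purpose, true),   // opt-in
    revoke: (purpose) => set(purpose, false), // opt-out: the user changed their mind
  };
}

// Render one embed: the vendor code if allowed, otherwise a placeholder that
// states the purpose and offers the opt-in. Returns which path was taken.
function gateEmbed(manager, purpose, loadVendor, showPlaceholder) {
  if (manager.isAllowed(purpose)) { loadVendor(); return "loaded"; }
  showPlaceholder(PURPOSES[purpose]);
  return "placeholder";
}

// In-memory stand-in for localStorage, constructed so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

Because the version number is part of the stored decision, changing the list of purposes automatically invalidates earlier answers, so the visitor is asked again rather than having old consent silently reused.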
Allied to this, designers will also have to decide whether or not they want to give access to content and services to people who make privacy choices that go against the economics of the site. Sites that offer free ad-funded content may need to decide whether they will allow access to visitors who use ad-blocking technologies, for example.
Clearly these are not just decisions for “designers” in the traditional sense – they are also examples of some fundamental questions for digital strategy. The new law will mean there will be no getting away from questions like these when it comes to a new web build. The time is fast approaching when some answers will be needed.
Richard Beaumont is a privacy and cookie law specialist at Governor Technology