By Jen King on February 26, 2020 at 12:33 pm
Yesterday I submitted a second set of comments (see the bottom of this post for a copy) to the California Attorney General’s office for the February round of the California Consumer Privacy Act (CCPA) rulemaking process. I had the privilege of working with Tianshi Li, a fourth year Ph.D student in human-computer interaction at Carnegie Mellon University this round, which was useful as our primary topic was one that fit squarely in the intersection of design, usability, and policy: the proposed logo required by the statute to identify a company’s Do Not Sell My Personal Information link.
Our colleagues at Carnegie Mellon University recently conducted a study to explore how best to communicate the Do Not Sell concept to the public. Their specific recommendation, which was submitted to the Attorney General’s office, was a “toggle” icon with the Do Not Sell My Personal Information” tagline:
If the AG’s office must adopt a logo, we support CMU’s proposed design, which was methodically tested and documented in their report. However, if the AG can dodge the issue of a logo at this juncture, we recommend that path as we think a better approach would be to evaluate the larger landscape of how we present privacy policies and other privacy options rather than tacking on yet another visual signifier. Finally, we do not recommend the AG adopt the option presented in the 2/10 draft regulations: a red toggle button which appears to be based on Apple's iOS user interface guidelines (below).
We outline the reasons in depth in our comments, but in a nutshell: it’s confusing. We argue people are more likely to misconstrue this as an actual interactive toggle switch and not a logo, which can lead them to believe that they are already opted-in to Do Not Sell, and may reduce the discoverability of the actual controls (which, to be clear, would be linked to a separate webpage from this proposed logo; the logo is not intended to be an actual control). Even when paired with a tagline (see below), in a very informal survey I conducted my participants all thought this was an interactive element that conveyed an actual system status (that Do Not Sell on the website was set to "off").
The design of notices, icons, logos and links is an area that requires expertise from visual designers and human-computer interaction experts (including interaction designers and user experience researchers). Done on the fly and without the insights of these professionals, we risk legislating ineffective design that puts consumers at a disadvantage in terms of exercising the very rights these laws are attempting to provide.
zohar March 1, 2020 at 6:19 amPermalink
Very interesting. Agreed that many people might find the toggle icon confusing. We are conducting similar research projects on privacy icons in Europe, with quite a differen set of transperancy requirements under the GDPR, however: https://privacyiconsforum.eu/. That said, the medodological challanges are similar. Happy to share insights.
Add new comment