Privacy Short Notice Design

February 17, 2011

By Travis Pinnick
User Experience Designer | TRUSTe

Part III: Proposed Design
[This is part 3 in a series about the design of a TRUSTe Privacy Short Notice. For background on the project see part 1 and part 2.]

TRUSTe Short Notice and Icon Design
TRUSTe is currently in the process of designing an icon-based privacy short notice for simplifying and summarizing consumer-facing privacy statements in a browser-based client. The tool will initially be a simple, consumer-facing presentation layer of a TRUSTe-hosted XML-based policy database, but could ultimately become an open-source standard for inclusion by browser manufacturers available for certification by other third-party privacy authorities.

Initial proposed short notice design [view interactive demo]

Short Notice / Icon Design User Testing
In January I conducted a qualitative user assessment [view video highlights] of variations of two short notice designs, the focus of which was to ascertain the following:

  • Do consumers conceptually understand the concept of a privacy short notice?
  • What are the short notice categories users find relevant?
  • How should the icons be designed / categories be presented to best represent how consumers think about privacy?

The test consisted of 10 users (5 intermediate and 5 advanced based on self-attestation of technical ability).

TRUSTe Short Notice Categories
One of the first considerations for the privacy short notice is deciding which categories should be represented, and how these categories can be dynamically populated based on the content of our XML policy dataset – attempting to represent the dataset in its entirety with icons is counterproductive for the short notice design.

For my initial user tests I created short notice designs based on Alissa Cooper’s W3C Privacy Ruleset and Aza Raskin’s Privacy Icons. In both cases the categories are variations of the concepts of data use, data sharing, and data retention (focused on how data is used, not what data is collected).

Alissa Cooper’s (CDT) W3C Privacy Ruleset

  • Data Sharing – internal, affiliates, unrelated, public
  • Secondary Use – contextual, customization, profiling
  • Data Retention – none, short, long

Aza Raskin’s (Mozilla) Privacy Icons

  • Secondary Use
  • Data Bartered or Sold
  • Data Shared with Advertisers
  • Data Retention

The Raskin design uses the 4 categories and corresponding icons Raskin proposed. Each category can have only one binary value in the short notice (ie. site either DOES or DOES NOT share data).

Raskin design- binary value categories:

The Cooper design uses the 3 categories Cooper proposed in conjunction with icons I designed. These categories have scaled values (ie. site shares data internally, or with affiliates, or with advertisers) which range from most restrictive to least restrictive data practices. I also added my own category, ‘third party tracking’ which links to the TRUSTe tracker preference manager.

I tested two variations of this design (one where the values are NOT mutually exclusive (ie. data sharing may have all three values- ‘internal, affiliates, and advertisers’), and one version where the values ARE mutually exclusive (each value presupposes it includes the values below it). [Note: After the first 4 users I made a subtle adjustment to this design: I altered the icons in an attempt to test more icon designs with a limited user set].

Cooper design – non-mutually exclusive values left, mutually exclusive right:
[click to enlarge]

Category Descriptions
Both designs consisted of a summary screen (shown above) and a more detailed category description page shown here. For each category I used red to indicated the most extreme / least restrictive value, though the tool could potentially support user preferences to determine which values should trigger a ‘red icon’, alert, etc.

Category descriptions- Cooper scaled values left, Raskin binary values right:
[click to enlarge]

User Testing Conclusions
Based on the results of the user testing I reached the following conclusions regarding short notice design:

1] Advanced users grasp the concept of online privacy and the purpose of a short notice more easily. Of the 5 advanced users tested, all were able to given a reasonably adequate description of a privacy short notice prior to be being shown the design, whereas the intermediate users had a more difficult time articulating their expectations, or had none at all.

2] Users don’t seem to have preconceived notions of what categories make the most sense regarding web privacy, they expect an authority (like TRUSTe) to do that for them. Every user tested was unable to articulate what categories they expected to see, but also every user agreed that the first categories they were shown met their expectations, regardless of what they were.

3] Users don’t seem to have a preference whether the categories have binary values or scaled values, but all users preferred each category to use a single, mutually-exclusive value to describe a given practice. Users universally agreed they preferred the single, mutually exclusive value presentation to the multiple value presentation, but were perfectly comfortable with the scaled value categories presuming the summary only showed one value per category.

4] Users have no clear preference whether there are different icons for the values within a category, but they expect the icon to change state, preferably with color. Users like for the tool to tell them which practices are the most restrictive and which are the least, and they like this conveyed with color. Users had no preference regarding the use of alternate icons designs depending on state (Raskin) versus altering the color of the same icon design.

5] Icon Design may not be as important for the short notice as category selection and taxonomic presentation. While users generally preferred the lighter (white background) icon designs with color used to indicate state (yes/no, or least restrictive/most restrictive), the actual icon used seemed to be of minimal importance compared to user concerns over taxonomic presentation of the category/value concept. No user was able to articulate clearly what icons they associated with the categories other than the ones shown, and 3 of 10 users made some variation of the comment that initially the purpose of the short notice is to educate, and as long as the icons made reasonable sense in the context of the categories they would eventually come to be associated with their intended meanings.

Possible revised short notice design [view interactive demo]

Future Work
This project is currently ongoing. Based on the results of this test and learnings from similar work in this space we will continue to refine our short notice design with an expected release date of mid-2011. Feedback is invited and welcome, and TRUSTe is looking forward to continue to provide input and contribute to this important project. If you have any questions or comments please contact Travis Pinnick, TRUSTe User Experience Designer at

Follow me on twitter at @xtratrav.

2 thoughts on “Privacy Short Notice Design

  1. This is good stuff. I must defer to the privacy experts on issues like taxonomy and specific categorizations. But in terms of presentation, could the initial display state simply be icon, label, and status? If the user only wants a cursory review, that might be all they’d need. If a more savvy or privacy-conscious user wants to drill down for more detail, perhaps they could click or hover over the icon to reveal the explanatory text and any related actionable items (links, buttons, etc).

    Also, has there been any discussion on a standardized method of weighting these criteria to provide a score? Again, a savvy user might reasonably be expected to know a site that gathers financial data and barters it with unaffiliated third parties is risky. But a less sophisticated one might need more guidance, similar to how local health departments rate restaurants and summarize the results. They may not understand how ad networks function, but would understand 20/100 vs. 90/100.

Leave a Reply

Your email address will not be published.