Stop hiding behind your privacy policy: build consumer trust (ADM.be, 2015)

www.collibra.com Stop hiding behind your privacy policy: Building Consumer Trust –ADM info session on Privacy & UX

building consumer truststop hiding behind your privacy policy

Ann Wuyts (@vintfalken)Visual & UX Designer at

Stop hiding behind your privacy policy: Building Consumer Trust –ADM info session on Privacy & UX

Having knowledge of the customer is the only durable competitive advantage for companies.

Bruce Kasanoff, the author of Smart Customers, Stupid Companies


Four phases of cognizant computingGartner, Future of Smart Devices, 2013

1. SYNC ME

2. SEE ME

3. KNOW ME

4. BE ME

Store copies of my digital assets and keep it in sync across all end points and contexts

Know where I am (and have been) on the internet and in the real world. Understand my mood and context to better align services

Understand what I want and need and proactively present it to me

Act on my behalf based on learned and explicit rules

94% COMPLETED

82% WEARABLES UPDATE

31% … LOADING DATA

INITIALIZING.. 12%


‘Know me’ lock-in

I’m not leaving these behind Could not do without.. So easy that you remember!

On top of increased spend due to personalization of offers


Users expect Personalistation & Personal

Experiences for the ‘most personal device ever’ are..

RELEVANTare you engaging at the right moment?

GLANCEABLE can you deliver value in milliseconds?

PERSONAL do you approach people in the right

manner?


No other Apple device has ever been so connected to the wearer. It is important to be mindful of this connection .Apple Watch Human Interface Design Guidelines, 2015


Machine-to-human relationships are now about human-to-human values

UNDERSTANDING PERSONALISATION

H2H M2H

TRUST PRIVACY


The Privacy ChallengeConcern about privacy jumped 5 points between 2014 and 2015. 2nd Annual Poll on How Personal

Technology is Changing our Lives -January 2015, Microsoft


Loss of control

Privacy challenge: user point of view

91% of adults ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.

Pew Research Privacy Panel Survey, January 2014


Lack of transparency


People are fearful of sharing their data largely because companies and government have not been good at clearly explaining how they use it.

Data Dialog, Demos 2012


Understanding ‘privacy’


Pew Research Privacy Panel Survey, January 2014


“Privacy ≠ Security

Co-founder of AlertMe- Pilgrim Baert

Security is a very important topic, but it’s primarily a technical topic, and to a large extent it’s a very well-understood one. If you pay attention to security, it is possible to get it right, whereas privacy is something that’s much more fluid and is much more about social norms, expectations, implicit contracts between consumers and providers.”


1. ComplianceWhy should organisations care about privacy?


2. Competitive advantage

Privacy is not only a fundamental right, it can also be a competitive advantage .

Neelie Kroes

Conform to EU legislation? Ready for the world market!

People can trust you with their digital identities? Sets you apart from competition

Why care?


“2014 US Consumer Data Privacy Study: Consumer Privacy Edition, TRUSTe

9 out of 10 consumers avoid doing business with companies who they feel are not protecting their privacy online


3. Privacy is part of the productWhy care?

proportionality

trust

PRIVACY PILLAR

PRODUCT


Privacy as a Trading Function?Customer Data: Designing for Transparancy and Trust – by Timothy Morey, Theodore Forbath, And Allison Schoop, May 2015 (Harvard Business Review)


Data in exchange for saving money, time, and energy


“ 61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.

But are we doing a good job at offering them these savings?

Pew, 2014


Privacy is a fundamental component of the product experience

BUSINESSVALUE

CONSUMERVALUEPRIVACY

PERSONALISATION

GREAT UX


Being credible

useful

usable desirable

credible

valuable

findable accessible

User Experience Honeycomb (Peter Morville)

credible2004

the information you present to users

2015taking responsibility to

keep personal data safe


Delivering understanding & trustWe owe it to both our users and the people who hire us to actively think about privacy, and to implement privacy in the flows and designs we deliver.

B. We need to deliver trustworthy products.

A. We need to deliver great, personal experiences.


• Privacy• Personalisation• Both• Neither

Q 01 What do you feel has most weight in your organisation?


Privacy requires a clear mandate to get things doneYou can’t do it alone. It is multi-disciplinary and cross-departmental.

Everybody accepts it is important –but not a single department has it as

a priority.

Have privacy as part as the project plan and estimates as soon as

possible.

A continuous need to explain the significance of privacy in the overall

product & company picture

Have privacy as a deliverable, avoids the delays & soring costs of adding it after

the facts.


• Yes, very much so• Mostly legal• Mostly IT• It’s a department on its own

Q 02 Do you feel ‘privacy’ is treated as cross-departmental at your organisation?


Making a case for education(knowledge = control)


“Reality check on IoT

Acquity Group, 2015

87% of consumers has never heard of the Internet of Things

However, they are more familiar with connected objects in specific contexts.

• ‘IoT’ is an industry term

• Consumer understanding is limited to the vertical (industry-specific) level, where as the IoT is inherently horizontal


“Understanding the connected ecosystem

Consumer understanding of IoT as a term, neverminda phenomenon, is extremely low. To understand that a device is connected is not the same as understanding the implications of a connected ecosystem—of the Internet of Things.

Altimeter, 2015


“Please explain

85% of consumers wants to understand more about how their data is collected before using connected devices

2014 TRUSTe Privacy Index: Internet of Things Edition, TRUSTe


“Privacy policies is no guarantee (but the consumer does not know that)

65% do not know that the statement “When a website has a privacy policy, it means the site will not share my information with other websites and companies without my permission” is false.

The Tradeoff Fallacy: How Marketers are Misrepresenting American Consumers and Opening them Up to Exploitation

Turow, Hennessy, Draper


So let’s just do this?

email

password

If have read and agreed to the terms of service and privacy policy.

SIGN UP


Let’s don our white hats!

Educate userson privacyand security.

Marketing then gets to sell this as if we are white knights in shiny armor saving the users in distress. ;)


Axiom’s AboutTheData


Google ads on the London Tube


Education: seize the moment

Can everybody access your email on your phone?

Make sure only you can access your email – and password resets – on

your phone.

Protecting your iOS or Android device using an access code or

gesture takes only 2 minutes to set up. Let’s show you.

Hi! Instructions to reset your password have been sent to

i**** @ g****.com

If they do not arrive within 5 minutes, please click here.


Education: don’t be afraid to point to third party resources or tools

Bye bye little black book. Have you ever tried a password manager?

A password manager is a software application that helps a user store

and organize passwords. Learn more on wikipedia.

(Because so many of you asked: here at the Xcomp offices, we use

Last Pass)

Hi! Instructions to reset your password have been sent to

i**** @ g****.com

If they do not arrive within 5 minutes, please click here.

**********************************


In case of breach• Consider a breach likely – and

prepare accordingly• Do not play the victim• Be accountable• Take ownership• Express regaret

1. What happened? (tell what you know at that time)

crisis communications(works for downtime communication too)

2. What is being done *NOW*? (investigate, take systems offline, ..)

3. How does this affect your customers? (both short- and long term)

4. What are you doing to minimize risk? What can your customers do?

5. How do people get more information or updates?

(folluw up) 6. What are you doing prevent this from happening again?


• Yes• No• Somewhat

Q 03 EducateDoes your organisation provides additional informational resources around privacy and security? (e.g. disclosures, partner lists, risks, opportunities, 3rd party resources or tools, risk assessment tools, .. )


Informed consent(transparency & control) Yes, I do!


“Step 1: Get consent

Privacy does not benefit from a “do first, ask forgiveness later” strategy.

(avoid: “Hey, we just lost all this data of yours you did not we had in the first place.”)

(what), why, where, to whomset correct expectations


“Step 1: Get explicit consent

By signing this contract, you agree we have the right to collect and pass on all your information. In case you do not want your bank to pass on your credit information to third partners and other divisions, please write ‘I do not agree’ on the contract and hand it over to the person behind the till.

EXPLICIT EXPLICIT NOT EXPLICIT(hidden opt-out)

NO YES

IF YOU AGREE, PLEASE CHECK THIS BOX:


“Step 1: Get informed, explicit consent

Users don’t want simple things. They want things they can understand.

@jnd1er (UX lx 2011)


Design for informedNo surprises

Option:

Offer a tldr; summary


One-page privacy policiesNo surprises

• one-page privacy policy

• will go in effect October 15

• “simpler, clearer and more transparent” (Chief Legal Officer Harvey Anderson)

• challenged other companies to do the same


“AVG’s new privacy policy is uncomfortably honest about tracking users.”In making its privacy policy easier to understand, AVG has also opened itself up to a backlash.

- Columnist Jared Newman

Damned if you do, and damned if you don’t. Resulting PCWorld headline:


Fix?• Add a paid option that collects

and passes on fewer data (‘business’?)

• Offer a clear comparison

Aka

give people CHOICE

Rather we have only the essential data required to keep you secure? Compare

our free to our pro offerings



Q 04 Informed consentDoes your organisation require users to give their informed consent?


Choice(control)


ChoiceACCESS DURATION

People forget to ‘revoke’ things. Supply limited time access options:

WeChat: location discoverable for 10 minutes (default)

LinkedIn: access duration settings (weeks -> months -> years)


ChoiceOFFER ALTERNATIVES: NO BINARY YES/NO TO ALL SERVICES

In your designs and flows, take into account both having and not having the data.

Design personalized experiences for when you have data.

Design good alternatives for not having the data.

Today will be sunny

Weather for Olen, Belgium where we know you live.

Check out the weather!

Antwerpen


ChoiceMAKE IT EASY TO LEAVEBUT CONVINCE THEM TO STAY

Think about WHY people are leaving, and offer alternatives.

“snooze” servicesless-email-optionreset profile/account..

(and remember data portability!)


Do you want to knowif your friends are (action/mood/..) ?

Do you want your friends to know if you are (action/mood/..) ?

Don’t allowOK

Choice: keep peer-to-peer privacy in mindAsk the right question: not do you want to see, but are you willing for others to see..



Q 05 ChoiceDoes your organisation provide users with options towards the collection, use, sharing, storage of their data?


Empower(control – agency matters!)


Empower

Easy access overview of privacy settings

CLEAR & CONSISTENT, SO PEOPLE CAN TRUST YOU TO POINT OUT PRIVACY RELATED FEATURES & SETTINGS.


REWARD SECURE BEHAVIOUR

Users that enable two-step security on their accounts will now receive a 10% discount off their monthly bill Mailchimp bill.

Empower

Offer the tools& reward usage


Empower

Tools to make secure habits easyBURNER ACCOUNTS

Kinja introduced these for anonymous commenting. They made private keys understandable through metaphor.

“…if you lose the burner key initially issued we will not be able to retrieve this information for you or reset the account. Save your key.”


Because…EXPLAIN YOUR MAGIC – WHY DO YOU NEED THE DATA?

When users know of the existence of a certain algorithm, their satisfaction with the product increases over time , probably as they start to understand its workings better. Yet when they discovered an algorithm they were previously unaware of, users felt betrayed.


WORST CASE SCENARIO

“In the extreme case, it may be that whenever a software developer in Menlo Park adjusts a parameter, someone somewhere wrongly starts to believe themselves to be unloved. ”

– Eslami et all.


Because allows people to correct you when you are wrongShow people their data selfs

If we are going to allow algorithms and expert rules to steer our behaviour, we must know they understand that correctly. Training is essential!

Allow for: - Correction- Reset



Q 06 EmpowerDoes your organisation provides tools that allow your user to be in control of their data? (beyond emailing privacy @ organisation.com ;))


Value Exchange(control)


Reflect all data collected in functionality


Accelerometer

Gyroscope

Microphone

Camera

In-App Usage

GPS

Expectedvalue

Useracceptance

Wi-Fi

Browsing History

The more permissions are required, more added value is expected from the mobile app.

Calendar

SMS

Light

GSR

Privacy as a trading function: quality


Beware locationSpecial data which under the GDPR will require extra safety measures

avoid when possible

coarse location



Q 07 Value ExchangeDo you feel your organisation offers fair value for the consumer data it collects?


“As a species we have had roughly 100,000 years to develop our behavioral norms in the physical world; but we have had barely 100 years to develop such norms in the digital world.


We are influencing what is acceptable.


“We are

building the future.

Let’s do so responsibly,

together!

Build consumer trustStop hiding behind your privacy policy

Ann Wuyts (@vintfalken)Visual & UX Designer at Collibra


Credits & further reading materialsCheck these out!

On the Paradox of the Simple Privacy Policy by Jedidiah Bracy, CIPP/E, CIPP/UShttps://iapp.org/news/a/on-‐the-‐paradox-‐of-‐the-‐simple-‐privacy-‐policy/

The IoT Manifetohttp://iotmanifesto.org/

Consumer Perceptions of Privacy in the Internet of Things (Altimeter)http://www.altimetergroup.com/pdf/reports/Consumer-Perceptions-Privacy-IoT-Altimeter-Group.pdf

Few Feel that the Government or Advertisers can be Trusted -‐ Pew Research Privacy Panel Survey, January 2014http://www.pewinternet.org/2014/11/12/few-‐feel-‐that-‐the-‐government-‐or-‐advertisers-‐can-‐be-‐trusted/

Views from Around the Globe -‐ 2nd Annual Poll on How Personal Technology is Changing our Lives, January 2015, Microsoft http://mscorp.blob.core.windows.net/mscorpmedia/2015/01/2015DavosPollFINAL.pdf

Gartner Says by 2017 Your Smartphone Will Be Smarter Than You (Gartner)http://www.gartner.com/newsroom/id/2621915

The Obvious Data Usage Principlehttp://www.keek.be/2015/the-obvious-data-usage-principle/

Transparency about algorithms leads to increased product satisfactionhttp://www.keek.be/2015/transparency-about-algorithms-leads-to-increased-product-satisfaction/

A list of 41 questions worth asking to better understand the ethical implications of the technologies we create and use:http://thefrailestthing.com/2014/11/29/do-artifacts-have-ethics/

.. and a little thought exercise:

Do artefacts have ethics?

Stop hiding behind your privacy policy: build consumer trust (ADM.be, 2015)

Technology

Transcript of Stop hiding behind your privacy policy: build consumer trust (ADM.be, 2015)