Designing Privacy Policies

50 Pages Posted: 30 Mar 2016

Date Written: March 29, 2016


To date, most privacy laws and regulations attempt to achieve the goal of providing consumers with adequate notice and choice by regulating the content of privacy policies. But, as the privacy by design movement argues, the platform's underlying design structure is equally, if not more important, than substantive terms. But neither the design denialism of current law nor the design exceptionalism of the privacy by design movement adequately accounts for how design can be both a boon and a harm to users. This paper argues that in addition to focusing on content, privacy regulators must also consider the ways that privacy policy design — the artistic and structural choices that frame and present a company’s privacy terms to the public — can manipulate or coerce users into making risky privacy choices they otherwise would not have made. I present empirical evidence to describe the role played by policy design in manipulating the choices of Internet users and provide a clear way for legislators and privacy regulators to account for designs positive and manipulative power in privacy laws and enforcement actions.

To argue that the design of privacy policies can coerce and deceive Internet users, I show the following: Relying on extensive social science, art, architecture, and urban design scholarship and several illustrative examples, I show that the underlying design of a built environment can be used to manipulate an audience or users of the space. I then present evidence from a review of the designs of 200 privacy policies from diverse websites and show that most privacy policies are designed in ways that make them difficult to read. Finally, I present results of a 2000-person MTurk empirical study showing the effects of different designs on user privacy choices. The survey, which was divided into four parts, asked individuals to choose to trust or do business with one of two websites (users could also choose “neither” or “indifferent”) based on the websites’ privacy policies. The results suggest that both current and supposedly user-friendly designs can manipulate and coerce users into making risky privacy choices: users overwhelmingly chose to trust websites with policies that were designed in graphical or user-friendly ways even when those policies contained invasive data use practices.

The paper concludes with a discussion of the implications of this research. Most notably, user-friendly designs are not always boons to consumers; effective design can manipulate users into making bad choices just as easily as they can enhance transparency. Deception is based on how the website deploys design strategies. Therefore, privacy regulators, including the Federal Trade Commission and state attorneys-general and legislators, must look at how websites design their privacy policies to determine if design is being used in such a way as to coerce users into making choices they would others not have made.

Suggested Citation

Waldman, Ari Ezra, Designing Privacy Policies (March 29, 2016). TPRC 44: The 44th Research Conference on Communication, Information and Internet Policy 2016. Available at SSRN:

Ari Ezra Waldman (Contact Author)

New York Law School ( email )

185 West Broadway
New York, NY 10013
United States
212.431.2864 (Phone)

Register to save articles to
your library


Paper statistics

Abstract Views
PlumX Metrics