Should You Design Websites with Privacy in Mind?

When building websites for clients, you usually have to juggle multiple priorities, from staying within the budget to presenting outstanding designs that your clients will love, to building out all of the features and functionalities that have been requested.

One facet of website design that many designers and clients overlook is meeting privacy-related requirements.

In this article, we will discuss why you should keep privacy in mind when designing websites, the concept of privacy by design, examples of best practices, and some tips so that you and your agency can build beautiful websites that also meet privacy requirements.

Disclaimer: The information contained in this article is provided for awareness purposes only, and should not be construed as legal advice. Consult your attorney for legal matters.

Why Should Website Designers Keep Privacy in Mind when Designing Websites?

If you have been working in the website design industry for more than five years, you may remember a time when privacy and website design did not intersect. In addition, you may wonder why you need to keep privacy by design in mind when building websites when this was previously not a concern.

The truth is that consumers are increasingly becoming interested in their privacy online. Ever since the Cambridge Analytica scandal, where the personal data of Facebook users was scraped and then used for targeting political advertisements, consumers have opened their eyes to the dangers of sharing personal information online.

In fact, consumers are pressuring legislators to pass privacy laws that would protect their privacy. In 2023, there will be six new privacy laws that go into effect, further expanding privacy protections and requirements. As more privacy laws pass, the privacy requirements for websites are increasing.

Second, some privacy laws, such as the General Data Protection Regulation and the United Kingdom Data Protection Act of 2018, require the protection of personal information and privacy by design and by default.

Such requirements include implementing appropriate technical and organizational measures that implement data protection principles such as data minimization and ensuring that only the personal information necessary to achieve specific purposes is collected.

These privacy laws can apply to businesses outside the European Union and the United Kingdom, and non-compliance can lead to heavy fines.

Lastly, having a privacy-conscious website can be a competitive advantage. For example, a recent study by Axios found that 93% of Americans would switch to a company that prioritizes privacy, so having a privacy-forward website can help your clients do better in business, which is a real win-win.

Who is Responsible for Website Privacy?

If you are building websites for clients, you may be wondering whether you are the one that is responsible for that website’s privacy practices. Considering the fines that can be imposed for violations of privacy laws, this is a very important question.

In an ideal world, your client would know all of the privacy requirements that they need to follow and would provide you with a list of exactly what you need to do to make their website compliant.

In reality, though, most clients do not even know that their website is collecting personal information such as names, emails, phone numbers, and IP addresses or that features such as analytics have been installed onto the website and thus make them subject to multiple privacy laws.

When determining who is responsible for the privacy practices of a website, the best place to look is the contract that you asked your client to sign before working on their project.

If the contract states that you will ensure that the website is compliant with all applicable laws, rules, and regulations, that means that you, as the website designer, will be responsible for privacy law compliance as well.

The best way to ensure that you are not responsible for compliance is to have a contract that says so.

In addition, since you are implementing the features that collect personal information onto the website, you should, at a minimum, let your clients know that such features exist.

As the website designer, you should also inform your clients that they need to take privacy seriously because it not only helps your clients but can help you protect yourself as well.

What is Privacy by Design?

Privacy by design is a concept that was codified by Ann Cavoukian. It ensures that the privacy of users is protected by integrating privacy considerations into development from the beginning of the project.

Privacy by design has seven Foundational Principles:

Foundational Principle 1:

Proactive, not reactive. Preventative, not remedial. Privacy by design anticipates and prevents privacy-invasive events before they happen.

As an example, let’s assume that you are designing a website that allows users to create an account. As people forget their passwords, a feature allowing them to reset their passwords is necessary.

On the reset password page, a system that notifies a user that they have registered with a different email could create a privacy violation, as scammers can run multiple emails through this page to determine who has an account on that website and then try to hack that account.

Not showing potential different emails used for registration is a great example of being proactive and using design to prevent privacy violations.

Foundational Principle 2:

Privacy as the default setting. Privacy by design seeks to deliver the maximum degree of privacy by ensuring that personal information is automatically protected without the individual having to take any action to preserve their privacy.

For example, users should not be opted into email marketing lists by default; they should have to affirmatively opt in if they want to.

Foundational Principle 3:

Privacy is embedded into the design. Privacy should be embedded into the design and architecture of IT systems and business practices and be an integral component of the core functionality being delivered.

Privacy should not be bolted on as an add-on. For example, when choosing plugins for the website, you should not pick plugins at random without considering the privacy impacts of such plugins.

You or your client should first make sure that any technologies that you install onto the website are privacy conscious before installing them.

Foundational Principle 4:

Full functionality – positive-sum, not zero-sum. Privacy by design shows us that it is possible to have privacy and security and create a win-win scenario.

For example, if you enable two-factor authentication for security, you can also preserve privacy by not adding the two-factor authentication information to a marketing list (Facebook recently got into trouble for such practices).

Foundational Principle 5:

End to end security – full lifecycle protection.

Privacy should start before the information is collected and should continue throughout the entire lifecycle of that information, through the collection, use, retention, and destruction of that information.

For example, many companies keep personal information forever, which can put them at risk of data breaches and make such data breaches more costly. You should discuss automatic data deletions with your clients so that personal information can be deleted after a certain period has passed from the date of collection.

Foundational Principle 6:

Visibility and transparency – keep it open.

Privacy features and settings should be visible and easy to find for users. In addition, companies need to have a comprehensive Privacy Policy that users can easily find.

For example, a link to a Privacy Policy in the footer of the website should be easily visible and should not be hidden with a color that is very close to the color of the footer.

Foundational Principle 7:

Respect for user privacy – keep it user-centric.

Privacy by design requires designers to keep the user’s interests uppermost by offering strong privacy defaults, appropriate notice, and empowering user-friendly choices.

You should ensure that the website gets consent for the collection, use, and sharing of personal information, provide accurate and up-to-date privacy information, and comply with all applicable privacy laws.

Implementing Privacy by Design Principles

Implementing privacy by design principles can be complex. However, there are a few privacy by design principles that are the most prevalent in websites:

1. Cookie Consent Banners: If a website has a cookie consent banner, that means that it needs to obtain consent for certain cookies under GDPR, UK DPA 2018, PIPEDA, and/or the ePrivacy Directive.

These laws require websites to provide users with an actual choice, meaning that there must be an “accept” and a “decline” button on the cookie consent banner. In addition, the “accept” and “decline” buttons must be visible to the user, and non-essential cookies must not be enabled until the user clicks “accept.”

Thus, if the cookie consent banner that you install on clients’ websites only has an “ok” button or states that “by using this website, we are assuming that you are ok with cookies”, then that banner is not compliant and should be switched to a banner that provides users with an actual choice.

2. Contact Forms: Privacy by design teaches us that privacy information should be presented to users whenever personal information is collected. In addition, multiple privacy laws can require websites to obtain consent whenever information is collected.

Thus, contact forms (or any other forms where personal information is collected) should have a checkbox to agree to the Privacy Policy. The checkbox should be unchecked by default, and users should be required to check it before clicking “submit.”

3. Links to Privacy Policies: Many websites combine a Privacy Policy and a Terms of Service onto one page and then link to that page within the website’s footer and title it “Legal” or “Privacy and Terms”.

Multiple privacy laws state that a Privacy Policy should stand independently and not be combined with any other information. Thus, you should ensure that a Privacy Policy and a Terms of Service get their own pages and links and are not combined under one link.

In addition, the links on the footer should be easily visible and should not blend in with the rest of the footer. You can achieve this by using different fonts and contrasting colors and increasing the font size so that users can easily see and access privacy information.
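The cookie consent banner requirements in item 1 above, as an added example that is not part of the original article: a gate that holds non-essential scripts until the visitor clicks "accept", and a check that a banner offers both visible choices. The class, function, category and cookie names are hypothetical.

```javascript
// Added example; ConsentGate, bannerProblems, simulateVisit and all cookie names are hypothetical.
class ConsentGate {
  constructor() {
    this.choice = null; // null until the visitor clicks "accept" or "decline"
    this.pending = [];  // non-essential loaders held back until then
  }
  // Essential loaders run at once; everything else needs an explicit "accept".
  register(category, loader) {
    if (category === "essential" || this.choice === "accept") loader();
    else if (this.choice === null) this.pending.push(loader);
    // After "decline" the loader is dropped and nothing is set.
  }
  accept() {
    this.choice = "accept";
    this.pending.splice(0).forEach((loader) => loader());
  }
  decline() {
    this.choice = "decline";
    this.pending.length = 0;
  }
}

// Audit a banner definition against the requirements in the text.
function bannerProblems(banner) {
  const visible = new Set(banner.buttons.filter((b) => b.visible).map((b) => b.action));
  const problems = [];
  if (!visible.has("accept")) problems.push("no visible accept button");
  if (!visible.has("decline")) problems.push("no visible decline button");
  if (banner.setsNonEssentialOnLoad) problems.push("non-essential cookies set before consent");
  return problems;
}

// Constructed page load: returns the cookies set for a given visitor choice.
function simulateVisit(choice) {
  const cookies = [];
  const gate = new ConsentGate();
  gate.register("essential", () => cookies.push("session"));
  gate.register("analytics", () => cookies.push("analytics_id"));
  if (choice === "accept") gate.accept();
  if (choice === "decline") gate.decline();
  gate.register("marketing", () => cookies.push("ad_id")); // script registered late
  return cookies;
}
```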

Final Tips

Fixing the above issues will help remedy privacy by design issues on many websites. The following is a list of final tips that you should keep in mind when designing websites for your clients:

  1. Make sure that the website is not collecting more personal information than what is needed;
  2. Help your clients choose privacy-focused alternatives to services commonly installed on websites such as analytics;
  3. Make sure that you are ready to help clients delete personal information and honor other privacy rights;
  4. Explain what services the websites will be using that collect personal information;
  5. Provide a way to gather proper consent;
  6. Keep privacy requirements in mind when designing and developing websites.

Privacy laws apply to businesses that collect personal information. Since no personal information is collected by the MainWP plugins, no privacy laws apply to the MainWP plugins. This includes GDPR, UK DPA 2018, PIPEDA, Australia Privacy Act 1988, LGPD, PIPL, and other privacy laws.
Donata Stroink-Skillrud
President of Agency Attorneys