Did you miss the Part 1 ? Check it

Privacy and UX - Part 1

Marison Souza

·

December 14, 2024

How Much Do We Invest in the Frontend?

Read full story

Continuing… but before, subscribe, it took too much time to build.

Even in a country that lacked a comprehensive data protection law until recently, Brazilian users have demonstrated high levels of mistrust regarding how companies handle their personal information. This has pushed businesses to place greater emphasis on user experience, while striving to build and maintain trust through transparency.

Interestingly, while Brazilians are among the most skeptical and concerned about data usage, they also exhibit a striking paradox: once trust is established, Brazilians become the most willing to share personal data without hesitation.

According to Figure 2 from the same GlobalWebIndex, 2019 study, Brazil ranks lowest globally when it comes to the desire to remain anonymous online or avoid personal data collection. This suggests that while mistrust is initially high, it can quickly transform into openness if companies succeed in demonstrating trustworthiness.

For businesses, this represents both a challenge and an opportunity. Establishing trust with Brazilian users requires consistent efforts in transparency, data security, and ethical handling of information. However, once that trust is gained, the reward is a user base more willing to engage and share personal data, enabling deeper personalization and stronger relationships.

The lesson here is clear: building trust isn’t just a legal obligation; it’s a strategic necessity in a market where users value transparency as much as the services they receive.

User Experience, Privacy, and Security: A Complex Relationship

According to a study by Security Magazine, users' expectations and behaviors regarding data security reveal important insights into the intersection of privacy, user experience (UX), and trust. In a free translation of the author:

• 52% of users would pay more for a product or service from a company with better data security.

• 54% of users feel worse about companies that suffer data breaches.

• 78% of users are cautious about a company's ability to keep their data secure.

• 52% of users consider security as an important or primary criterion when choosing a product or service.

• 90% of users expect to be notified within 24 hours of a data breach involving their information.

• 85% of users share their experiences, good or bad, publicly—33% on social media.

• 65% of users lose trust in a company after a data breach, and 80% would cancel services if harmed by such incidents.

User-Centered Design and Emotional Impact

User Experience (UX) and User-Centered Design have become central themes in the design world, as explored by Donald Norman (1986, 2004, 2006). UX extends far beyond graphical interfaces (UI) and considers a user’s emotional connection with a product or service.

Norman (2017) differentiates UI from UX as follows:

• UI pertains to the graphical interface with which a user interacts, where usability is a key attribute.

• UX encompasses a broader perspective, integrating multiple disciplines to deliver a high-quality experience.

According to the International Organisation for Standardization (ISO), usability is defined as the effectiveness, efficiency, and satisfaction with which specific users can achieve tasks in a particular design. This links ease of use to satisfaction, where satisfaction is seen as a technical, rather than sensory, attribute.

Nielsen (2003) expands on usability as a quality attribute, defined by:

• Ease of learning,

• Efficiency,

• Memorability,

• Error prevention, and

• User satisfaction.

However, Jordan (1998) highlights that satisfaction often focuses more on avoiding negative feelings like frustration rather than producing positive emotions like pride or joy.

Privacy and Economic Ethics

The more personalized the user experience, the greater the volume of user-generated data. This raises ethical questions about how companies use personal data for economic gain and the broader implications of storing and sharing such information.

As Doneda (2006) observes:

"Control over information has always been a key element in defining power within society. Technology specifically amplifies the flow of information, its sources, and destinations. What begins as a quantitative shift eventually alters the qualitative balance between power, information, individuals, and control... It is essential to examine how technological development impacts society and, consequently, legal frameworks."

Heuristic Analysis

Measuring the usability of an interface involves evaluating more than just its functionality; it also assesses the ease of use as a tool, with the primary challenge being reducing the time needed to learn the system (Nielsen, 1993).

These complexities highlight the need for a balance between security, privacy, and usability. Businesses must design systems that are not only secure but also intuitive, ensuring a seamless user experience while respecting ethical considerations and data protection standards.

Nielsen’s heuristics, while highly generic, can be tailored for specific domains such as personal data protection. This approach aligns with the article “Análise heurística para LGPD” by Priscilla Brito, which adapts Nielsen’s 10 heuristic principles to the context of data protection under Brazil’s General Data Protection Law (LGPD).

Here is a summary of the adapted heuristics based on Brito’s highlighted content:

1. Visibility of data processing
   Ensure users can easily see and understand how their personal data is being processed. Transparency should be embedded into the system's design, making processing purposes, duration, and recipients clear.

2. Data minimization
   Collect only the data strictly necessary for the intended purpose. Avoid unnecessary fields or excessive data collection in forms and workflows.

3. Security feedback
   Provide users with feedback about the security of their data. For instance, showing encrypted connections or informing users when data has been securely processed.

4. Error prevention in data input
   Minimize user errors by guiding data input (e.g., formatting phone numbers or IDs automatically) and validating information in real-time.

5. Control and freedom
   Allow users to easily edit, delete, or revoke consent for their data. Users should feel empowered to manage their data without complex procedures.

6. Recognition, not recall
   Avoid requiring users to remember detailed information about their data. Present them with clear, accessible summaries or dashboards that display collected data and consent history.

7. Flexibility and efficiency
   Design flexible systems that adapt to different user needs. For instance, allowing quick actions for experienced users while providing step-by-step guidance for new users.

8. Aesthetic and transparent design
   Ensure the interface not only looks clean and professional but also communicates data practices transparently. Simplify terms and avoid legal jargon.

9. Help users recognize, diagnose, and recover from breaches
   Provide users with clear, actionable steps if their data is exposed or compromised, such as offering breach notifications and mitigation options.

10. Help and documentation
    Make resources about data protection readily available within the interface, such as FAQs, tutorials, or easy-to-understand privacy policies.

By adapting Nielsen's principles to the domain of data protection, this heuristic framework can guide the development of user-centric systems that align with legal requirements while fostering trust and transparency. This approach not only enhances usability but also strengthens the relationship between users and organizations in the digital age.

GDPR and UX: Practical Guidelines for Data Protection

In her article "What GDPR Means for UX," UX and UI designer Claire Barrett outlines a clear set of guidelines her design agency follows regarding personal data protection. Below is a literal translation of her recommendations:

1. Users must manually and explicitly activate the collection and use of their data.

2. Users must consent to each type of data processing activity. (Author’s note: This applies if consent is chosen as the legal basis.)

3. Users must be able to easily withdraw consent at any time.

4. Users must have the ability to verify all companies, suppliers, and partners handling their data.

5. Consent is not the same as agreeing to terms and conditions; therefore, they should not be bundled together but presented separately with distinct interfaces.

6. While it’s good to ask for consent at the right moments, it’s even better to clearly explain how giving consent will benefit the user experience.

Barrett’s approach aligns with usability principles, further supported by Nogueira (2013), who defines six key criteria for evaluating usability:

• Ease of use,

• Ease of learning,

• User satisfaction,

• Productivity,

• Flexibility, and

• Memorability.

Applying Usability to Data Protection

These six criteria can also be applied to evaluating usability in the context of personal data protection. It’s important to note that this analysis extends beyond digital portals and systems to encompass the entire relationship between the individual and the organization temporarily managing their personal data.

By viewing the user as a partner in the success of the business, rather than merely a product, companies can foster a sense of trust and collaboration. Feedback plays a crucial role here—users must experience the impact of their actions, making informed and confident choices with fewer opportunities for error.

As Norman (2006) aptly notes, "This interaction is governed by our biology, psychology, society, and culture" (p. 16). These factors shape the way users engage with systems and how they perceive their control over data.

The Importance of Feedback and Trust

By integrating usability principles with data protection guidelines, businesses can reduce the perceived gap between themselves and their users. Empowering users through transparency, clear communication, and intuitive systems not only ensures compliance with regulations like GDPR but also strengthens user trust—an essential element for long-term success in today’s privacy-conscious world.

Personal Data Collection: Purpose and Compliance Under LGPD

One of the key changes introduced by the need to protect personal data is the treatment of data collection, as outlined in Article 3, Clause III, §1 of the LGPD. In the context of digital interfaces, data collection refers to any action performed by a website or system to capture an individual’s personal data, whether through forms, registration screens in applications, or the processing of electronic identifiers such as cookies and IP addresses.

The Principle of Purpose

The most evident shift concerns the purpose of processing (LGPD, Article 6, Clause I). Personal data collected by a website must serve a clear and explicit purpose that is easily understandable to users. This information must be conveyed in straightforward language, free of hidden terms or complex phrasing, so users can fully understand how their data will be used. The collection of data cannot be for vague, generic purposes or merely stored for potential future use.

Defining Personal Data

It is essential to distinguish personal data from other data processed by a system, as only personal data falls within the scope of data protection laws such as LGPD. According to Article 5, Clause I, personal data is defined as:

"Any information related to an identified or identifiable natural person, either directly or indirectly, by reference to a name, identification number, or one or more specific elements of their physical, physiological, psychological, economic, cultural, or social identity."

Examples of personal data include:

• Name

• Address

• Email

• Identification numbers (e.g., CPF or passport)

• Location data (e.g., GPS tracking)

• IP addresses

• Cookies

Personal data is not limited to directly identifiable information but also includes data that, when combined, can potentially identify an individual. Conversely, anonymous or anonymized data is excluded from this scope, provided it cannot be re-identified using reasonable technical means. If anonymized data can be reversed, it is then considered personal data.

Non-Compliance Example: Purposeful Collection

The example depicted in Figure 3 illustrates a seemingly simple and common form that fails to meet the purpose principle described in Article 6 of the LGPD:

"The processing of personal data must be carried out for legitimate, specific, explicit, and informed purposes, without the possibility of subsequent processing incompatible with these purposes." (LGPD, 2018, Article 6).

This principle underscores the need for good faith in data processing activities. Organizations must ensure that their data collection methods and forms are not only transparent but also compliant with the explicit purpose outlined to data subjects. Failure to adhere to these guidelines not only violates legal standards but also risks eroding user trust in the organization.

In conclusion, clarity and compliance with the purpose principle are fundamental to building trustworthy and legally sound systems for data collection in the digital age.

Do you want more of it ? Subscribe and wait for the final part in 2025.