Harrison Enoghayin
4 min read · Nov 18, 2021

"What did you say is Privacy UX again? 🤔"

"All I want to do is just create beautiful apps with good user experience and be taken care of...😌"

Well, not so fast, cowboy! Before you rush off to carry out user research, before you put on your analytical caps to chart your user flows, before you think of designing and prototyping, there's just one little (but important) consideration your creative juices need to think of... "Am I designing to protect or exploit?"

If you have been around the internet for a while, you will have noticed the universal shift towards more consent-centric privacy policies for personal data processing and handling. From Europe to America, more and more regulatory bodies are waking up to the responsibility of protecting the privacy rights of individuals and even corporate bodies in the wake of the Cambridge Analytica scandal.

Nigeria has not been left out of this trend. In 2019, we welcomed the Nigeria Data Protection Regulation (NDPR) from the regulatory body, NITDA (National Information Technology Development Agency). The principal purpose of the regulation is to lay a proper foundation for how personal data in the Nigerian web space can be processed and safeguarded against exploitative big data hunters.

The meat of the NDPR and every other data protection regulation (like the GDPR) is centred on three objects:

• How user data is to be collected;

• How user data is to be processed or handled;

• How user data is to be shared with third parties.

With that being said, as a Nigerian User Experience Designer (or UXer, as I have made up in my mind 🙃), you’re probably wondering how you’re going to be able to comply with all these bulky regulations and laws written in fine legalese. If this is your genuine concern, then have no fear, for I have broken down the practical steps to take in designing for compliance with privacy regulations.

What, then, is Privacy UX? Privacy UX, in my opinion, deals with all the deliberate steps taken by designers and developers alike to ensure that user consent is transparently obtained in a simple and fluid transfer of data from the user to the service, app or product in the user flow process.

In other words, Privacy UX simply means designing to obtain access to users' data in an unambiguous manner. With key words like “transparency” and “unambiguous” being used here, it should immediately evoke the thought that there are, indeed, very shady ways of obtaining and processing personal data.

While that is not the focal point of my conversation with you today, I would love to draw your attention to practical steps by which designers and developers can comply with privacy regulations.

The key considerations for better Privacy UX are:

  • Transparency: There is nothing quite as shady and distasteful as designers craftily deploying exploitative psychological practices to obtain consent from users, whether for lawful or unlawful purposes. The NDPR categorically provides under Regulation 2.3 that, where consent to personal data is being obtained, the data subject (user) must not be coerced, defrauded or mal-influenced to grant consent to a data controller (paraphrased). Thus, this author strongly advises that designers take on the responsibility of better Privacy UX by ensuring that any personal data exchanged during the onboarding process is given under the best circumstances of consent: the user is properly informed, in clear language, of the purpose for which their data is being collected, how that data is to be used and how it is to be shared.
  • Ability to Accept/Decline Cookie Settings: This author believes it is best practice and privacy-compliant for designers to ensure that, at every step of the way, users can elect to accept or decline, in part or in whole, any cookie settings. Users have the right not to be tracked for marketing or non-marketing purposes. Thus, designers should be at the forefront of championing better Privacy UX by shunning the practice of designing unmodifiable cookie settings. Users should have the option to opt in to their data being processed, or not.
  • Revocable Consent: The NDPR is strict on the ability of data subjects to give and revoke their consent at will. Notifications and permission requests must be designed with the concept of revocable consent in mind. As a matter of fact, one can say that when it comes to the subject of consent, consent once given does not mean always given. To this end, the author strongly advises that privacy policies and terms and conditions should be presented distinctly, on different screen pages. This will do well to clear any ambiguity as to whether consent can be revoked on an agreed Terms & Conditions page or a separate Privacy Policy page.

While these three considerations are not in any way exhaustive of the thoughts and processes designers should carefully put in place to comply with the NDPR, I hope that they will guide up-and-coming UX designers in navigating the complexities of understanding and designing for better Privacy UX.

PS: This is Part One of a three-part series on Privacy UX and Compliance.


Harrison Enoghayin

Harylaba, as he is fondly called, is a lawyer and product design enthusiast. His interests are in helping people solve problems and writing about tech stuff.