Privacy policy

Minimising privacy risks through human-centred design practice.

Collaborating with Hive Legal to raise transparency, support people to understand crucial policies, and deep dive into data privacy.

Thanks to several high-profile data breaches around the world, data privacy is crucially important for most people. It’s equally important for businesses and private enterprise. Research shows the way you articulate your policies and approach to data privacy can seriously impact your bottom line.

According to statistics from the Office of the Australian Information Commissioner, 70% of Australians place a high level of importance on their privacy when choosing a product or service. At the same time, Australians are reportedly more likely to trust a website or service if they have read the privacy policy. So, your policy plays a crucial role in prospective customers’ ability to validate your credibility and build trust in your organisation.

However, only 20% of people are able to read policies and feel confident they fully understand them. Why’s that? Research from the Consumer Policy Research Centre suggests that we don’t have enough time (one study suggests it would take the average person 244 hours per year to read all privacy policies that apply to them), that we can’t understand them, or that they’re binary propositions: we either consent in full or refrain from using the service entirely.

As a result, according to surveys conducted by the OAIC, we want privacy policies that are easier to understand and that feature standard, simple language (as requested by 87% of survey respondents), a plain English summary (86%), and the use of supporting visuals as prompts (73%).



So, what makes for more effective policies?

Using principles of human-centred design, teams can make policies easier to understand and far more engaging, and drastically reduce risk. Here’s how:

How to apply human-centred design in policies

Human-centred design is based on four principles that can be applied in different ways depending on context.

Here’s how each principle can be applied in designing privacy policies or regulatory content:


Understand and address core problems.

What it means

Assess every potential challenge that your audiences experience.

How it can be applied in human-centred policy design

People don't engage with policies because of issues associated with access, comprehension, and perceived relevance. This creates risk for your organisation, in relation to both practicality (outdated policies can conflict with legislation, or even break the law) and perception (policies may misrepresent the way you operate and harm your reputation).


Be people centred.

What it means

Create and structure policy content in a way that resonates with the people who need to understand it.

How it can be applied in human-centred policy design

Write in easy English: that way, lawyers can understand the content, but so can laypeople. Create and publish two distinct versions of your policy: one for lawyers, and one for people who do not have a legal background. Use characters, colours, or other distinctive markers to help people distinguish and comprehend different sections of content.


Use an activity-centred systems approach.

What it means

Approach design with an appreciation of the context of wider systems and processes.

How it can be applied in human-centred policy design

Explicitly inform people as to how information will be used, by which systems or processes, and in what scenarios. Provide hypothetical examples so that people can ground theoretical content in something tangible.


Use rapid prototyping and testing.

What it means

Test any assumptions by building quickly, testing with users, and refining your approach.

How it can be applied in human-centred policy design

Design in conjunction with feedback from the people who will likely read the policy, and people who will maintain the policy. Use their feedback and insights to guide your approach and make decisions based on evidence.

Before and after comparison

There are two published versions of the August privacy policy: one 'standard' legal version (on the left) and one based on human-centred design principles (right).

Understanding the impact of this approach

Human-centred design intends to encourage a deeper level of engagement with privacy or regulatory content.

We have published two versions of the August privacy policy: one ‘standard’ legal version and one using human-centred design principles. The human-centred approach, with a greater emphasis on engaging visuals, storytelling, and accessible design, features in the top 10 most visited pages on the August website. For a content-rich site with hundreds of pages of in-depth, high-quality content, this is a huge achievement. It is exceedingly rare for a privacy policy to feature as one of the site’s most visited pages in any context, and this highlights the positive engagement that can be achieved using a human-centred design approach.

Further, the human-centred privacy policy has an engagement rate—as defined by Google Analytics 4—that is much higher than average. Again, this is exceptionally rare in comparison to standard privacy policies. It also has a high level of domain authority, meaning a high number of other sites contain links that point directly to the content. This suggests other organisations are actively promoting the page on their own site: another exceptionally rare feat for policy content.


Create policies that drive value

Privacy is critical. So is most regulatory content. If you want to create material that people actually read—to support your customers and protect your organisation—we’re ready to rock.

With the right approach, regulatory content can be compelling, impactful, and empowering. You don’t have to jump in the deep end, either. One single policy can test the way your audiences think and engage with content, to establish whether you can create something that delivers far more value: both for you and for them.
