Institute for Software Research
School of Computer Science, Carnegie Mellon University


A Design Space for Effective Privacy Notices

Florian Schaub, Rebecca Balebako*, Adam L. Durity**, Lorrie Faith Cranor

June 2015

To appear in the
Proceedings of the Eleventh Symposium on Usable Privacy and Security
(SOUPS 2015), 22-24 July 2015, Ottawa, Canada
Published by the USENIX Association.


Keywords: Privacy, Notice & Choice, Privacy Notices, Interface Design, Design Space, Usability

Notifying users about a system's data practices is supposed to enable users to make informed privacy decisions. Yet, current notice and choice mechanisms, such as privacy policies, are often ineffective because they are neither usable nor useful, and are therefore ignored by users. Constrained interfaces on mobile devices, wearables, and smart home devices connected in an Internet of Things exacerbate the issue. Much research has studied usability issues of privacy notices and many proposals for more usable privacy notices exist. Yet, there is little guidance for designers and developers on the design aspects that can impact the effectiveness of privacy notices. In this paper, we make multiple contributions to remedy this issue. We survey the existing literature on privacy notices and identify challenges, requirements, and best practices for privacy notice design. Further, we map out the design space for privacy notices by identifying relevant dimensions. This provides a taxonomy and consistent terminology of notice approaches to foster understanding and reasoning about notice options available in the context of specific systems. Our systemization of knowledge and the developed design space can help designers, developers, and researchers identify notice and choice requirements and develop a comprehensive notice concept for their system that addresses the needs of different audiences and considers the system's limitations and opportunities for providing notice.

19 pages

*RAND Corporation, Pittsburgh PA
**Google, Inc, Mountain View, CA
