Abstract
A stark divide often exists between a policy’s goals and its implementation. This policy “implementation gap” signals a failure to take into consideration the complexity of a system or issue. Failure often results in policy that is a misfit for the issue of concern and is lacking in the hoped-for remedial or preventative impacts. This study explores policy prototyping as a remedy for policy failures in bills aimed at privacy protection. After selecting three privacy-related bills, we created prototypes that represented one of many ways that privacy policy could be translated into features in online platforms. Using the prototypes, we conducted 41 semi-structured interviews to gather feedback and insights on the challenges with the laws. Our findings illustrate how different roles emphasize protections, harms, and word choice when communicating levers of change like civil rights protections in law to privacy design elements. This solidified the opportunities to better bridge policy and practice by outlining common and distinct bill themes.
A stark divide often exists between a policy’s goals and its implementation (Bayrakal, 2006; Lawrence, 2015; Hudson et al., 2019). This policy “implementation gap” signals a failure to consider the complexity of a system or issue (Braithwaite et al., 2018). This failure often results in policy that is a misfit for the issue of concern and that lacks the hoped-for remedial or preventative impacts. Examples of the implementation gap are found in the proposed legislation aimed at mitigating harmful design in technology. The Filter Bubble Transparency Act of 2019 (FBTA), for instance, was an attempt by some members of the United States Congress to give consumers more control online by letting them opt out of filter bubbles created by “secret algorithms” in large-scale platforms (Robertson, 2019; Rodrigo, 2019). The FBTA was meant to force organizations to be more transparent about data visualization and empower people to opt out of personalization created through algorithms.
Instead, the FBTA was criticized for its vagueness and lack of practical implementability (Robertson, 2019). Essentially all major search, recommendation and social media platforms like Facebook and Twitter are “secret algorithms.” These platforms could not exist without them. It would be nearly impossible for a human to parse and manage the thousands of filters involved. Reports also highlighted that FBTA would not require platforms to explain how their algorithms work or prevent manipulative design patterns (Robertson, 2019). Although the bill was intended to mitigate manipulation or misinformation through social media personalization, there has been no proof that it could actually work as planned.
FBTA is one of many instances of regulatory failures, particularly as it relates to protecting individuals from wanton data collection and usage by tech firms. Concerns about data collection are particularly acute in connection to privacy, as well as the design of data collecting systems. A 2019 Pew Research Center study on American attitudes toward privacy and their personal information reported that 63 percent of survey respondents did not understand current data protection regulations (Pew Research Center, 2019). At the same time, 70 percent of Americans favored more laws aimed at protecting personal data. The request for more regulation has not been ignored. Over the past decade, legislators have proposed a number of bills for protecting privacy, including the California Consumer Privacy Act, Maine’s An Act to Protect the Privacy of Online Consumer Information, and Illinois’ Data Transparency and Privacy Act. These laws require transparency about data practices and aim to empower consumers by giving individuals the right to access and delete personal information and opt out of data sharing.
In spite of these laws, or perhaps because of them, companies continue to fail to be transparent about their data practices, resulting in a number of recent incidents. For these reasons, we embarked on a unique study to bridge the implementation gap by visualising media policy design regulations during the policymaking process—which is not a traditional digital-methods application of data visualization. We focused on draft bills, launched between 2018 and 2019, that are aimed at privacy and data protection and that involve or relate to deceptive design patterns and human interface design. The bills were chosen based on 3 criteria: 1) the bills represented voices from Congressional teams that have been engaged in privacy and data-related legislation, 2) the bills showed a variety of different policy approaches in terms of legal, advocacy and industry-driven levers, and 3) the bills were able to be prototyped visually in some way from abstract to concrete elements in the bill.
Using the draft bills, we brought together policymakers and practitioners to explore the impacts of translating legalese into product prototypes which mimic the design features and interfaces that billions of users interact with and are impacted by every day.
Simple design features can stem from the interpretation of policies that may create opportunities for data leaks, over collection of data, or even selling personal user data to third party companies for profit. These privacy violations indicate that legislation may not be achieving the outcomes desired, and/or that the laws allow too much flexibility in compliance and interpretation. Therefore, it is critical to explore the solutions various stakeholders recommend for mitigating these privacy and data governance issues. This study explores policy prototyping as a remedy for policy failures in bills aimed at privacy protection.
Background
The word “privacy” is without universal meaning. In the United States, the understanding of privacy is shaped by an 1890 Harvard Law Review article in which the distinguished jurists Samuel Warren and Louis Brandeis called for courts to recognize “a right to be let alone” (Warren and Brandeis, 1890). The two men were directing their ire at invasive news gathering techniques bolstered by emerging technology—at that time the instantaneous camera—and the harms of reporting on matters deemed personal. As at the turn of the 20th Century, technological innovations are again shaping our ideas of privacy, though the “data” may have changed, allowing organizations to make inferences from aggregated personal details (Eubanks, 2018; O’Neil, 2016).
Privacy regulation and societal needs
In the middle of the last century, Professor of Law & Government Alan Westin described the four states of privacy as “solitude, intimacy, anonymity and reserve,” (Westin, 2015: 5–6) all of which find a grounding in the ideas of individual choice and control much like Warren and Brandeis’ idea of privacy. A more modern approach to understanding privacy is that of Professor Daniel Solove who acknowledges that there are many different ways of understanding privacy, but that a pluralistic conception of privacy is beneficial (Solove, 2009). Instead of one definite construction of privacy, Solove offers a view of privacy as contextual. Professor Helen Nissenbaum further explicates privacy in sociotechnical systems as contextual integrity—requiring an understanding of social context and informational norms (Nissenbaum, 2009). Professor Anita Allen (2016) highlights “how individuals have a moral obligation to respect other people’s privacy but also their own” (Allen, 2016: 72), and explains how information privacy is “rendered utterly implausible by current and likely future Big Data practices” (p. 72). Within the scope of this study, we examine the importance of context—both an individual’s profession or industry, as well as private versus professional life.
The mechanism most often used to mitigate the impacts of voluminous data collection and to provide a measure of transparency as to organizational data practices is regulation. Privacy regulations are often expected to change, keeping up with ways that technology impacts people through instantaneous data capture, production and sharing. One example of how laws have changed as a result of the introduction of a new information-collecting device is demonstrated in the story of the camera. In the 1890s, women’s faces and bodies, more often than men, were “the subject of surreptitious photographs” used for commercial efforts (Igo, 2018). A result of litigation based on unauthorized use of a young woman’s photo was the 1888 Federal Bill to Protect Ladies to remedy unauthorized circulation of these photos (Lake, 2014).
More than a century later, data collection from facial recognition emerges as pervasive surveillance in our cities, compromising our privacy and digital rights. Capturing one’s face for advertising and other purposes is an invasive, exploitative, and one-sided transaction but the digital storage and processing of your likeness can lead to even more nefarious outcomes (Benjamin, 2019; Buolamwini and Gebru, 2018; Raji et al., 2020; Stark, 2019). In response to these impacts of advances in technology like facial recognition, advocates and concerned members of the public have demanded that data privacy-related policies change over time. In this study, we focused on proposed data privacy regulations that involve or relate to “dark patterns” and human interface design, proposed between 2018 and 2019.
Law, design, and policymaking
In response to common, deceptive and surreptitious data collection from organizations, both state and federal legislators have proposed an increasing number of draft bills aimed at protecting privacy. Many of these bills focus on data protection through the lens of design and human rights to privacy. By design, we mean proposed laws that focus in whole or in part on system processes and user experience. By human rights to privacy, we mean the human right to privacy of a natural person’s personal life, personal communications, private affairs, and personal thoughts or inner life. Both design and human rights to privacy are critical lenses in these bills as design features can help amplify or hinder these rights to privacy. For instance, a design feature used by many social media platforms is rating features such as up or down vote or “like” buttons. The visual element of a “like” allows the individual to bookmark information or to send a graphically based response to someone else’s post. At the same time, “likes” and their permutations provide organizations with data allowing for the creation of inferences about an individual’s affinities, including political affiliations (Kristensen et al., 2017), mood and emotions (Bazarova et al., 2015), and possible purchasing behavior (Zhang and Pennacchiotti, 2013), and can identify trusted people who could ultimately influence them. This data, then, has implications for how an individual may experience the site, from the advertisements shown to the kinds of content and posts they encounter—much of it in an attempt to persuade the individual to spend more time on these platforms and, therefore, disclose more data.
Dark patterns—designs aimed at persuading individuals to behave in desired ways counter to what might be beneficial to them (Gray et al., 2018)—have come under increased scrutiny with the rise of data collecting products and services. Called “dark” because people may not recognize the persuasive qualities of the specific design element, these features allow surreptitious manipulation of people (Bösch et al., 2016; Brignull, 2018). Additionally, the options that people may most desire (like deleting an account or unsubscribing their email) are sometimes obscured or hard to find. The purpose of the manipulation may be to force continuity in email subscriptions, to shame people into compliance, or to misdirect people to enable data mining and maximum data collection (Gray et al., 2018; Luguri and Strahilevitz, 2019). These actions, created through design, may conflict with someone’s preferred intentions with data sharing.
Design in general is motivated by a variety of factors from data collection incentives to profit models to desired individual behaviors and goals (Desjardins and Wakkary, 2013; Zhang, 2007). A design element itself is difficult to distill as “dark” or not, as the design often depends on the intent of the designer or institutional culture in which they are embedded (Bösch et al., 2016; Mulligan et al., 2020). However, people have questioned the motivations of organizations that appear to engage in human deception and covert data collection. The Norwegian Consumer Council reported, for instance, “This is particularly problematic given the power imbalances and information asymmetries that already exist between many service providers and their users” (Norwegian Consumer Council, 2018: 7) because the majority of users cannot make accurate assessments of the risks to their privacy. Placing a focus on privacy design reveals that processes of data collection are not created with an emphasis on individual privacy protection.
Human–computer interaction researchers have studied and created privacy design with a focus on improving individual awareness and behaviors (Schaub et al., 2015), by visualizing past personal privacy disclosures (Kolter et al., 2010). These include approaches like nutrition labels (Kelley et al., 2009), privacy icons (Efroni et al., 2019), and nudging (Acquisti et al., 2017) to improve individual choices online. Scholars like Helen Nissenbaum (2009) and others explored measuring and implementing the concept of privacy as contextual integrity (Barth et al., 2006; Kumar, 2018) and showed how it can be both measured and implemented in practice. In 2009, Ann Cavoukian (2009), the former Information and Privacy Commissioner of Ontario, Canada, created Privacy by Design (PbD)—a framework of 7 principles aimed at calling for privacy to be considered at all points of the systems engineering process. Though criticized as being vague as well as prioritizing the interests of corporations over the interests of consumers in understanding privacy by design (Van Rest et al., 2014), PbD principles have been codified in the European General Data Protection Regulation (GDPR).
There is momentum to explore the space of privacy, design, and policy through work across academia, the public, and private sectors. The context above outlines the creative work happening in this space and the types of impact the findings have on industry, social, and legal norms. We positioned this research to explore more of the impacts and responses on society as draft privacy bills continue to address features such as dark patterns and privacy by design and default. These related works have given us perspectives as well as grounding and jumping-off points to shape the research we are doing today.
Methods
Based on the motivations outlined in the previous section, we focus on one overarching research question:
RQ: How did policy and technology expert interviewees articulate the strengths and challenges of the proposed privacy legislation on creating accessible and intelligible regulation, when those bills are prototyped?
Age of interviewees.
Race/ethnicity of interviewees.
Gender(s) identity of interviewees.
Highest level of education completed of interviewees.
Beyond their bracketed job areas, we chose these individuals who are “in the weeds” of building and creating policies, laws, technologies, or designs, and may have some familiarity with the challenges of having to implement high level policies at a company or organization. The participants are mainly in fields of technology, media, scientific research, and communications. The policymakers all have interest in passing ‘good’ technology regulation, while the practitioners (engineers, product managers and designers) all have interest in building products and services that are used by their consumers and, for those in for-profit businesses, making income and amassing large user bases. For future research, we recognize the opportunity to improve the diversity, perspectives, and voices of the insights gathered.
Prototype of the SMART Act, shown to participants during interviews.
Prototype of OPA, shown to participants during interviews.
Prototype of COPRA, shown to participants during interviews.


To learn more about which bills we should choose, we spoke with several privacy advocacy professionals, staffers in Congress, and privacy researchers about which U.S. federal privacy bills to consider that may be impactful or include a variety of angles of regulation. We independently conducted a review on the latest U.S. Federal public draft bills from 2018–2020, which represent the convenings of the 115th and 116th U.S. Congresses. After selecting three bills to focus on, we created three prototypes that represented one of many ways that privacy policy could be translated into features in online platforms. For this research, we chose to design prototypes that challenged existing design paradigms on large social media platforms. This is because the bills often were geared toward large platforms as shown by some of their thresholds with revenue and consumer data collection which would not apply to smaller companies. Through these prototypes, we present alternative interfaces for these platforms, which challenge popular features like infinite scroll.
We conducted 41 one-on-one, semi-structured interviews to gather feedback, quotes, insights and challenges based on showing our design prototypes. Interviews spanned roughly 3 months between January and March 2020, and averaged 45–60 minutes. The interviews consisted of three main parts: summary of the bill, visual examples of some of the bill concepts, and privacy bill prototypes (Figures 1–3). This research explores perspectives about proposed legislation on people and organizations, and how the provisions of law could be designed for sociotechnical systems. The goal of this investigation is to provide a rich and detailed description of these various perspectives. We analyzed the interview transcripts and coded them using a constant comparative method (Boeije, 2002; Glaser, 1965). We first coded the transcript texts for themes that emerged. Themes were then grouped, with related themes organized into larger categories.
It is important to note that the goals of qualitative research do not include generalizability—the ability to extend the results of an investigation to a larger population of statistical significance (Smith, 2018). Qualitative research does, however, allow researchers to recognize patterns and describe fundamental processes, as well as to understand how an intervention functions in practice and/or what a concept, design, or word might mean to different people. In other words, these in-depth interviews help us uncover the possible reasons people think a certain way and what they may do in the context of a design interface—they will not determine exactly what people will do in every scenario.
We focused on data privacy policies that involve or relate to “dark patterns” and human interface design, launched between 2018 and 2019. From the bills that arose during this time period, we focused on 3 bills that relate to design and data in some capacity. We chose these bills based on the following criteria:
1. Represent voices from Congressional teams that have been engaged in privacy and data-related legislation. We wanted to choose bills that were produced by policymakers who had a strong track record of data privacy-related legislative efforts. This decision was informed by both speaking with people in Congress to get an understanding of who was seen as a leader in the space of strengthening privacy rights and doing landscape research to study the bill options.
2. Show a variety of different policy approaches in terms of legal, advocacy, technical and design perspectives. Legal choices in bill drafts can yield policies that have divergent implementations. We selected bills that included efforts to strengthen enforcement, directly trigger changes in platform design, establish a watchdog specific agency, and highlight no preemption of stronger state laws. We believe that an exploration of many avenues into strengthening privacy measures would be important to better understanding the different levers of change possible.
3. Able to be prototyped visually in some way from abstract to concrete elements specifically mentioned in the bill. We recognize that this criterion is obscure to measure. Since there are endless bill options, we wanted to focus our efforts on the ability to prototype some visual way that the bill provisions could look through a generic social media platform.
We specifically chose to prototype the impact of the bills on an individual’s experience with a social media platform, as opposed to a prototype using a website browser, with privacy policies specifically (this scope would be too narrow) or data collecting subject specific app (used for dating, healthcare management, fertility apps, etc.). Additionally, the language in many of the bills seemed to target large data collecting platforms like Facebook, Google, and Instagram. In the future, bills could be prototyped with other types of online data collecting platforms.
The bills we chose to analyze and interview participants about include a variety of perspectives about data collection and user experience with a technology.
1. The Social Media Addiction Reduction Act (SMART Act) introduced on July 30, 2019 by Senator Josh Hawley (R-MO). This Act bans infinite scroll, autoplay, and other addictive features on social media. This bill directly relates to design and human–computer interaction as it bans the use of user interface design elements that are built into products such as the “autoplay” button and infinite scroll on newsfeeds. Hawley’s team implies that these features directly impact users’ time via addicting elements that nudge users to continue using the platform more to share more data and create other mechanisms to monetize the service. The bill also requires clear choice to consent and strengthens the powers of the U.S. Federal Trade Commission and the U.S. Health and Human Services to ban similar practices. The goal of this bill is to give people more power to monitor and control their use time on social media.
2. The Online Privacy Act (OPA) was introduced November 5, 2019 by Congresswoman Anna G. Eshoo (CA-18) and Zoe Lofgren (CA-19). This Act focuses on creating individual rights (right to access, correct, or delete data), places clear obligations on companies, establishes a Digital Privacy Agency and strengthens enforcement through state attorneys general.
3. The Consumer Online Privacy Rights Act (COPRA) introduced on November 18, 2019 by U.S. Senate Commerce Committee Ranking Member Maria Cantwell (D-WA) and fellow senior committee members Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA). This Act focuses on three major categories of efforts. First, it establishes foundational privacy rights to empower consumers. Second, it improves data security, protects sensitive personal data and supports civil rights in the digital economy. Third, the Act focuses on “real enforcement and accountability measures.”
After selecting these three bills to focus on, we created visual prototypes through an iterative process. We sketched prototypes based on some of the key tenets outlined in the bill summaries and transformed physical sketches into a slide deck. We gathered preliminary feedback to ensure that the prototype is understandable and decipherable. This irons out key comprehension issues such as readability and misunderstanding features. These quick feedback sessions improve prototype sketches by building on constant feedback from people, generating new prototypes, combining ideas, etc. In the end, we captured five versions that we iterated through and presented the final versions to participants.
We asked all participants questions to understand what their perceptions were of the bill summaries and the prototypes. As we showed them the bill proposal summaries and visual concept definitions, we asked interviewees,
1. “Please speak aloud and narrate any thoughts, questions, or immediate reactions that come to mind. You might see a word, phrase or image that might provoke a thought or something related to your lived experiences. You are welcome to talk about that as well.”
2. As we showed them the prototype interface, we asked, “As you are viewing this, please speak aloud and narrate what is happening. How does the interface and the features you see here work in practice? Feel free to mention if certain features are confusing to you or stand out.”
3. From [YOUR INDUSTRY] standpoint, what is the feasibility of executing this policy? Feel free to comment on what stands out, what is frustrating, what works, what seems weird.
4. What are the strengths of this design?
5. What are the challenges of this design?
6. Does anything here remind you of what you’ve seen before?
Findings
In this section, we present perspectives of interviewees on the text and prototypes of the three bills. From the responses emerged themes about the bills’ similarities and uniqueness, as well as the visualizations of the design concepts.
Commonalities
Interviewees noted that the bills balance power through a variety of mechanisms. Policymakers have different perspectives through different pieces of legislation. One bill would not be a comprehensive solution to ensure privacy protections. “What we really need in privacy is an immune system,” (personal communication, February 7, 2020) said a data governance expert in healthcare. “The assumption is that everything gets through at least one part of the immune system—what you really want is enough interconnected layers so that it’s really hard to get through all of them.” Another participant who is a Public Interest Technology Fellow offered a similar insight. “I would take a multi-pronged and interdisciplinary approach, requiring the education of the public, oversight from elected officials and stronger legal protections for individuals,” (personal communication, January 21, 2020) she said. “What we need is to create new forms of power through an interwoven structure of laws that work symbiotically rather than competitively with one another.”
The policies provoke questions about how to improve existing privacy policy consent mechanisms. Many of these bills we examined from the period of 2018–2019 mention some attribute of making terms of service and data policies more readable. “Privacy [involves] implicit areas of consent. People are choosing to share what is in their comfort range [but] if data is sent elsewhere, does it align with them?” (personal communication, February 6, 2020) said one design expert participant regarding the idea of consent. The question turned to whether people will be informed about ways in which their expected understanding of the platform data use is different than the actual platform data use. The design practitioners interviewed noted a few methods: just-in-time features to notify individuals of changes, improving “general settings” modifications and focusing on “plain-language” with straightforward wording so people understand what they are agreeing to. One non-profit designer suggested a “global design pattern for accept and decline consent features” (personal communication, February 6, 2020) in order to create more shared language. In the context of data collecting vehicles and smart cars, a data governance expert highlighted an ongoing threat to consumers, “Cities and states around the country are trying to figure out how they can get access to the data and I think consumers have been left out of that conversation,” (personal communication, 30 January 2020) he said. Beyond improving consent on a design level, consumers must be incorporated into the decisions of data-collectors who are using their information for potentially nefarious purposes.
Participants noted that a common attribute of all of the bills was the need for further clarification and definition of key terms. Many of the people we spoke with highlighted some confusion about terms and how they would play out in practice. It is important to note that in some bills, the regulatory agency is given rulemaking powers to implement and interpret the law. This means that anything that is unclear under the language of the statute can be interpreted and defined through a regulatory rulemaking process by that agency. Laws would ideally be accessible and understandable. We want to avoid laws that are overly vague and only understood by people who are not necessarily legal, academic or technical experts. The SMART Act, for instance, bans the use of “addictive” features like autoplay and infinite scroll on social media, while at the same time failing to adequately define “addiction.” “...It seems odd to ban very specific interaction behavior,” (personal communication, 12 February 2020) one data security engineering expert told us. “I think this is hard to define and there are just so many corner cases including ways to work around these types of constraints, so specifically banning what currently are perceived to be the addictive aspects of social media would not be easily enforceable.” Interviewees also noted a lack of adequate definitions for the OPA and COPRA, particularly with the “duty of loyalty.”
Unique aspects of each bill
The Social Media Addiction Reduction Act (SMART Act)
This bill is framed less around “privacy” specifically and more around platform “addiction” and improving the quality of time spent on platforms. The SMART Act highlighted a number of design- and feature-specific recommendations.
Notice & Control
“Transparency with time limits makes sense to me,” (personal communication, 17 January 2020) reflects a technology product management expert after reading more details about the SMART Act. Depending on the design, “it may come off as more heavy handed than just transparency […] especially if they come off as forcing functions [or] reduce the quality of the app experience.” “People don’t like being told what to do, even if they’ve imposed their own caps,” (personal communication, 12 February 2020) a Director of security and privacy at an organization explains. “People just generally have a bad reaction to technology that tries to force a change in their behavior.” Additionally, limits to screen time may invoke a sense of “Protestant work ethic”—based in a desire to have people working instead of using social media. Industry practitioners face a tension between serving the best interests of the individual and coming off as paternalistic and controlling.
Specificity
Some of the sentiments related to notice and control also stem from another strong theme: specificity. For example, the bill suggests that platforms “[display] a conspicuous pop-up to a person not less than once every 30 minutes.” Many of the interviewees asked about the significance of 30 minutes. What research provoked that particular number? Who in power gets to decide these potential time limits? The bill also distinguished specific features to be banned including infinite scroll, auto refill, autoplay and badges and other awards linked to engagement with the platform. Policymakers and lawyers highlighted that specificity may help to more easily define terms, identify issues and regulate against harms. However, practitioners and researchers we interviewed made the point that there can be both positive and negative aspects of those features.
The Online Privacy Act (OPA)
Individual rights vs. Enforcement
The OPA highlights a list of individual rights to access, correct, port or delete their data. It also creates new rights such as data impermanence. Many of the interviewees responded positively to these rights and some reflected on how they have seen these provisions in the GDPR or even in their own online experiences. On the other hand, people questioned how these rights would be enforced or what would happen to marginalized populations that are often left out in some way. A law school professor and scholar noted that “the bill grants every American the right to access, correct or delete […] but impermanence is a tricky concept because we should be thinking about status when we think about impermanence.” (personal communication, February 6, 2020)
New ways to advocate for rights
This bill placed a strong emphasis on avoiding burden on the individual to navigate privacy protections on their own. Most notably, the Digital Privacy Agency would enforce rights and could “issue regulations to implement this bill and issue fines for violations.” Interviewees had mixed reviews on this approach. Some supported the effort, saying that we need institutionalized regulatory power in order to incentivize industry to change and better protect consumer data. Several other bill approaches, along with a few participants, suggest that the FTC could just expand its capabilities instead of starting up an entire agency from scratch.
The Consumer Online Privacy Rights Act (COPRA)
Privacy as a fundamental human right
This bill “set up a sort of privacy bill of rights for Americans while providing some stronger mechanisms of enforcement” (Laslo, 2019). A security expert and engineer mentioned that if privacy were a right, “it should be socially unacceptable to charge more for basic privacy or security functionality.” (personal communication, 23 January 2020). Access to tools and resources should not be restricted by cost barriers. This would require an industry shift in culture and norms around privacy and security. A Director of security and privacy at an organization mentioned, “These rights are so broadly defined, it’s not clear what I should be expecting from a browser, platform, or device level to actually see and expect.” (personal communication, 23 January 2020) This comment brought up questions about how the bill might impact what people see versus what they expect is happening behind the scenes.
Duty of loyalty
Many interviewees were confused by the term “Duty of Loyalty,” a concept derived from Jack Balkin (2015) on the responsibility of information fiduciaries, and wondered if a phrase like this would be actionable. A technology product management expert interpreted the term as the “duty to look out for the users’ perspective of their data” but caveated that “in some organizations that culture of conservatism is baked in while in others, not so much.” (personal communication, 17 January 2020) This bill sparked questions around how to define and maintain culture change to uphold values created through policy proposals. A design expert mentioned, for example, that “user research is necessary to understand what a term like duty of loyalty means in relation to individuals’ expectations” (personal communication, 23 January 2020) of some of the bill tenets. This bill lacked key definitions to help understand actual rights of individuals and responsibilities of organizations.
Discussion
Based on insights from interviews and from our own process of engaging various stakeholders in policy feedback, prototyping may be one relevant way to test draft data privacy-related policies before they are piloted and implemented for a broad audience. From the insights above, we offer the following recommendations while recognizing that these recommendations may not be as easily applicable for every policy, especially given the endless complexities and edge cases that may exist. However, prototyping is an especially relevant method when the draft policy impacts the design and development of products and services. What we describe in this section is a high-level process that may help clarify ambiguities and mitigate the risk of unintended consequences for individuals by raising challenges that may occur earlier in the implementation process. We also reflect on some of the strategies we employed and the learnings we gathered from this research experience.
Themes from Data Visualizations
One key theme that emerged from the process of questioning interviewees about the bill prototype was the need to incorporate the perspectives of various stakeholders with experience with the harm potential of data, collection, and usage.
Interviewees also advocated for direct collaboration with individuals and privacy minded experts in advocacy organizations, industry, academia, and government through an iterative policy process. This would ensure that technical standards, policies, and processes are clear and actionable for people to manage and protect personal privacy. One policymaker interviewee, for example, mentioned their team regularly reached out to tech industry contacts such as designers and engineers at the large technology organizations. These industry practitioners were able to respond to and share case studies and research with policymakers while bills were being drafted.
Another major theme from the interviews highlights a strong desire to link policy action to research and evidence; participants recognized the need for precision and evidence in the creation of legislation. First, policymakers need to articulate the specific problems and associated harms they are trying to solve. Second, it should be clear from both the bill language and public discussion that policymakers have consulted with the research investigating the outcomes of certain restrictions or modifications to ensure that the regulations that they are attempting to create are viable. The bill language does not always cite the problem, but when it does, say in a “Findings” section, it has almost no legal impact. Speeches, press releases, and, more importantly, committee hearings can be better tools to highlight the research to help create the case for more viable policy recommendations. In this case, it will be advantageous to consult with the research from various sectors to create laws that are well directed.
Recommendations
Solicit help from industry practitioners and community advocates (or similar) to design and test policies with low fidelity versions of prototypes—when relevant and possible. These prototypes can be of generic, bare bones websites, mobile applications, social media applications, and other related formats that specifically apply to key attributes of the bill text. Showing key stakeholders draft bill text for comprehension is one helpful aspect, but being able to present a visual that highlights certain bill features may invoke different insights that may be helpful to reflect when drafting policy. Direct feedback about what may and may not work may produce better bill related text. We acknowledge there are a number of programs, initiatives, and government teams that exist to work on tech policy and implementation. We suggest that policymakers integrate these resources into the legislative drafting process or embed this process and approach appropriately onto their teams. These programs, while in existence, are not all comprehensive for any policymaking body and may not be as widespread as they should be. Targeting audiences while legislation is drafted should be a critical factor in soliciting comments while drafting legislation or regulations. Policymakers should consider: who are the people who may be left out of this legislation? Whose perspectives might we not have that would be important to understand for this topic? In terms of threats and risks—how will this legislation be abused? How will various actors take advantage of it? Before launching policies publicly, policymakers may want to “test” the policies in small, low-risk, time-boxed environments that relate to the bill’s intended audience in a way that best fits the existing structures of the team. These efforts require more, but may mitigate risks by understanding in a time sensitive, low budget way.
We also recommend that policy teams make efforts to provide definitions and/or use industry recognizable language when drafting bills. These details impact how courts will translate violations into law. Noted one participant who was a lawyer and legal writer: “In drafting legislation and regulations, the crux of the matter is that language needs to be as specific as necessary but at the same time, as broad as needed. Litigation is so often about the meaning of an ambiguous law. Courts have to address what does the plain language of the text state or mean; if not easily apparent, then what is the legislative history, or what other sources can inform how the court should decide what the law means? Legislation that is not carefully but comprehensively drawn can lead to drawn-out litigation and years of confusion.”
This includes striking a balance of granularity in policy language. When policymakers use general language such as “Duty of Loyalty” or the “Right to Impermanence,” they should, when possible, include examples in the legislative history and common use cases of what this may mean or look like in practice. This is helpful to better understand more obscure topics without anchoring policymakers to information that is too specific. Based on the interviews we conducted with individuals both with and without privacy and/or legal expertise, the language in the three bills was vague and confusing or read as an overpromise, which may cause individuals to become immediately skeptical of whether the law will do as it promises.
At the same time, policymakers should avoid being overly specific. The level of specificity in bill language, if too granular, can be seen as arbitrary. For example, the SMART Act suggested that platforms “[display] a conspicuous pop-up to an individual not less than once every 30 minutes.” Respondents asked about power (“Who made the decision?”), about the rationale (“Why 30 minutes?”), and about the origin of the 30 minutes (“Where did the research from this come from?”). Policymakers should also “future-proof” language. Definitions of key terms are incredibly helpful, but some terms, if defined, may quickly become outdated due to evolving technologies. One policymaker we spoke with commented favorably on a term like “sensitive data,” which is difficult to define. A decade ago, people may not have considered geolocation data sensitive because it was not as pervasive and easily aggregated with other data points from platforms as it is now. This issue is further exacerbated in that many of the bills focus on one major aspect of data collection and privacy, usually the social, and neglect environmental data collection. It is important, then, for policymakers to use terms that may evolve with different data-related concerns.
Conclusion
Our findings illustrate how different roles emphasize protections, harms, and word choice when communicating levers of change like civil rights protections in law to privacy design elements. We analyzed how participants responded to the strengths and challenges of each of these bills and prototypes. This solidified the opportunities to better bridge policy and practice by outlining common and distinct bill themes. Above all, this research contributes to solving the ‘implementation gap’ issue by taking real, published draft bills and creating sample prototypes to unveil the types of questions, challenges, and opportunities that arise from written legalese to product features. For example, a policy that aims to enforce “clear and conspicuous” consent mechanisms may yield thousands of outcomes that land on a spectrum from user friendly and understandable to indecipherable to a variety of audiences. We took draft bills from policymakers and worked directly with practitioners like designers and engineers to talk through how they would translate these principles into practice. Translating the theoretical policy rules into development and user experience design is critical to addressing the implementation gap.
The findings of this project are subject to limitations.
As members of academic institutions, our immediate networks reflected our immediate circles, although we attempted to reach beyond these networks. Specifically, it would be helpful to recruit individuals with no degrees (or less than advanced college degrees), more people of color, and more people who self-reported little to no technical or data-related expertise. In addition, some of the insights would be strengthened by direct observation and/or participant observation, especially with hardware devices. Some of the prototypes could be administered as items people can use and touch to “test” some of the policy theories in a physical product or service.
Lastly, the bills we selected were a subset of many that we could have chosen affiliated with data collection in some capacity. During the two-year period between 2018 and 2019, members of Congress proposed several privacy and/or data protection bills. Any of these bills could have been fodder for privacy research. Future research, then, could examine the similarities and differences in foci of the many bills to understand the major privacy-related concerns of legislators during this period.
Acknowledgements
We thank Anna Chung and Pardis Emami Naeni.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
