It’s time for cities to address “privacy fatigue” — they’ll need design help
New research shows the challenge of designing alerts that we can assess quickly without missing key information. As privacy notices move into the physical world, cities need solutions.
It’s a good time to be a design firm in California. An important one, too.
Last month, the state’s new consumer privacy law went into effect, requiring businesses to reveal the types of personal information they collect, and their purpose in doing so. The law is a notable step forward for data transparency and accountability in the U.S. — with a particular impact on cities, because in addition to digital properties like websites, privacy notices must appear in physical locations that collect data as well.
Businesses have a few months to get their act together before enforcement begins, and the initial rollout will likely be bumpy. Tom Simonite of Wired reports on some early peculiarities, which include a retail window notice posted at knee height (perhaps for customers in wheelchairs), and a dining notice nearly as long as a wine list:
This initial wave of new notices will be a great boost to public awareness of data collection happening in urban retail. That’s an important step toward getting a holistic picture of just how much collection occurs in public (and publicly accessible) spaces. It’s also a reminder of the broader issues of data governance, ownership, and access in cities that remain important areas of local policy focus.
But as the novelty wears off, we’ll be left with a lot of new alerts from private companies and data signage posted by public agencies, as well as all the digital pop-ups and notifications brought on by Europe’s recent General Data Protection Regulation (GDPR). In short, it’s a lot of messages, and there’s a real risk here of message fatigue. Instead of raising our privacy awareness, the notices might become white noise.
That’s where good design comes into play. But first, some history.
The problem of privacy fatigue
It’s been clear since the mad men era that the impact of a message diminishes the more you see it. One study of “advertising wearout” from the mid-1970s exposed people to a dozen brands, then asked them to recall the brands at various follow-up times. A month later, people who’d seen the ads twice recalled them even better than those who saw them just once. But people who’d seen them three times did worse than the group who’d seen them twice — as brains lost interest, messages lost impact.
There’s not much at stake in recalling an ad, but research has found that message fatigue sets in for warnings meant to protect our safety or health, too. It’s been documented in ads or messages related to obesity and safe sex, and it’s even been found in professionals whose job it is to heed such warnings. A 2013 study found that health care providers suffered notable “alert fatigue” over the course of a year, with each new weekly public health message reducing the odds of recalling that message by 41 percent.
Related studies reveal some important insights — namely, that boredom isn’t the only enemy here. A 2014 study of anti-smoking ads found that negative attitudes toward smoking increased after several repetitions but actually decreased after too many viewings (in this case, seven). This type of response, known as reactance, means that heavily repeated messages can become so irritating that some people don’t just ignore them, they actively oppose them.
Little surprise that researchers have found a similar pattern when it comes to matters relating to data security or data privacy. A 2018 survey found that “privacy fatigue” can overpower their concerns about the use of personal information. This helps explain the privacy paradox: many people say they value privacy, but when it comes time to consent, they don’t behave that way.
The most powerful demonstration of this effect came from communications scholars Jonathan Obar of York University and Anne Oeldorf-Hirsch of U-Conn, in work widely reported several years ago but only published this year. The researchers created a fictional social network called NameDrop, with a privacy policy and terms of service that should have taken 30 minutes and 15 minutes to read, respectively. The vast majority of study participants (74 percent) didn’t read either one, and instead chose to “quick join.” Those who did read the documents still only spent about a minute on each.
The kicker: 98 percent of study participants missed the fact that consenting to NameDrop meant agreeing to give up rights to their first-born child.
Tired minds, active consent
To be sure, the length and legalese of privacy policies have a lot to do with the privacy paradox. But message fatigue also plays a role. New research, based on GDPR requirements, suggests that a well-designed notification matters — but that even a strong design can get tiresome over time.
For the work, published this month, a group of researchers from Karlstad University, in Sweden, created four different consent screens consistent with GDPR requirements. The screens informed participants of the types of data being collected (e.g. birthday or email address) and its purpose (e.g. site access or updates), along with an affirmative consent button.
A control group encountered a simple screen with a little notice at the bottom for users to click “accept” or “reject.” Three other designs were more active in nature. A checkbox design required actively clicking boxes next to the data types and purposes. A swipe design required swiping to accept this information. A drag-and-drop design was most active of all, requiring participants to pick up the consenting piece of data and drop it elsewhere on the screen.
In all four groups, participants encountered the same consent screen 15 times during the course of the study. During each visitation, the researchers used eye-tracking tools to see where participants focused their attention, and later on they used follow-up surveys to get a sense of what participants remembered about the information on these screens. To make the usage as realistic as possible, the researchers didn’t reveal their focus on consent-related behavior until afterward.
In the initial phase, the drag-and-drop group was significantly more fixated on items related to data collection than participants in the other groups. Participants in this group also did a better job recalling what they’d shared than those in the control group (though not more than those in the other active design groups). Additionally, all three active groups showed significantly more fixation on aspects of data purpose than people in the control group.
So active design clearly boosted initial engagement with some critical information. But it wasn’t a total win: participants in the drag-and-drop group initially failed to notice dubious data usage (i.e. accessing user email to send randomized photos to friends) at similar levels to the control group. And in a subsequent phase, as people saw a dozen more sites, researchers found evidence of message fatigue across the board. The fixation differences, in particular, disappeared for all groups.
The researchers conclude that data policy content “needs to be designed with care, so that attention to substantial policy information is increased and not negatively affected.” They add (original emphasis):
The GDPR, in certain cases, such as for processing sensitive data, requires explicit consent. The explicit consent is achieved if users expressively confirm consent. Our results in Phase 1 showed that even with active engagement with the content, users missed the critical fields and gave their consent, which could have severe consequences on users’ privacy.
Designing for fatigue
If notifications all show the same essential message, quick consenting isn’t necessarily a bad thing — it’s certainly efficient. But message fatigue really matters as information gets more varied or collection more sensitive, and that’s likely to be tougher for physical notices than digital ones. A retailer and a restaurant might have the same website cookie pop-up, but the physical retailer could collect data a restaurant doesn’t, such as item-browsing behavior or shopping paths.
That’s the designer’s privacy paradox: How to convey critical information in a way that’s familiar enough to be quickly assessed, but active enough so as not to be missed.
Fortunately, there are loads of great precedents to work off. In the city space, New York’s health code grades, posted big and bold in every restaurant window, have greatly improved transparency. More broadly within retail, psychologists have explored ways to design nutrition information that’s more (yes) easily digestible. In similar fashion, some user experience designers have started to push for nutrition-style labels for privacy information.
To build on this foundation, Sidewalk Labs launched an initiative last year that aims to bring together design experts from around the world to co-create new types of clear, simple signage to help make data collection in public spaces more transparent and accountable. We recently began a second phase of this collaborative work and will report on its progress soon.
The time is certainly right for designers everywhere to push this effort forward. California is often a policy leader, and it’s not hard to see other local governments across the U.S. — and around the world — following its lead. Given the new law’s aim to protect residents outside California’s own borders, it’s likely that federal policy makers will eventually take up the matter, too. And more and more public agencies that collect data are recognizing their own need for clear messages, too.
So the privacy push is just getting started, and city residents and workers will now have to figure out for themselves what types of data collection they’re comfortable with in public (and publicly accessible) spaces. It’s too early to be tired.
Follow Sidewalk Labs with our weekly newsletter and our podcast, “City of the Future.”
