Gimme some privacy

Navigating the design implications of new data privacy laws

I’ve been designing digital products for a long time. Everything from marketing sites to enterprise platforms. And for most of my career, questions about legal risk or liability were easy to deflect. We used our best judgment, made thoughtful decisions, and trusted legal to step in if anything looked risky.

Designers designed. Legal did legal things.

But recently, I became aware of how important it is for designers to understand new compliance regulations. I was asked by a client in a heavily regulated space about UX best practices that support their compliance. I muttered something about attorneys. Then, something about it being a platform issue. And I walked away knowing I needed to understand this better.

Laws like the CCPA and its amendment, the CPRA, now explicitly target dark patterns (interfaces built to subvert or impair a user's choice), hard-to-find settings, and vague cookie banners. Under the CPRA, consent obtained through a dark pattern doesn't count as consent at all. Which means the interface, the part we design, is now part of the legal story.

This isn’t just theory. In 2022 Sephora paid $1.2 million to settle a California enforcement action for failing to tell users it was selling their personal information and failing to honor their opt-outs, including the Global Privacy Control signal their browsers were already sending. The site didn't give users a real way to say no. That’s a problem.

No pressure, right?

But here’s the good news: this is actually a design opportunity. Good privacy UX builds trust, reduces confusion about what happens to people's data, and differentiates your product in the right ways.

Privacy laws show up differently depending on the situation:

Marketing Websites
Collect lead data and track user behavior for analytics and advertising

E-Commerce Platforms
Store and process personal and financial information tied to purchases

SaaS Products (Client-Facing)
Often handle business-critical user data, with varying roles and permissions

Internal Tools (Employee-Facing)
Manage sensitive employee data such as performance, health, or payroll

What good privacy design looks like

Here are five quick principles I use when reviewing designs for privacy:

  1. Clarity over complexity

    Users shouldn’t need a legal degree to understand what they’re agreeing to. Both GDPR and CPRA emphasize that information about data use must be clear, accessible, and written in plain language.

  2. Respect for user control

    Under both GDPR and CPRA, users have the right to decide how their data is collected, shared, or used. They must be able to say “no” just as easily as “yes”: GDPR requires that withdrawing consent be as easy as giving it, and the CPRA regulations call this “symmetry in choice.” A big “Accept” button next to a buried “Manage settings” link fails that test.

  3. Visibility and transparency

    Data collection must be disclosed at the point of interaction, not just buried in a privacy policy. The CCPA calls this “notice at collection”: tell people what you collect and why, right where you collect it. Transparency builds trust and prevents confusion.

  4. Minimize data collection

    Both GDPR and CPRA include a “data minimization” requirement—only collect the data you truly need for the purpose at hand.

  5. Make privacy controls persistent and easy to find

    It’s not enough to give users a one-time choice. They need ongoing control over their data: a way to review, change, or withdraw a decision later, from a place that's still easy to find after the banner is gone, especially when consent changes or regulations require action.
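To make principles 2 and 5 (and the Sephora lesson) concrete, here is a small consent-state model for a cookie banner. It is an added example, not code from this newsletter or from any product mentioned in it. It defaults to “no,” treats the browser's Global Privacy Control signal as an opt-out of advertising (that's the `navigator.globalPrivacyControl` flag in the browser, or the `Sec-GPC: 1` header on the server), makes “reject all” cost exactly one call like “accept all,” and lets a settings page change the decision later. The purpose names, the stored-object shape, and the script filenames are assumptions for illustration.

```javascript
// Added example (not the author's code). Purposes and tracker names are assumed.
const PURPOSES = ["analytics", "advertising"]; // strictly necessary cookies need no consent
const TRACKERS = { analytics: ["analytics.js"], advertising: ["ads-pixel.js"] }; // assumed names

// Principle 1 in code: nothing optional runs until the user has actually decided.
function defaultConsent() {
  return { analytics: false, advertising: false, decidedAt: null, source: null };
}

// Stored consent is only trusted if it has the shape we wrote; anything else is treated as "undecided".
function isValidConsent(stored) {
  return stored !== null && typeof stored === "object" &&
    PURPOSES.every((p) => typeof stored[p] === "boolean") &&
    typeof stored.decidedAt === "number";
}

// Effective consent = stored decision (or default-deny) with the GPC signal applied on top.
// GPC is a recognised opt-out of sale/sharing under the CCPA/CPRA regulations, so it
// overrides a stored "yes" for advertising even if the user once clicked Accept.
function effectiveConsent(stored, gpcSignal) {
  const consent = isValidConsent(stored) ? { ...stored } : defaultConsent();
  if (gpcSignal) {
    consent.advertising = false;
    consent.source = consent.source ? consent.source + "+gpc" : "gpc";
  }
  return consent;
}

// Principle 2: "yes" and "no" are symmetric, one action each, same shape of result.
function acceptAll(now) {
  return { analytics: true, advertising: true, decidedAt: now, source: "banner" };
}
function rejectAll(now) {
  return { analytics: false, advertising: false, decidedAt: now, source: "banner" };
}

// Principle 5: a settings page that stays reachable can flip any purpose later.
// Unknown purposes fail loudly rather than silently enabling something.
function updateConsent(current, changes, now) {
  for (const key of Object.keys(changes)) {
    if (!PURPOSES.includes(key)) throw new Error("unknown purpose: " + key);
    if (typeof changes[key] !== "boolean") throw new Error("non-boolean choice for " + key);
  }
  return { ...current, ...changes, decidedAt: now, source: "settings" };
}

// The single gate that decides which optional scripts may load. Because trackers
// are only ever loaded through this function, none can run before a decision.
function allowedScripts(consent) {
  return PURPOSES.filter((p) => consent[p]).flatMap((p) => TRACKERS[p]);
}

// Walk-through on constructed inputs: first visit, accept-then-GPC, later revocation.
function demo() {
  let stored = null;                                   // nothing stored yet
  let consent = effectiveConsent(stored, false);
  const firstVisit = allowedScripts(consent);          // []

  stored = acceptAll(1000);                            // user clicks Accept...
  consent = effectiveConsent(stored, true);            // ...but the browser sends GPC
  const withGpc = allowedScripts(consent);             // ["analytics.js"] only

  stored = updateConsent(stored, { analytics: false }, 2000); // later, from settings
  consent = effectiveConsent(stored, false);
  const afterRevoke = allowedScripts(consent);         // ["ads-pixel.js"]

  return { firstVisit, withGpc, afterRevoke };
}

console.log(JSON.stringify(demo()));
```

The point of the shape is that the banner, the settings page, and the GPC header all feed the same `effectiveConsent` function, and the only place trackers get loaded is `allowedScripts`. A design review can then ask one question: is there any path to a script tag that doesn't go through that gate?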

Want to go deeper?

I put together a white paper that breaks all of this down, including checklists and examples for each kind of site. It’s written in plain English, no legalese. Just reply to this email and I’ll send you a copy.

P.S.
If you’re working in healthcare, financial services, or anywhere that compliance matters and you want your UX to be part of the solution, not the risk, let’s talk.