How to build products with a privacy by design mindset

This article is part of the CX School series, where UX leaders share the most valuable lessons they’ve learned about building and delivering exceptional customer experiences.

Consumer privacy and security are among the most important issues facing financial institutions today. Of course, this is nothing new. These issues have always been top of mind for banks and credit unions. In contrast, the era of personalized, digital, and on-demand consumer services has been a comparatively recent pursuit for financial institutions, and a game of high stakes at that.

On one hand, financial institutions are under pressure to deliver today’s de facto standard of personalized experience (set by big tech); on the other, they hold consumer trust in high regard and are adamant about avoiding the pitfalls that some of these very same trailblazers have fallen into: treating immediacy, relevance, and convenience as a trade-off against consumer privacy and trust and, in the most extreme cases, wellbeing.

It’s no coincidence that we’ve recently seen the larger regulatory landscape shift toward greater consumer protection with the implementation of the EU’s General Data Protection Regulation (GDPR) in 2016, the California Consumer Privacy Act (CCPA) in 2018, and Brazil’s Lei Geral de Proteção de Dados (or LGPD) in 2020. This trend is only increasing thanks to the widespread adoption of digital.

Consumers should have full control over their data—without exception. As they engage with brands online, they should be protected at all times.

Financial institutions have built a solid reputation on their ability to do this. It’s why they already maintain such high levels of consumer trust. However, that isn’t always true of the fintechs they work with. Further, it raises the million-dollar question: how can financial institutions uphold the consumer trust they’ve earned, while keeping up with the fast-paced demand for anticipatory, adaptive, and contextually relevant digital experiences?

This paradoxical question is why I want to talk about Privacy by Design (or PbD, for short), and how it informs the products we’re designing and building here at Flybits.

Hopefully our approach can provide some insight into creating products that are engaging and valuable for both businesses and consumers, all while demonstrating empathetic and ethical design and privacy protection every step of the way.

Okay, so what is Privacy by Design?

To answer this question, let’s turn to the thought leader who created PbD: Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, a province in Canada.

Privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.

The PbD framework governs privacy, security, and ethics across IT systems, business practices, and design.

On the consumer side, it gives individuals control over their personal information, including how it is collected and used. On the business side, it ensures organizations are always privacy compliant. It also provides a sustainable competitive advantage, enabling organizations to build and cultivate trust with their customers.

To further clarify the PbD approach, Dr. Cavoukian created seven foundational principles that guide her framework. These are the tenets of PbD and they govern how all privacy-first organizations should operate.

The seven foundational principles of Privacy by Design

1) Proactive, not reactive; preventative, not remedial

The PbD approach addresses privacy infractions before the fact, not after. In that sense, it enables organizations to stay proactive about consumer privacy and security.

2) Privacy is the default setting

All personal data should be automatically protected. In other words, the user shouldn’t have to do anything to ensure that their privacy needs are met.

3) Privacy embedded into design

Privacy should be central to everything you do, and it should never come at the expense of functionality. This is important. As mentioned, the regulatory landscape today is constantly in flux. If privacy is simply an afterthought or an add-on, then your products aren’t likely to stay compliant. So, privacy needs to be considered first. It is foundational.

4) Full functionality—positive sum, not zero sum

No tradeoffs should be made to ensure your consumers’ privacy needs are met. That privacy should come at the expense of something else, like security, is a false dichotomy.

5) End-to-end security—full lifecycle protection

PbD ensures the secure lifecycle of information, from cradle to grave.

6) Visibility and transparency—keep it open

All operations should remain transparent to users. Additionally, providers must operate according to stated objectives.

7) Respect for user privacy—keep it user centric

Finally, PbD should always put the user first by offering comprehensive privacy default settings, notice, and enabling options.

Putting PbD into practice

Now that I’ve explained what Privacy by Design is all about and why it’s so important, I’d like to share just one example of the work we’ve been doing to bake privacy into our products here at Flybits.

The problem

As you’ve probably already noticed, your mobile operating system delivers a notification opt-in prompt whenever you launch a new app for the first time. It does the same thing for apps that use your location services.

They look a little something like this 👇

Generic opt-in prompt - Image

Again, this opt-in prompt comes from your mobile operating system, not the actual app.

Whenever a user launches a new app, they get that same grey opt-in prompt. And they get it only once, so if they choose not to receive push notifications from you, that’s it, you’re out of luck.

That is, unless they reconfigure their settings, which rarely happens, since it adds orders of magnitude more friction to the user experience. (Think about it: when was the last time you navigated to your mobile settings to change an app’s permissions?)

At first glance, opt-in prompts might seem like an insignificant aspect of the overall user experience. However, they form a critical first impression and set the tone for how consumers will engage with your app.

First off, they give users control over what data they’re willing to share with you—a central tenet of Privacy by Design.

Additionally, these prompts are generic and lack transparency. They do not inform the user of any clear value or benefits they’ll receive in return for granting access to their data (in the case of requesting access to location) and/or allowing recurring nudges for their attention (in the case of push notifications).

For consumers to fully take advantage of your app’s capabilities, you need them to opt in. If they don’t, your app engagement can decrease. This can lead to higher churn in the long run.

It also interrupts the user flow. It’s like the feature equivalent of the Kool-Aid man…

Kool-aid man, oh yeah!

And nobody wants that.

With all of these factors combined, can you blame your users for not opting in?

Finally, by providing UX-guided opt-ins in your app, you can demonstrate that privacy comes first.

I’ll show you what I mean below.

The solution

Customized opt-in prompts - Graphic

Our UX team created configuration files that client-side developers can easily integrate into their banking apps with Flybits.

Among other things, they include a UX-guided opt-in. Not only does it demonstrate the benefits users will receive when they opt in—it also includes more context about how their data will be used.

This is one of the first places in your app’s UX where you can demonstrate Privacy by Design in action. Beyond being fundamental to a PbD approach, it’s also an opportunity to build trust and credibility with your users.
