User Privacy and Design: Things You Can Do for a Safer Web

Online privacy is a hot topic.

There’s a delicate balance between providing personalized user experiences and asking for (or gleaning) too much information. It can be hard to strike just the right chord.

Then there are regulations to think about, depending on where you and your users may live.

What best practices can designers put in place to ensure that they are designing for a safer web?

Invest in Security

Let’s start with a no-brainer: Every website you launch should have a valid SSL certificate and use HTTPS.

Users have come to expect these measures – and I immediately bounce from a website that doesn’t have them. Browsers will warn you as well.

Here’s what it means for users: A security certificate is a data file that authenticates the identity of the website owner to help keep your data and information safer online. It’s a tool to help you know that the company or website you are sharing information with is who it claims to be.

Understand Privacy By Design

One of the most important concepts in website privacy comes from systems engineering. Privacy by Design is a framework designed by Ann Cavoukian in 1995 with teams in Canada, the Dutch Data Protection Authority, and the Netherlands. Published in 2009 and adopted a year later by the International Assembly of Privacy Commissioners and Data Protection Authorities, it calls for human values and privacy to be taken into account during the complete engineering process.

The seven principles are:

  • Proactive not reactive/preventative not remedial: Data privacy starts at the beginning of the planning process.
  • Privacy as the default: It should be at the forefront of what you do (restrict sharing, deletion policies, and opt-outs).
  • Privacy embedded into design: Use encryption and authentication, and test for vulnerabilities.
  • Full functionality: You don’t have to have less function for privacy.
  • End-to-end security: Privacy should follow data through to the deletion process.
  • Visibility and transparency: Share your privacy policy and information with users.
  • Respect for user privacy: Policies should be user-centric and evolving.

Create an Actual Privacy Policy

Do you have a privacy policy for your website or app?

When is the last time you looked at it?

When you dig deep here, you might find that the answer shocks you. Most website owners either don’t think about this policy at all or treat it as an afterthought.

As you connect new integrations, change marketing tactics, or even build a new design, the policy should come into play. (And you might need something more than just the default policy that comes with a new WordPress installation.)

Not sure where to get started? There’s a nifty generator here.

Put Someone in Charge of Web Data

Now take that privacy policy to the next level. Who in your organization is actually in charge of data and information collected from users? What do they do with it and how is it handled?

It’s a good idea to have a person charged with this task.

Provide an extra level of accountability by publishing the contact details of your company/website data protection official on your website.

Avoid Dark Patterns

Dark patterns are one of the sneaky privacy busters on the internet. Stay away from them.

If you aren’t quite sure what constitutes a dark pattern, you can get everything you need to know in our guide.

Dark patterns are website interfaces that cause users to interact with a website in a way that isn’t what they intended. They cause users to click through to a page, or even add an extra item to a shopping cart, without intending to.

Think about that ad you click on between turns in a game you play on your phone. The tiny “x” is so small, you can’t avoid tapping on the ad. That’s a dark pattern in action.

Only Collect Information You Need

A common flaw in website forms is collecting too much information and then storing it on your website. If you have a hack or data leak, all of that personal information becomes public.

One of the best solutions is to start by collecting only the information you really need. When someone is signing up for your email newsletter, do you really need their postal code or birthday? (If not, don’t ask.)

Then take data collection a step further. Where do you store it?

If you really do need that birthday, are you keeping this information in a safe location? How often do you download the database from your website to an offline location and purge the online version?

Create a policy that outlines what you collect, how you store that information, and for how long. A few simple processes can simplify how you think about data and make your website or app a safer location online for visitors.
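The newsletter case above in code, as an added example that is not part of the original article: a signup handler that stores only allow-listed fields, and a purge that enforces a retention window. The field names, the 365-day period and the sample records are assumptions.

```javascript
// Added example: field names, retention period and sample data are assumptions.
const ALLOWED_FIELDS = ["email"];   // the only field a newsletter signup needs
const RETENTION_DAYS = 365;         // assumed value; take it from your own policy
const DAY_MS = 24 * 60 * 60 * 1000;

// Keep only allow-listed fields and report what was discarded,
// so over-collecting forms show up in logs and can be trimmed.
function minimizeSignup(submitted, now = Date.now()) {
  const record = { collectedAt: now };
  const dropped = [];
  for (const [key, value] of Object.entries(submitted)) {
    if (ALLOWED_FIELDS.includes(key) && typeof value === "string") {
      record[key] = value.trim().toLowerCase();
    } else {
      dropped.push(key);
    }
  }
  if (!record.email || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(record.email)) {
    throw new Error("a valid email address is required");
  }
  return { record, dropped };
}

// Drop every stored record that is older than the retention window.
function applyRetention(records, now = Date.now()) {
  const cutoff = now - RETENTION_DAYS * DAY_MS;
  const kept = records.filter((r) => r.collectedAt >= cutoff);
  return { kept, purged: records.length - kept.length };
}

// Constructed sample input: a form that asks for more than it needs,
// and a store holding one stale and one recent subscriber.
const NOW = Date.UTC(2024, 0, 1);
const sampleSubmission = { email: " Reader@Example.com ", birthday: "1990-05-01", postalCode: "12345" };
const sampleStore = [
  { email: "old@example.com", collectedAt: NOW - 400 * DAY_MS },
  { email: "recent@example.com", collectedAt: NOW - 30 * DAY_MS },
];

function demo() {
  const { record, dropped } = minimizeSignup(sampleSubmission, NOW);
  const { kept, purged } = applyRetention([...sampleStore, record], NOW);
  return { record, dropped, keptEmails: kept.map((r) => r.email), purged };
}

console.log(demo());
```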

Allow Users to Control Their Data

Users should be able to control their data and how it is used.

Seems straightforward, but it is a very tricky issue. According to the Harvard Business Review:

“81% of consumers say they have become more concerned about how their data is used online. But most users continue to hand over their data online and tick consent boxes impatiently, giving rise to a ‘privacy paradox,’ where users’ concerns aren’t reflected in their behaviors.”

All you can do here is provide information and transparency about data collection and usage. For online accounts that users log into for access, you can provide a way to edit, adjust, or delete information.

If users don’t have access, note in a public-facing policy how users can ask for what data you have collected on them and how to have it deleted. (This is often part of many privacy policies.)

Regardless of how you do it, there is value in allowing users to control their information.

Follow the Toughest Guidelines

When in doubt about how to negotiate privacy online, follow the toughest guidelines you can find.

While GDPR is one of the most publicized sets of rules, there are others. These rules often apply based not just on where you are located but also on where your users are located, making it necessary to follow the strictest set of guidelines available if you have a wide audience.

It can be a little more work up front, but users aren’t going to complain if you protect their privacy more than you have to. That’s a good problem to have.


Your investment in a safer web comes back in terms of good karma. The more of us who take these best practices to heart, the safer the internet playground becomes for all.

It’s important to think about privacy, data collection and use, and how to create safer places online during the design process. Some of these best practices are technical while others are actually part of how to create and lay out content.

They all contribute to making you a better designer and online citizen.