UX Privacy • Nadine Rinderknecht

UX DESIGN & PRIVACY

Compliance that doesn't feel like legalese.

Turning privacy compliance from a necessary burden into a competitive advantage through genuine user understanding.

Privacy Center

Privacy Notice

Explore my projects

Projects

Privacy Center

Privacy essentials living in the footer of your website.

Play the video

Description

Most people won't read long legal documents, which creates trust problems when important information feels hidden or hard to find. The Privacy Center turns static legal documents into an interactive overview with practical guidance directly in the footer. The complete Privacy Notice is just a click away for those needing more information.

This approach builds trust through transparency, cuts down on support questions by answering common privacy concerns upfront, and shows that privacy compliance can become a competitive differentiator while competitors hide behind legalese.

Key features

Interactive disclosure with clear visual hierarchy, giving users essential information without overwhelming them.

Familiar icons (rather than Swiss privacy icons) with more detailed information for better understanding.

Integration of legal text such as disclaimers into the Privacy Center using humanized language while staying legally sound.

For the check-the-box lovers

Privacy Chameleon Points

Meet the Privacy Chameleon! The higher the points, the more compliance transforms into a core business differentiator. Details in the FAQs below.

Legal innovation process

Every time I visited a website, I'd see those privacy notice links at the bottom and think "Yeah, like anyone's reading that." But people do care about their privacy. They just don't have time to work through pages of legal text to figure out what's happening with their data. So I created the Privacy Center. This is the story behind some of my legal design challenges.

PROBLEM

Traditional privacy notices feel impersonal and abstract. While they do disclose who handles data besides the website owner (like hosting provider or website analysis providers), it reads like a bureaucratic exercise rather than an introduction to actual people or organizations. Plus, it's often scattered across different sections, forcing data subjects to piece together the full picture themselves.

SOLUTION & IMPACT

Highlighting WHO handles data upfront creates a more personal connection than immediately tackling the technical details of WHAT happens. So I listed all key parties at the beginning:

Data subjects feel they're dealing with real people, not abstract data processing, shifting the relationship from corporate-to-user to person-to-person.
Trust increases when information is easily available, reducing information asymmetry.
Support inquiries about "who else sees my data" drop because proactive transparency answers questions before they're asked.

Key entities right at the beginning.

WHAT I LEARNED

This challenge showed me that transparency is both about disclosure and sequence. The same information arranged differently creates different user experiences. Starting with people rather than processes transforms privacy notices from compliance documents into tools for building relationships.

PROBLEM

Putting all key parties upfront (see previous design challenge) created a new problem: how to show multiple parties while reflecting their different levels of importance? This was my first design:

First version with almost no visual hierarchy.

The owner and the hosting provider appeared visually equivalent, which could mislead data subjects about their roles. This visual equality created two risks: data subjects might not know who to contact as the primary point of responsibility and it could suggest joint-controllership where none exists (which would complicate liability and compliance obligations).

SOLUTION & IMPACT

Data subjects aren't interested about legal labels like "controller" and "processor" (those stay in the Privacy Notice). They need to understand who plays the primary role and who to contact. So I focused on the factual importance of the parties using a three-tier approach:

Pink buttons and black border for me, the website owner. The pink @ button provides direct contact to me, making the primary role actionable, not just visual.
Gray button (but no border) for my hosting provider that handles significant data infrastructure and content serving.
Grey text for nameless "others", covering less critical parties like analysis provider and sub-processors.

Visual hierarchy mirrors factual importance.

This approach keeps language legally neutral ("Who handles your data?" and technical roles like "Owner of Blankpage" or "Hosting provider") while avoiding rigid legal classifications that may vary by context. An entity might function as a processor in one situation but serve as a joint-controller in another, so I focused on factual roles rather than legal ones. Data subjects interested in legal roles can still find them in the privacy notices of me and my service providers.

WHAT I LEARNED

Visual hierarchy is more than aesthetics. It's a tool to strengthening your legal position and manage risk. When used correctly, it helps data subjects understand the situation better and reduces misunderstandings. When done poorly, it can weaken your legal position, such as when data subjects mistakenly assume joint-controllership.

PROBLEM

The Swiss privacy icons were meant to ensure transparency and become standard, but are hardly ever used. When I tested all the required icons, the result was overwhelming. 7 icons in 4 boxes! And there were other problems: the icons had too many design details and looked very similar, making them too complex for data subjects who have never seen them before.

SOLUTION & IMPACT

I decided to deviate from the Swiss privacy icons and use simple icons that data subjects are already familiar with (download arrow for data sources, upload for sharing/transfer, etc.). I combined them with more granular text like "Data sources: You and website analysis providers" so data subjects could understand immediately. Hovering over the boxes reveals even more details (this will be addressed in the next Design Challenge 4).

Replacing complex privacy icons with simpler and more intuitive ones.

WHAT I LEARNED

Standards are meant to serve users, not the other way around. When a standard fails to achieve its goals, deviation can serve business objectives better than blind adherence. But you must be able to defend your decision and minimize risks: I paired simplified icons with descriptive text to ensure clarity, and the full Privacy Notice remains available for anyone questioning my approach.

PROBLEM

Legal requirements require comprehensive disclosure, but information overload paradoxically reduces understanding. Data subjects either get overwhelmed or skip everything entirely.

SOLUTION & IMPACT

Different data subjects need different levels of detail, so I added blue "i" circles in the upper right corner and added a hover function:

Key privacy topics in resting state.

Data subjects can self-select their depth of engagement: quick scanners get essentials, detail-oriented data subjects get more comprehensive information when they hover over a box:

Additional details revealed in hover state.

WHAT I LEARNED

This showed me that legal design should anticipate user behavior rather than fighting it. Most people scan. That's just a reality. Instead of trying to force everyone to read everything, I built a system that works with scanning while still providing detailed information to those who want it.

PROBLEM

Privacy notices typically frame companies as entities that data subjects need protection from. On the other hand, too much empowerment might also lead to problems for companies, such as a flood of data subjects exercising their rights.

SOLUTION & IMPACT

The whole idea behind the Privacy Center was to empower data subjects to manage rather than just protect their data:

Manage cookies & similar tech: This box reflects a broader spectrum of possibilities, including benefitting from data processing. Positioning privacy as something data subjects can manage shifts the relationship from adversarial to cooperative. I also used this approach for my Privacy Notice, visit Design Challenge 8.
Know your rights: I tested different formulations for the data protection rights box. Initially, I was so focused on user empowerment that I had "Use your rights". But this might have encouraged performative exercise of rights that would have benefited no one. So I decided on the more neutral formulation "Know your rights". This strikes a better balance between user empowerment and business interests.

Strategic language design to empower data subjects while also protecting business interests.

WHAT I LEARNED

Especially this challenge taught me that effective UX privacy requires balancing three interests: empower users, meet legal requirements, and achieve business goals. UX design typically pushes for maximum engagement, but encouraging everyone to exercise their rights creates operational chaos where legitimate requests get delayed and nobody benefits. Legal requirements demand transparency, but using an empowerment language that's overly aggressive can undermine this. The solution is finding the intersection where all three interests align: informed choice without performative action.

PROBLEM

Legal disclaimers often prioritize liability protection over user understanding. This undermines the transparency they're meant to achieve.

SOLUTION & IMPACT

I wrestled with this for months without even recognizing the issue due to my legal training. Take a look at my previous versions of the Privacy Center at www.uxprivacy.world/project-privacy-center, where I used a formal disclaimer in gray and placed it below the Privacy Center:

Disclaimer below the Privacy Center: "The PRIVACY CENTER provides a summary of key data processing activities and is not exhaustive. For comprehensive information please consult the Privacy Policies of Blankpage and our service providers (e.g., Wix.com). The PRIVACY CENTER does not modify or replace these policies. In case of any discrepancies, the Privacy Policies prevail."

It took me three (!) versions to recognize that legal content often exists as a separate "legal world" that users can hardly benefit from, estranged from the friendly and simple tone modern companies use everywhere else. I wanted to integrate legal requirements while still achieving their purpose (in this case: limiting liability and directing data subjects to more details). So I decided to move it inside the Privacy Center and use more human language:

Merging the legal with the user world by moving legal clauses inside the main interface.

I kept the precedence clause as a safety measure but tried to "save the situation" with a casual coffee reference at the end (insiders know that's related to the café metaphor in my Privacy Notice).

WHAT I LEARNED

This challenge taught me that my legal training has created blind spots. For months, I didn't question placing the disclaimer outside the Privacy Center because that's where it "belongs". Then I recognized that the separation between the legal and the user world is a self-inflicted problem. There's no legal requirement that disclaimers must be gray, formal, and separate. That's just convention. And placing disclaimers outside the main interface signals "this is the boring legal stuff you can ignore". So UX design forced me to ask: if users skip the disclaimer, does it actually protect legally? Moving it inside the Privacy Center increased the likelihood users would read it (better legal protection) while maintaining an approachable experience to keep users engaged (better business outcome).

GET THE FULL STORY

SEE THE REAL PRIVACY CENTER

Privacy Notice

Empowering users with a privacy notice that doesn't put them to sleep.

Play the video

Description

Traditional privacy notices are legal documents dressed up as user information: dense, technical, and written primarily for compliance rather than comprehension. This Privacy Notice breaks down complex privacy information into a step-by-step guide that users can actually follow and understand.

This approach cuts legal risk by making sure users understand what they're agreeing to, builds trust through transparency, and shows how legal compliance can work with user experience instead of against it.

Key features

User empowerment alongside compliance. Includes conversational tone, step-by-step format, and actionable tips on managing privacy that users can apply to other websites as well.

Two-layer structure where each section opens with café analogies to explain privacy concepts and why they matter, and then describes how data is used.

Familiar café theme makes legal concepts easier to grasp. Includes café explanations and themed icons (trash bin for erasure, takeaway bag for portability, etc.).

Privacy Chameleon Points

Legal innovation process

I used to think privacy notices just needed simpler language. But watching people try to read them, I realized the real problem wasn't the words. It was the format. Dense paragraphs of legal text don't match how people actually process information. This is the story behind turning a legal document into an empowering blog post.

PROBLEM

Companies tend to treat compliance as something separate from business identity rather than integrating it into it. This results in friction and missed opportunities: privacy notices that feel like foreign elements, clash with brand voice, interrupt user flow, etc.

SOLUTION & IMPACT

Design Challenge 6 about the disclaimer outside the Privacy Center has already shown that the legal world is often separate from the user world. I solved this problem by integrating the disclaimer into the Privacy Center and using more human language. But the current Design Challenge 7 will show that integrating the legal world can go much further...

I've a blog called Blankpage that focuses on empowering readers through practical tips in IT law. So I took all the minimum legal requirements and integrated them into my "Blankpage identity". The result was a Privacy Notice that mirrors the rest of my website:

blog post format,
step-by-step structure,
actionable tips,
same URL structure as my other blog posts (www.blankpage.world/post/privacy-notice), and
prominent placement on the homepage alongside all other blog posts (instead of hiding a link in the footer).

A privacy notice that has truly been integrated into my "Blankpage identity".

Privacy compliance became a chameleon. I integrated it into my unique identity rather than following standard legal templates. Instead of sitting outside business processes, it enhanced them by:

reinforcing Blankpage's educational mission,
keeping readers engaged longer on the site,
making maintenance easier (same CMS, same voice, same structure, etc.). No translating between legal and brand language.

From this Design Challenge I later developed the Privacy Chameleon Framework, a tool to assess where clients sit on the UX privacy maturity spectrum and deliver the right solution: from compliance fixes to strategies about competitive differentiation. The FAQs below will tell you all about it.

GOOD TO KNOW

The Privacy Chameleon Framework works beyond privacy notices such as terms of service, cookie banners, consent flows. Potentially all legal work that a company seeks to turn into a competitive advantage using UX design.

PROBLEM

Privacy messaging typically focuses on "we protect your privacy". This positions the company as the guardian and data subjects as protégés. This, however, doesn't reflect users' desire for control and informed choice.

SOLUTION & IMPACT

Empowerment instead of protection: First, informational self-determination includes the right to consent to data processing, not just to refuse it. It's much more nuanced than is usually portrayed in privacy notices. Second, my website Blankpage is built around empowering users. So I moved from "we protect your privacy" to "how you can manage your privacy". Empowerment means showing all options: from privacy protection to data sharing (to receive benefits). This is best reflected in Step 8 of the Privacy Notice about managing logs, cookies, and similar technologies (including Tip 6 below) as well as Step 9 about exercising data protection rights.
Empowerment beyond my website: Since my website follows standard practices, my tips can be used on other websites too. I state this explicitly upfront in the introduction so data subjects recognize they're learning transferable privacy management skills (e.g., evaluating privacy notices, managing cookies and similar technologies, and exercising rights). It's not just about understanding one site's notice.

This tip acknowledges that users have different values and lets them find their own balance.

Users who understand their options typically make better decisions. They're more likely to consent when they know why you're asking and what they'll get in return. This means less box-ticking compliance and consent that'll actually hold up if challenged.

WHAT I LEARNED

Empowerment-based privacy should be aligned with brand values. This approach works best when user empowerment or privacy is core to the brand, whether that's teaching how to innovate (like Blankpage), products that give more technical autonomy over data, or services built on user agency. For these brands, privacy is more than just legal protection and users value engagement over quick transactions. For other brands built on convenience or fast-checkout, presenting privacy as a learning opportunity leads to friction rather than empowerment.

PROBLEM

Privacy notices hide behind formal statements, creating a distance between the company and the data subjects. This reduces trust and makes privacy notices feel cold and impersonal.

SOLUTION & IMPACT

I wanted my Privacy Notice to feel like a knowledgeable friend walking a data subject through privacy concepts over coffee, so I:

Used storytelling to create a more relaxed atmosphere. Data subjects could immerse themselves into a cozy café. Plus it made abstract privacy concepts memorable, helping data subjects retain and apply what they learned.
Added concrete and actionable tips to make it more empowering. Example: "Tip 3: Don't get lost in Wix's privacy notice. Pay special attention to the sections about users-of-users (that's you: you're using my site, which uses Wix's services)."
Distanced myself from legal jargon while still being able to become more precise and use legal terms when it mattered. Example: "Since I decide why and how your data is processed, I'm what data protection lawyers call the 'data controller'."
Introduced myself at the beginning ("Hello, nice to meet you! I'm Nadine Rinderknecht, the person behind Blankpage") and added a picture of me. When privacy notices feel like they're written by faceless corporations, data subjects approach them more defensively, looking for problems, assuming the worst. But when someone introduces themselves with a photo and speaks directly to you, you feel like a real person is accountable and you're more inclined to engage with the content. This shifts the dynamic from suspicious to cooperative. Have a look at the image right below.

Putting a face and personality to data processing right at the beginning makes the notice feel approachable rather than defensive.

GOOD TO KNOW

This approach is highly tailored to Blankpage's educational mission. For a fintech startup or e-commerce platform, you'd keep the personalization but swap the café for a metaphor that fits your context (like a financial advisor for fintech, or a trusted shopkeeper for retail). The principle stays the same: make privacy feel human and accountable. But the execution should feel native to the brand, not borrowed from someone else's playbook.

PROBLEM

Privacy laws require disclosing complex concepts like "international data transfers" and "data controller", but these terms are abstract and disconnected from everyday experience. Data subjects struggle to visualize what these concepts mean in practice, which defeats transparency.

SOLUTION & IMPACT

Since everyone understands how cafés work, I used that experience to explain unfamiliar legal concepts. When "international data transfer" become "overseas coffee suppliers following the same safety standards", data subjects immediately grasp both the concept and why it matters. So I added:

The sections "Coffee break: Why care about this step?" in each step to reduce cognitive load and give data subjects insight through storytelling before they tackle more complex legal texts.
Café metaphors integrated into the legal text to clarify important concepts. Example: "While no system is 100% secure (just like our café), these measures can significantly reduce privacy risks."
Café-themed icons (trash bin for erasure, takeaway bag for portability, etc.) make data protection rights in Step 9 of the Privacy Notice easier to understand and more memorable. You can see them in the image below.

Café-themed icons like open doors for access, trash bins for erasure, and takeaway bags for portability increase user understanding.

WHAT I LEARNED

This challenge taught me that choosing the right metaphor is a strategic legal decision, not a creative one. I could've used any familiar framework: a post office, a library, a bank. But cafés signal warmth, accessibility, and everyday trust. Banks signal security but also distance and formality. The metaphor shapes how data subjects perceive the entire relationship with their data and their data controller. And this influences whether they approach it cooperatively or defensively.

PROBLEM

Privacy laws require comprehensive disclosure, but they don't require

that this information is presented in an actionable manner. So traditional privacy notices often bury guidance within legal text and data subjects struggle to understand what they should actually do with this.

SOLUTION & IMPACT

Data subjects need actionable guidance, not just descriptions, so I moved tips front and center and used:

1. Visual hierarchy through numbered formatting with key insights in bold to make tips visually stand out from the rest of the text. This signals higher importance and makes them easier to find. For example:

2. Actionable framing of standard information, turning passive descriptions into actions users can take. For example:

3. Explicit formulation to manage expectations without undermining trust. At first, I focused so much on communicating more clearly to better manage expectations that I risked losing users' trust. My first draft:

But this formulation undermined the empowerment I'd built throughout the entire notice. Users invest time learning about their rights and then hear those rights might not work. So I started with a neutral legal context instead of rejection and added a café metaphor to make restrictions more relatable. My solution:

WHAT I LEARNED

This challenge taught me that the gap between legal compliance and user comprehension is mostly a design problem, not a legal one. Privacy laws set the floor (what must be disclosed), but there's no ceiling on how useful that disclosure can be. Adding visual hierarchy and actionable language doesn't require changing what's disclosed. It just requires thinking about disclosure as communication, not documentation.

SEE THE REAL PRIVACY NOTICE

Curriculum Vitae

Discover what else I've done besides this website.

About me

Most privacy design treats legal compliance as a fixed constraint to make prettier. That misses the opportunity. Turning privacy into a business differentiator requires rethinking what the law permits, not just what it requires, and implementing that with UX design. You need both: privacy law and UX design.

That's exactly what I do. I studied law at the University of Zurich with a focus on IT law, then specialized further with an LL.M. in Technology, Media and Telecommunications Law at Queen Mary University of London. Now I'm applying UX design skills. I'm what you might call an

"IT-shaped lawyer": someone who uses interdisciplinary thinking to turn legal requirements into experiences people want to use.

I've also put these UX principles into action with my CV. Have a look!

Key features of the CV

Blue clickable boxes highlight key credentials for faster scanning and let users jump straight to the websites.

Card design for projects and blog posts uses visual hierarchy to spotlight the most important work, while keeping everything else in simple text.

Call-to-action at the bottom turns the CV into a website landing page. Interested users can explore my websites, blog posts, and projects that reveal my personality and thinking style beyond credentials.

Click to see my full CV

FAQ

Frequently asked questions

Why is UX design so important in legal practice?

UX design transforms legal services into clear, efficient experiences that benefit law firms, their clients, and end users.

Legal practice often assumes complexity equals thoroughness, but this mindset costs firms clients, efficiency, and competitive edge. When legal services use UX principles, they create value for the whole legal ecosystem.

The law firm stands out in competitive markets

UX-designed legal services make the firm differentiate itself by offering modern experiences rather than outdated, confusing ones. This attracts clients who value innovation along with expertise. This also reduces liability when clients actually understand what they're signing, preventing disputes and malpractice claims.

Clients turn problems into profits

Clients understand their options without endless meetings, make decisions faster, and feel like active participants instead of passive recipients. They're more engaged and give better input when they understand what's being asked.

Client's users get practical tools

When firms design for end users – customers reading terms, employees implementing policies, teams using contracts – these users get legal frameworks that work in practice. They understand and follow policies, implement requirements without constant questions, and use legal documents as practical tools rather than obstacles.

What's the Privacy Chameleon?

A framework that adapts privacy compliance to privacy maturity.

Today's privacy compliance feels like it comes from another world. While everything else in digital business uses modern design, legal text still uses outdated language, minimal visual design, and a structure that hasn't changed in decades. Users have privacy experiences that feel different from the smooth interfaces they expect everywhere else.

This disconnect isn't just bad for users. It's bad for business. When privacy compliance ignores UX principles, it creates friction, confusion, and missed opportunities. Companies end up with privacy compliance that feels like a legal artifact rather than part of how they actually operate.

The Privacy Chameleon Framework solves this by bringing UX design into privacy compliance ("UX privacy"). Instead of treating privacy as a tedious check-the-box exercise, it integrates privacy into user experience across three levels: Privacy Clarity, Privacy Usability, and Privacy Differentiation.

The Privacy Chameleon Framework reduces legal risks. But it also creates competitive advantage by turning privacy from a necessity into a strategic business asset that helps users understand, reduces friction, and positions the organization as a leader in privacy.

Deep dive: What's the Privacy Chameleon Framework?

Privacy clarity

1 point

Privacy compliance as legal protection with clear language and design that users can understand.

Target group

Clients who want legal protection while keeping UX design efforts to a minimum. The goal is to meet legal requirements, avoid fines, and focus resources on core business.

Strategy

Identification of current UX patterns that create legal risks or don't meet requirements. Transformation of compliance into clean, easy-to-scan formats that meet requirements without confusing users.

Examples

Privacy notices with clear language and short paragraphs.
Cookie notices with icons for different cookie types.
Training materials with visual hierarchy and critical compliance points highlighted in color.

Privacy usability

2-3 points

Privacy compliance as functional user experiences that users find intuitive and engaging.

Target group

Clients frustrated with privacy processes that hurt conversions, create support tickets, and start disputes. The goal is to build privacy that works smoothly and reduces friction.

Strategy

User journey optimization and privacy touchpoints that feel empowering rather than intrusive. This includes progressive disclosure, interactive elements, and making value clear.

Examples

Interactive employee trainings with progress tracking.
FAQs answering common privacy questions.
Visual data mapping tools for compliance teams.

Privacy differentiation

4-5 points

Privacy compliance as a core business differentiator that users see as integral to the privacy brand.

Target group

Market leaders that see privacy as a competitive advantage and want to set new standards for privacy experience in their industry. Attract privacy-conscious users, build trust, and drive the business forward.

Strategy

Integration of privacy compliance into purpose, positioning, and presentation of the company. This makes privacy experiences feel native to business identity rather than an add-on.

Examples

Privacy center in the footer that turns static legal documents into engaging transparency tools.
Privacy notice transformed into a blog post and placed on the homepage with all the other blog posts.
Onboarding transparency about privacy that feels like a regular product feature.

Can I travel to your other website?

Yes, just use the wormhole!

I also created www.blankpage.world, a blog with tips about legal innovation. Learn how to build your unique practice style and intellectual capital in IT law. Time to become a legal innovator.

Contact

Your next step? Write to me

Questions about this website?

Interested in exchanging ideas?

Suggestions for a blog post?

1. Adding a more personal touch

2. Creating visual hierarchy to avoid joint controllership

3. Deviating from Swiss privacy icons

4. Building the layered-interactive approach

5. Balancing empowerment with business interests

6. Integrating the legal into the user world

7. Turning compliance into a chameleon

8. Shifting from privacy protection to privacy management

9. Becoming a helpful friend

10. Using the framing of a well-known café

11. Putting tips front and center

Your next step? Write to me

Questions about this website?

Interested in exchanging ideas?

Suggestions for a blog post?

.