A. PROBLEM Traditional privacy notices feel impersonal and abstract. While they do disclose who handles data besides the website owner (like hosting provider or website analysis providers), it reads like a bureaucratic exercise rather than an introduction to actual people or organizations. Plus, it's often scattered across different sections, forcing data subjects to piece together the full picture themselves. B. SOLUTION & IMPACT Highlighting WHO handles data upfront creates a more personal connection than immediately tackling the technical details of WHAT happens. So I listed all key parties at the beginning: • Data subjects feel they're dealing with real people, not abstract data processing, shifting the relationship from corporate-to-user to person-to-person. • Trust increases when information is easily available while reducing information asymmetry. • Support inquiries about "who else sees my data" drop because proactive transparency answers questions before they're asked. https://static.wixstatic.com/media/005016_a762f3400d4e42e0a7c8c0e353b1be3f~mv2.jpg C. WHAT I LEARNED This challenge showed me that transparency is both about disclosure and sequence. The same information arranged differently creates different user experiences. Starting with people rather than processes transforms privacy notices from compliance documents into tools for building relationships.

A. PROBLEM Putting all key parties upfront (see previous Design Challenge 1) created a new problem: how to show multiple parties while reflecting their different levels of importance? This was my first design: First version with almost no visual hierarchy. https://static.wixstatic.com/media/005016_79ebe4fc11514cab94b942a1fad87a52~mv2.png The website owner (me) and the hosting provider appeared visually equivalent, creating two risks: data subjects might not know who to contact as the primary point of responsibility and it could suggest joint-controllership where none exists. B. SOLUTION & IMPACT Users aren't typically interested about legal labels like "controller" and "processor" (those stay in the Privacy Notice). They need to understand who plays the primary role and who to contact. So I focused on the factual importance of the parties using a three-tier approach: • Pink box and buttons for the website owner (me). The @ button provides direct contact, making the primary role actionable, not just visual. • Gray button (but no border) for my hosting provider that handles significant data infrastructure and content serving. • Grey text for nameless "others", covering less critical parties like website analysis or video provider. Strong visual hierarchy that mirrors factual importance. https://static.wixstatic.com/media/005016_18243d8cce0a4fbea7c0e6cbb90b24dd~mv2.png This approach keeps language legally neutral ("Who handles your data?" and technical roles like "Owner of Blankpage" or "Hosting provider") while avoiding rigid legal classifications that may vary by context. An entity might function as a processor in one situation but serve as a joint-controller in another, so it was better to focus on factual roles rather than legal ones. Data subjects interested in legal roles can still find them in the privacy notices of me and my service providers. C. WHAT I LEARNED Visual hierarchy is more than aesthetics. It's a tool to strengthening your legal position and manage risk. When used correctly, it helps data subjects understand the situation better and reduces misunderstandings. When done poorly, it can weaken your legal position, such as when data subjects mistakenly assume joint-controllership.

A. PROBLEM The Swiss privacy icons (https://privacy-icons.ch/en/)were meant to ensure transparency and become standard, but are hardly ever used. When I tested all the required icons, the result was overwhelming: 7 icons in 4 boxes! And there were other problems: the icons had too many design details and looked very similar, making them too complex for data subjects who have never seen them before. B. SOLUTION & IMPACT I decided to deviate from the Swiss privacy icons and use simple icons that data subjects are already familiar with (download arrow for data sources, upload for sharing/transfer, etc.). I combined them with more granular text like "Data sources: You and website analysis providers" so data subjects could understand immediately. Hovering over the boxes reveals more details (this will be addressed in the next Design Challenge 4). Replacing complex privacy icons with simpler and more intuitive icons accompanied by descriptive text. https://static.wixstatic.com/media/005016_03a8620ab9f64192ad9b75ffcc29b8b1~mv2.jpg C. WHAT I LEARNED Standards are meant to serve users, not the other way around. When a standard fails to achieve its goals, deviation can serve business objectives better than blind adherence. But you must be able to defend your decision and minimize risks: I paired simplified icons with descriptive text to ensure clarity, and the full Privacy Notice remains available for anyone questioning my approach.

A. PROBLEM Legal requirements require comprehensive disclosure, but information overload paradoxically reduces understanding. Data subjects either get overwhelmed or skip it. B. SOLUTION & IMPACT Different data subjects need different levels of detail, so I added blue "i" circles in the right corner and added a hover function: Key privacy topics in resting state. https://static.wixstatic.com/media/005016_02d03d6ad4f74bfe802d84a43f4ca8a3~mv2.png Data subjects can self-select their depth of engagement: quick scanners get essentials, detail-oriented data subjects get more comprehensive information when they hover over a box: Additional details revealed in hover state. https://static.wixstatic.com/media/005016_6fe275a137cc41859a165e8db612594b~mv2.png C. WHAT I LEARNED This showed me that legal design should anticipate user behavior rather than fighting it. Most people scan. That's just a reality. Instead of trying to force everyone to read everything, I built a system that works with scanning while still providing detailed information to those who want it.

A. PROBLEM Privacy notices typically frame companies as entities that data subjects need protection from. On the other hand, too much empowerment might create problems for companies, such as a flood of data subjects exercising their rights. B. SOLUTION & IMPACT The whole idea behind the Privacy Center was to empower data subjects to manage rather than just protect their data. • Manage cookies & similar tech: This box reflects a broader spectrum of possibilities, including benefitting from data processing. Positioning privacy as something data subjects can manage shifts the relationship from adversarial to cooperative. I also used this approach for my Privacy Notice (more information at Design Challenge 8). • Know your rights: I tested different formulations for the data protection rights box. Initially, I was so focused on user empowerment that I had "Use your rights". But this might have encouraged performative exercise of rights that would have benefited no one. So I decided on the more neutral formulation "Know your rights". This strikes a better balance between user empowerment and business interests. Strategic language design to empower data subjects while also protecting business interests. https://static.wixstatic.com/media/005016_aa43739e11a848bf9bdc1f32f7db33e3~mv2.png C. WHAT I LEARNED Especially this challenge taught me that effective UX privacy requires balancing three interests: empower users, meet legal requirements, and achieve business goals. UX design typically pushes for maximum engagement, but encouraging everyone to exercise their rights creates operational chaos where legitimate requests get delayed and nobody benefits. Legal requirements demand transparency, but using an empowerment language that's overly aggressive can undermine this. The solution is finding the intersection where all three interests align: informed choice without performative action.

A. PROBLEM Legal disclaimers often prioritize liability protection over user understanding. But this undermines the transparency they're meant to achieve. B. SOLUTION & IMPACT I wrestled with this for months without even recognizing the issue due to my legal training. Take a look at my previous versions of the Privacy Center at www.uxprivacy.world/project-privacy-center, where I used a formal disclaimer in gray and placed it below the Privacy Center: Disclaimer below the Privacy Center: "The PRIVACY CENTER provides a summary of key data processing activities and is not exhaustive. For comprehensive information please consult the Privacy Policies of Blankpage and our service providers (e.g., Wix.com). The PRIVACY CENTER does not modify or replace these policies. In case of any discrepancies, the Privacy Policies prevail." https://static.wixstatic.com/media/005016_e3402efa61fc40929f10ed9a18ee5bb4~mv2.png It took me three (!) versions to recognize that legal content often exists as a separate "legal world" that users can hardly benefit from, different from the friendly and simple tone modern companies use everywhere else. I wanted to integrate legal requirements while still achieving their purpose (in this case: limiting liability and directing data subjects to more details). So I decided to move it inside the Privacy Center and use more human language: Merging the legal with the user world by moving legal clauses inside the main interface. https://static.wixstatic.com/media/005016_4eab835a9a634f7a97c7eb4482ee1ac6~mv2.png I kept the precedence clause as a safety measure but tried to "save the situation" with a casual coffee reference at the end (insiders know that's also related to the café metaphor in my Privacy Notice). C. WHAT I LEARNED This challenge taught me that my legal training has created blind spots. For months, I didn't question placing the disclaimer outside the Privacy Center because that's where it "belongs". Then I recognized that the separation between the legal and the user world is a self-inflicted problem. There's no legal requirement that disclaimers must be gray, formal, and separate. That's just convention. And placing disclaimers outside the main interface signals "this is the boring legal stuff you can ignore". But if users skip the disclaimer, does it actually protect legally? Moving it inside the Privacy Center increased the likelihood users would read it (better legal protection) while maintaining an approachable experience to keep users engaged (better business outcome).