<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>CEUR Workshop Proceedings</journal-title>
      </journal-title-group>
      <issn pub-type="ppub">1613-0073</issn>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Towards an Approach for Designing Responsible Privacy Heuristics</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Beatriz Pontes da Costa Reis</string-name>
          <email>beatriz.pontes.da.costa.reis@ut.ee</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Mohamad Gharib</string-name>
          <email>mohamad.gharib@ut.ee</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>University of Tartu</institution>
          ,
          <addr-line>Tartu</addr-line>
          ,
          <country country="EE">Estonia</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2016</year>
      </pub-date>
      <volume>13333</volume>
      <fpage>92</fpage>
      <lpage>98</lpage>
      <abstract>
        <p>Privacy compliance is a major business and societal requirement, deeply embedded in organizational business processes, for legal entities handling Personal Information (PI). Regulations mandate these entities to implement privacy protection mechanisms (privacy solutions) within their business workflows and inform data subjects (DSs) about PI processing. However, DSs often struggle to understand relevant information and effectively use these mechanisms, leaving their privacy vulnerable. This disconnect underscores the social and human aspects, where organizational processes intersect with the cognitive and behavioral capacities of DSs. Consequently, ensuring compliance is not solely a technical or procedural task: it requires designing processes that support human understanding, decision-making, and trust. Privacy heuristics offer a potential solution by assisting users in making informed decisions. Yet, their design is complex, prone to bias, and, if done irresponsibly, may lead to unethical or manipulative outcomes. This paper addresses these challenges by developing an approach that offers design principles to guide the design and evaluation of Responsible Privacy Heuristics (RPHs) for usable privacy-aware systems or solutions. These principles aim to guide the creation of privacy-aware systems that empower users, respect autonomy, and enhance informed decision-making. By embedding these principles, organizations can better align privacy mechanisms with human needs. We demonstrate the applicability of our approach through a practical example.</p>
      </abstract>
      <kwd-group>
        <kwd>Usable privacy</kwd>
        <kwd>Responsible privacy heuristic</kwd>
        <kwd>Privacy Engineering</kwd>
        <kwd>Privacy-aware systems</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>CEUR
ceur-ws.org</p>
    </sec>
    <sec id="sec-2">
      <title>1. Introduction</title>
      <p>legal obligations to safeguard data subjects (DS) and their privacy. These laws aim to protect DS
and prevent the mismanagement of their PI—including misuse, excessive processing, improper
storage, and unauthorized third-party sharing [8].</p>
      <p>Although legal entities handling PI are required to provide DSs with privacy protection
mechanisms and disclose how their PI will be processed, the responsibility of understanding
this information and effectively using these mechanisms still falls on DSs [9]. This poses a
challenge, as users have varying levels of digital literacy and may struggle with the legal jargon
found in privacy policies or cues.</p>
      <p>This challenge reflects a broader issue concerning the need to consider social and human
aspects when designing and managing processes involving PI. Business processes traditionally
focus on efficiency and compliance, but when it comes to privacy, they must also account for the
psychological and behavioral dimensions of user interaction. Users are not merely endpoints in
a process; they are active participants with diverse expectations, preferences, and vulnerabilities.
Failing to address these aspects can lead to disengagement, mistrust, or even harm.</p>
      <p>A promising solution is the use of heuristics, more specifically, privacy heuristics that can
help users make informed decisions and take appropriate actions [10]. However, designing
privacy heuristics is complex and prone to bias [11]. More critically, if not designed responsibly,
they may influence the DS's judgments or decisions in a manner that is considered unethical,
immoral, or socially irresponsible.</p>
      <p>This paper aims to address and mitigate this burden by developing an approach that offers
design principles to guide the design and evaluation of Responsible Privacy Heuristics (RPHs)
for privacy-aware solutions. These principles aim to empower users, uphold their autonomy
and self-determination, and facilitate informed decision-making.</p>
      <p>The remainder of this paper is structured as follows: Section 2 outlines the research baseline,
while Section 3 explores both unethical and ethical design patterns. Section 4 introduces our
approach, detailing the methodology used in its development. Section 5 demonstrates its
applicability, and Section 6 concludes the paper with a discussion on future work.</p>
    </sec>
    <sec id="sec-3">
      <title>2. Baseline: Heuristics &amp; Privacy Heuristics</title>
      <p>Heuristics, often described as “rules of thumb” or “mental shortcuts”, aid faster decision-making
[12, 11]. While broadly defined, they are commonly seen as problem-solving methods that do
not guarantee optimal solutions [11]. They help with both ill-defined and well-defined problems
by reducing cognitive effort [10]. Heuristics can be instinctive (automatic) or deliberate, with
experience transforming one into the other over time [11].</p>
      <p>Heuristics play a key role in online privacy, especially in PI disclosure, where they are termed
Privacy Heuristics (PHs). Sundar et al. [13] classify PHs into three decision-making contexts:
Personal (self-protection or self-reward in disclosure), Social (influence of group dynamics),
and Technological (interface elements shaping behavior). Vincent et al. [14] propose six
superordinate PH classes: Prominence (credibility and trust), Network (social influence), Reliability
(trust in design and consistency), Accordance (alignment with beliefs), Narrative (impact of
storytelling), and Modality (influence of new technologies).</p>
      <p>In short, privacy heuristics simplify privacy decisions by enabling quick, efficient choices
while ignoring some information. They can be deliberate or automatic, influenced by the
environment, experience, and cognitive biases. Table 1 compiles key heuristics from [13, 14, 15],
which can influence privacy decisions.</p>
      <p>Affect Heuristic. People judge objects or events by associating them with positive or negative
feelings.</p>
      <p>Anchoring. Under uncertainty, people tend to be biased towards a reference point, or “anchor”.</p>
      <p>Choice Overload. Too many options make people feel overwhelmed and influence their judgment
negatively.</p>
      <p>Contrast effect. People’s decision is influenced by comparing one instance with another, instead
of relying on impartial standards.</p>
      <p>Framing. People’s choice frame is set up in a way to manipulate/control the user’s decision.</p>
      <p>Functional Fixedness. People tend to fixate on a specific use of an object.</p>
      <p>Instant gratification. People prioritize quick rewards at the expense of future gains.</p>
      <p>Loss Aversion. People prefer avoiding losses rather than acquiring equivalent gains.</p>
      <p>Optimism bias. People tend to underestimate the chances of experiencing negative events and
overestimate positive ones.</p>
      <p>Social Norms. People’s behavior is influenced by social norms, which play a part in either guiding
or constraining it.</p>
      <p>Status Quo/Default Effect. People tend to favor options that maintain the current state over
those that introduce change.</p>
      <p>Authority. A recognized brand, institution or person that vouches for the security influences
disclosure.</p>
      <p>Bandwagon. People are influenced by the decision of many or the majority to disclose information.</p>
      <p>Reciprocity. People are more likely to share information with someone who has disclosed theirs
to them.</p>
    </sec>
    <sec id="sec-4">
      <title>3. Unethical &amp; ethical design patterns</title>
      <p>In this section, we explore unethical patterns followed by ethical, fair, and responsible ones as
decision support mechanisms within the context of privacy.</p>
      <p>Unethical patterns. Unethical or deceptive patterns, commonly referred to as “dark patterns”,
were first described by Brignull in 2010 [16] as “tricks used in websites and apps that make
you do things you didn’t intend to, such as buying or signing up for something”. These patterns
are often coercive, manipulative, and exploitative, aiming to guide the user into decisions that
primarily benefit the service provider, often at the expense of the user’s best interest [17].
Deceptive patterns exploit user biases and heuristics to trigger automatic, fast, and intuitive
decision-making. They frequently alter the choice architecture by hiding or obstructing
privacy-preserving options, instead promoting those that encourage greater PI disclosure [18]. This
manipulation prevents users from making informed, conscious choices, potentially leading to
harmful decisions regarding their personal data.</p>
      <p>Kitkowska [15] has identified unethical patterns in the existing literature and organized them
into taxonomies. Based on her work, Table 2 presents examples of privacy-deceptive patterns
(PDPs), the psychological effects (heuristics and biases) they may trigger, and their potential
impact on user decisions. Please note that due to space limitations, the table is not meant to
provide an exhaustive list of PDPs but to illustrate the concept and lay the groundwork for an
ethical approach.</p>
      <table-wrap>
        <label>Table 2</label>
        <table>
          <thead>
            <tr><th>PDP</th><th>Heuristic(s)</th><th>Effect on user</th></tr>
          </thead>
          <tbody>
            <tr><td>Confirmshaming: Steers users to make specific choices through guilt/shame. May use UI elements to induce a certain emotional state.</td><td>Affect, contrast and default effects, Framing</td><td>Users are manipulated to share more data through guilt or social pressure.</td></tr>
            <tr><td>Last-minute consent: Leverages time pressure and context to push users to consent to less optimal privacy options or choices, or make privacy decisions without the option to delay.</td><td>Loss aversion and Status quo</td><td>Users experience a reduced freedom of choice and might be coerced to comply with privacy-invasive choices to avoid losing progress.</td></tr>
            <tr><td>Safety blackmail: Users are pressured into less optimal privacy options by implying that failing to do so could result in safety or security risks.</td><td>Functional fixedness and instant gratification.</td><td>Users end up sharing more PI than they intended to enable their accounts.</td></tr>
            <tr><td>False necessity: Persuades users into privacy-invasive choices by claiming the data is essential for the service.</td><td/><td/></tr>
            <tr><td>Just between you and us: Makes false promises of confidentiality to encourage users to disclose more information.</td><td>Optimism bias and Framing.</td><td>Users might share more than they usually would due to the false sense of confidentiality.</td></tr>
            <tr><td>Trick questions: Deceive users into making privacy-invading choices with misleading or ambiguous wording.</td><td>Default effect, framing and anchoring.</td><td>Users will be confused and most likely misinterpret their choices.</td></tr>
            <tr><td>Attention diversion: Distracts users from privacy-conscious choices by other aspects of the interface.</td><td>Anchoring and Framing</td><td>Hinders users from properly reflecting on their privacy-related choices.</td></tr>
            <tr><td>Wrong signal: Uses distinguishable icons, symbols, or other elements in the UI to misguide users.</td><td>Anchoring, Framing, Affect</td><td>Certain UI elements create the illusion of privacy-conscious choices, misleading users into feeling secure.</td></tr>
          </tbody>
        </table>
      </table-wrap>
      <p>While deceptive patterns have been extensively researched and existing work offers valuable
insights into what should be avoided, there is a notable gap in research focusing on what should
be done [17]. This paper addresses that gap by proposing a systematic approach for developing
RPHs (i.e., ethical decision-support mechanisms) within the privacy context.</p>
      <p>Ethical patterns. Ethical, fair, or responsible patterns are decision support mechanisms
designed to prioritize the user’s interests, enabling them to make informed and unobstructed
decisions [18], in contrast to dark patterns, which manipulate users. These patterns aim to
empower users by presenting their choices transparently and clearly, facilitating well-informed
decisions. To achieve this, ethical patterns must be succinct, transparent, accessible, and easy
to understand. They serve as ethical counterparts to deceptive patterns. In this regard,
Potel-Saville and Rocha [18] developed a taxonomy (presented in Table 3) that pairs dark patterns
(DPs) with their corresponding fair patterns (FPs). The authors also note that some of these
patterns align with specific GDPR Articles, providing designers with a framework that ensures
both ethical design and regulatory compliance.</p>
      <table-wrap>
        <label>Table 3</label>
        <table>
          <thead>
            <tr><th>Dark pattern</th><th>Fair pattern</th></tr>
          </thead>
          <tbody>
            <tr><td>Harmful Default: default settings are against the user’s interest.</td><td>Protective Default: defaults prioritize user privacy and well-being, aligning with positive societal outcomes.</td></tr>
            <tr><td>Missing Information: Selective disclosure of information.</td><td>Adequate Information: Users receive clear, sufficient, and relevant information without unnecessary overload.</td></tr>
            <tr><td>Maze: User path to information, preferences, or choices are made unnecessarily complex.</td><td>Seamless Path: User path to information, preferences or choices are as easy when they are in the user’s interest as when they are in the service provider’s interest.</td></tr>
            <tr><td>Push &amp; Pressure: Emotional or time-based triggers pressure user decisions.</td><td>Pressure: No manipulative nudges unless they serve user or societal benefits.</td></tr>
            <tr><td>Misleading or Obstructing Language: Language is confusing, manipulative, or impedes user understanding.</td><td>Plain and Empowering Language: Clear, accessible, and jargon-free wording helps users make informed decisions.</td></tr>
            <tr><td>More than intended: Users are led through a series of steps that force them to do or give more than they originally intended.</td><td>Free action: Users are empowered to understand the consequences of their choices—especially regarding spending or data sharing—without unnecessary information overload.</td></tr>
            <tr><td>Distorted UX: The UI is designed to mislead or trap users.</td><td>Fair UX: The UI ensures the clarity, shape, size, and prominence of buttons and icons.</td></tr>
          </tbody>
        </table>
      </table-wrap>
    </sec>
    <sec id="sec-5">
      <title>4. An Approach for Designing Responsible Privacy Heuristics</title>
      <p>The research methodology has been developed following the Design Science Research (DSR)
approach [19]. Specifically, our methodology aligns with DSR’s key steps while further refining
some into sub-steps, as illustrated in Figure 1, and described as follows:</p>
      <p>1. Problem identification: as discussed earlier, there is a need for an approach to guide the
design and evaluation of RPHs for privacy-aware solutions.</p>
      <p>2. Approach design: is composed of four sub-steps: 2.1. Identify knowledge base, 2.2. Elicit
Meta-requirements, 2.3. Formulate the RPHs design principles, and 2.4. Develop a
methodological process for designing RPHs. The first three sub-steps have been adopted following
the method for developing design principles in [20], and the last step offers a systematic
process for using the approach. We describe these steps in the following section.</p>
      <p>3. Approach evaluation: aims at evaluating the approach based on how well it supports
solutions in the problem space. In particular, we will demonstrate its applicability (e.g.,
usability and validity) for the design and evaluation of RPHs for privacy-aware solutions
and its effectiveness in identifying wrong/bad design practices in privacy heuristics.</p>
      <p>4. Improve and re-evaluate the approach: this step mainly focuses on identifying
limitations or areas of improvement and refining the approach accordingly.</p>
      <p>In this paper, we cover the approach design and illustrate its applicability, leaving its
evaluation for future work.</p>
      <p>4.1. Approach design</p>
      <sec id="sec-5-1">
        <title>4.1.1. Identify knowledge base.</title>
        <p>The approach aims to guide the design and evaluation of RPHs for privacy-aware solutions. At
its core are the design principles that guide this process. Design principles are clear statements
that are prescriptive in nature, with different levels of abstraction depending on the context
[21]. According to Möller et al. [20], they are “fundamental propositions that aid designers
in achieving successful transfer of requirements to design”, and they should also encapsulate
and communicate knowledge that can be reused in similar instances that are subject to similar
conditions [20]. With this in mind, at this step we identified the literature related to ethical and
unethical design patterns and principles that apply to privacy heuristics. This enabled us to
identify the design patterns most relevant to this research, which have been presented
earlier in the paper.</p>
      </sec>
      <sec id="sec-5-2">
        <title>4.1.2. Elicit Meta-requirements.</title>
        <p>Based on related literature, we define RPHs as user-empowering, transparent, accessible,
and easy-to-understand decision support mechanisms that respect user autonomy and
self-determination and enable informed privacy decisions. Additionally, they should be based on
ethical principles such as: Respect, Beneficence (and Non-maleficence [22]), Justice, Integrity,
and Social Responsibility [23]. Based on this definition and the ethical principles identified in
[23], we elicited five Meta-Requirements (MR), which are listed in Table 4.</p>
      </sec>
      <sec id="sec-5-3">
        <title>4.1.3. Formulate the RPHs design principles</title>
        <p>The formulation of RPH design principles was grounded in the relevant literature identified
in the Identify knowledge base step. Specifically, we examined existing deceptive patterns and
related heuristics (see Table 2) and reviewed research on deceptive strategies (e.g., [16, 25, 26, 24])
to better understand how user behaviors are manipulated or exploited concerning their
privacy choices. We paid particular attention to Ahuja and Kumar's work [24], which identifies
25 dark strategies and seven broad ethical concerns—compulsion, inadequate information,
biased evaluation, insufficient deliberation, lack of control, pressure to conform, and restricted
options—arising from these deceptive patterns. Their study further anchors these concerns
in four theoretical conceptualizations of autonomy: agency, freedom of choice, control, and
independence. Building on these insights, we formulated the design principles aimed at
mitigating deceptive and unethical strategies while ensuring compliance with the established
meta-requirements. The resulting principles are presented in Table 5.</p>
        <p>DP1. Neutral: An RPH should present information about privacy choices in a neutral, balanced,
and clear manner, avoiding framing that could lead to biased or skewed decisions.</p>
        <p>DP2. Honesty and clarity: An RPH should ensure that all information presented to users is
truthful, clear, and easy to understand.</p>
        <p>DP3. Navigable and actionable information: An RPH should help users easily identify,
understand, and act upon privacy-related information.</p>
        <p>DP4. Unpacking complexity: An RPH should empower users to reflect and comprehend privacy
information that can affect their data disclosure.</p>
        <p>DP5. Pressure-free: An RPH should not impose time constraints, emotional manipulation, or
other coercive tactics that pressure users into making privacy decisions. Instead, it should
allow users to deliberate freely, ensuring informed and voluntary choices.</p>
        <p>DP6. Benefit-Risk Balance: An RPH should prioritize user benefits while proactively minimizing
potential privacy risks.</p>
        <p>DP7. Consequences awareness: An RPH should not obscure the consequences of a privacy choice.</p>
        <p>DP8. Empowering: An RPH should support users to select privacy choices that align with their
privacy requirements.</p>
        <p>DP9. Context-aware: An RPH should help users assess privacy decisions in context, considering
factors such as data sensitivity, purpose of collection and use, recipient trustworthiness, and
potential risks.</p>
        <p>DP10. Situation-aware: An RPH should adapt to different situations to provide relevant, meaningful,
and actionable guidance.</p>
        <p>DP11. Accessible and inclusive: An RPH should ensure that users—regardless of their abilities or
technical expertise—can understand and act upon privacy-related information.</p>
        <p>DP12. Regulatory compliant: An RPH must not encourage or lead to violating privacy legislation
(e.g., purpose limitation, data minimization).</p>
      </sec>
      <sec id="sec-5-4">
        <title>4.1.4. Develop a methodological process for designing RPHs</title>
        <p>In this section, we outline the methodology to be followed for designing RPHs. The process,
illustrated in Fig. 2, consists of three key steps:</p>
        <p>1. Identify core privacy heuristics for usability: Takes the privacy solution (system) as
input and derives Privacy Heuristics (PH) that enhance its usability. Gharib [10]
formulated ten Usable Privacy Heuristics (UPHs) that can be applied at this stage to guide the
design process. The goal is to ensure that privacy-related interactions are intuitive, clear,
and user-friendly, making it easier for users to understand and manage their privacy
settings effectively.</p>
        <p>2. Refine PHs into RPHs: Takes the identified PHs and the responsible design principles as
input. The PHs are then refined using these principles to develop RPHs.</p>
        <p>3. Validate the RPHs: Evaluates whether the RPHs achieve the purpose of their development,
which can be conducted through one or a combination of commonly used methods, such
as end-user testing, expert reviews, or other assessment techniques.</p>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>5. Illustrating the Applicability of the Approach</title>
      <p>We demonstrate the applicability of the approach with an example from the online social
network (OSN) domain. Privacy settings are arguably the primary mechanism through which a
DS can exercise control over their PI in OSN, as such settings can be used to manage how their
PI is shared and processed. To better understand the types of actions and information that OSN
privacy settings typically provide, we reviewed the settings of a few widely used platforms,
including Facebook and Instagram (via Meta’s Privacy Center), LinkedIn, and Reddit. Given
that these platforms serve varying purposes and user contexts, we synthesized their settings
into five broad key categories. We then derived related core functionalities and organized them
in Table 6.</p>
      <p>Due to space limitations, we focus only on Profile Visibility, which is managed via a profile
visibility interface, as our solution of concern (Step 1). The profile visibility interface (see
Figure 3) allows the DS to manage the visibility of various profile elements, including personal
details, activity such as posts, comments, and reactions on others’ posts, and content in which the
DS has been tagged.</p>
      <p>To enhance usability, several UPHs can be applied, such as a minimalist and consistent
layout that offers the DS relevant information related to their privacy actions, following
UPH6. Minimalist design: the system should offer DSs relevant information relating to their
privacy actions. At the top of the interface (see Figure 3), the DS is met with a brief description
of what these settings enable. They are also informed that tapping on the setting will lead
them to more information about it, inspired by UPH1. Visibility: the system should keep DSs
informed about their privacy choices. This approach guides the DS while allowing them to
make changes freely, as instructed by UPH4. Expressiveness: the system should guide DSs
on privacy while still giving them freedom of expression. Moving down, the privacy choices
were organized into sections with relevant naming and phrased in a simple and precise manner
(avoiding technical terms). This decision was made so the DS can easily understand what each
setting can do, and caters to DSs with different levels of digital literacy as instructed by UPH9.
User suitability: the system should provide options for DSs with diverse levels of skill and
experience in security.</p>
      <table-wrap>
        <label>Table 6</label>
        <table>
          <thead>
            <tr><th>Key setting</th><th>Related settings functionality</th></tr>
          </thead>
          <tbody>
            <tr><td>Account &amp; Security: controls over account details and account deletion</td><td>- Change password; - Enable/disable two-factor authentication; - Account deletion or temporary deactivation; - Manage devices and active sessions;</td></tr>
            <tr><td>Profile Visibility: controls how DS profile and activity are presented to others</td><td>- Profile visibility control (i.e., who can see user’s profile, and what profile details); - Activity visibility control (i.e., who can see user’s posts, interactions, status and other related activities);</td></tr>
            <tr><td>Interaction Preferences: controls how others can interact with DS’s profile and activity</td><td>- Profile interaction control (i.e., who can tag the DS or comment on their posts, and who can message them); - Activity interaction control (i.e., who can interact with users’ posts); - Blocking other profiles;</td></tr>
            <tr><td>Ad preferences: ads customization and experience management</td><td>- Inform on who uses and what data they use on advertisement customization; - Ad customization information management (i.e., manage what information the advertiser can access and process for ads experience enhancement);</td></tr>
            <tr><td>Permissions and Policies: control over data access and processing, and privacy policies</td><td>- Permissions controls (OSN and third parties); - Inform on which services have access to and use DS data, what data and how they process this data; - Enable DS to export their data; - Enable user access to privacy and cookie policy;</td></tr>
          </tbody>
        </table>
      </table-wrap>
      <p>Moving to Step 2 of the process, we refine the identified UPHs into RPH. In particular, we
analyze the identified UPHs one-by-one and apply the design principles we see fit. In what
follows, we first present the original UPH, then highlight its refinement with underlining as
each principle is applied.</p>
      <p>UPH1 – Visibility – “A DS should be informed about their privacy choices.”</p>
      <p>RPH1.1 - DP10. Situation-aware - “A DS should be provided with meaningful and actionable
guidance when informed about their privacy choices, allowing them to adapt to different situations.”</p>
      <p>RPH1.2 - DP9. Context-aware - “A DS should be provided with meaningful contextually relevant
and actionable guidance when informed about their privacy choices, allowing them to adapt to
different situations and recognize potential privacy risks.”</p>
      <p>UPH4 – Expressiveness – “A DS should be guided on privacy while still being able to have
freedom of expression.”</p>
      <p>RPH4.1 - DP8. Empowering - “A DS should be supported with intuitive privacy mechanisms while
still being able to have freedom of expression, enabling decisions that align with their beliefs.”</p>
      <p>UPH5 – Minimalist design – “A DS should be offered relevant information relating to their privacy
actions.”</p>
      <p>RPH5.1 – DP3. Navigable and actionable privacy – “A DS should be offered relevant, easy to learn
information relating to their privacy actions, making sure it is easily recognizable and usable.”</p>
      <p>UPH9 – User suitability – “DSs should be provided with options considering their diverse levels of
skill and experience in security.”</p>
      <p>RPH9.1 - DP11. Accessible and inclusive - “DSs should be provided with inclusive options
considering their diverse levels of skill and accessibility needs.”</p>
      <p>Now that the UPHs have been refined into RPHs, we revisit the initial profile visibility interface
accordingly. We follow the same structure as before, beginning with the Profile Visibility settings
(Figure 4), in which the original setting description has been slightly rephrased into a question,
followed by two concise bullet points and a warning. This format is intended to help the DS
easily identify the privacy actions they can take (RPH5.1), make them aware of potential risks
related to the visibility of their information, and make sure they know that they can change
them whenever they want (RPH1.1, RPH1.2, RPH4.1). This enables the DS to quickly understand
their existing choices at a glance, without needing to click into each setting individually (RPH1.1,
RPH9.1).</p>
      <p>Finally, Step 3 validates the effectiveness of the produced RPHs. The most effective approach
for our example combines expert evaluation and A/B testing with potential end-users. First,
experts assess the RPHs. Then, two versions of the privacy settings interface are tested: a
baseline version using PHs and an improved version using RPHs. Participants are assigned to
one interface, and their interactions and decisions are compared to evaluate the impact of RPHs.</p>
    </sec>
    <sec id="sec-7">
      <title>6. Conclusions and Future Work</title>
      <p>We aimed to tackle the problem of designing Responsible Privacy Heuristics (RPHs) by proposing
an approach that offers design principles to guide the design and evaluation of RPHs for usable
privacy-aware solutions. Recognizing privacy compliance as a human-centered challenge, our
approach aims to empower users, enhance informed decision-making, and foster trust. We
detailed the methodology used for the approach development and illustrated its applicability
with an example.</p>
      <p>For future work, we will assess the completeness of the proposed principles, define acceptance
criteria for their application, and validate the approach through expert evaluations. We also
plan to apply it in real-world case studies to refine and strengthen its practical relevance.</p>
    </sec>
    <sec id="sec-8">
      <title>Acknowledgment</title>
      <p>This work was supported by the Estonian Research Council grant “Developing human-centric
digital solutions” (TEM-TA120), and was performed within the framework of COST Action
CA22104 (Behavioral Next Generation in Wireless Networks for Cyber Security), supported by
COST (European Cooperation in Science and Technology; www.cost.eu).</p>
    </sec>
    <sec id="sec-9">
      <title>Declaration on Generative AI</title>
      <p>The authors have not employed any Generative AI tools.</p>
      <p>[19] Alan R. Hevner, Salvatore T. March, Jinsoo Park, and Sudha Ram. Design science in
information systems research. MIS Quarterly: Management Information Systems, 28(1):75–105,
2004.</p>
      <p>[20] Frederik Möller, Tobias Moritz Guggenberger, and Boris Otto. Towards a Method for
Design Principle Development in Information Systems. In Lecture Notes in Computer
Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics), volume 12388 LNCS, pages 208–220. Springer Science and Business Media
Deutschland GmbH, 2020.</p>
      <p>[21] Stefan Cronholm and Hannes Göbel. Guidelines supporting the formulation of design
principles. In ACIS 2018 - 29th Australasian Conference on Information Systems, volume 1,
2018.</p>
      <p>[22] Lorraine Kisselburgh and Jonathan Beever. The ethics of privacy in research and design:
Principles, practices, and potential. In Modern Socio-Technical Perspectives on Privacy, pages
395–426, 2022.</p>
      <p>[23] Karen Renaud and Lynsay A. Shepherd. How to make privacy policies both
GDPR-compliant and usable. In International Conference on Cyber Situational Awareness, Data
Analytics and Assessment, CyberSA, pages 1–8, 2018.</p>
      <p>[24] Sanju Ahuja and Jyoti Kumar. Conceptualizations of user autonomy within the normative
evaluation of dark patterns. Ethics and Information Technology, 24(4):52, Dec. 2022.</p>
      <p>[25] Christoph Bösch, Benjamin Erb, Frank Kargl, Henning Kopp, and Stefan Pfattheicher. Tales
from the Dark Side: Privacy Dark Strategies and Privacy Dark Patterns. Proceedings on
Privacy Enhancing Technologies, 2016(4):237–254, 2016.</p>
      <p>[26] Johanna Gunawan, Cristiana Santos, and Irene Kamara. Redress for Dark Patterns Privacy
Harms? A Case Study on Consent Interactions. In Proceedings of the 2022 Symposium on
Computer Science and Law, pages 181–194. Association for Computing Machinery, Inc, Nov.
2022.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>Meglena</given-names>
            <surname>Kuneva</surname>
          </string-name>
          .
          <article-title>Roundtable on online data collection, targeting</article-title>
          and profiling,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>Sarah</given-names>
            <surname>Spiekermann</surname>
          </string-name>
          , Alessandro Acquisti, Rainer Böhme, and Kai Lung Hui.
          <article-title>The challenges of personal data markets and privacy</article-title>
          .
          <source>Electronic Markets</source>
          ,
          <volume>25</volume>
          (
          <issue>2</issue>
          ):
          <fpage>161</fpage>
          -
          <lpage>167</lpage>
          , jun
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>Mohamad</given-names>
            <surname>Gharib</surname>
          </string-name>
          .
          <article-title>Privacy and Informational Self-determination Through Informed Consent: The Way Forward</article-title>
          .
          <source>In Lecture Notes in Computer Science</source>
          , volume
          <volume>13106</volume>
          LNCS, pages
          <fpage>171</fpage>
          -
          <lpage>184</lpage>
          . Springer Science and Business Media Deutschland GmbH,
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Argyri</given-names>
            <surname>Pattakou</surname>
          </string-name>
          , Aikaterini Georgia Mavroeidi, Christos Kalloniatis, Vasiliki Diamantopoulou, and
          <string-name>
            <given-names>Stefanos</given-names>
            <surname>Gritzalis</surname>
          </string-name>
          .
          <article-title>Towards the design of usable privacy by design methodologies</article-title>
          .
          <source>In Proceedings International Workshop on Evolving Security and Privacy Requirements Engineering</source>
          , ESPRE, pages
          <fpage>1</fpage>
          -
          <lpage>8</lpage>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>