
1. Privacy by design

Privacy by Design is a framework that instructs technological design to incorporate privacy practices from the onset rather than as an afterthought.

How many times have you filled in an online form where the checkbox for “Please send me marketing junk” was checked by default?

How many times have you seen a consent prompt where the request to deny consent is behind multiple clicks, but to allow consent is on the first layer of the user interface?

How many times have you noticed ads following you around the web, without having accepted this practice in the first place?

These are all examples of services that most likely did not incorporate Privacy by Design (or privacy by default) principles when they were being built.

As a technical marketer, you will often be tasked with designing campaigns and services that need to collect data from your visitors and customers. Understanding Privacy by Design principles will help you meet the legal and ethical obligations of this work, but you’ll also quickly find that increased transparency and trust can be competitive advantages.

At its core, Privacy by Design means that “privacy” – the user’s right to have their data protected – is incorporated into service and system designs by default. It’s not just about adhering to legal frameworks like GDPR (EU) and CPRA (California), even if these are important aspects of the principle. It’s also about building trust between the service and its audience.

Don’t miss this fact!

Privacy by Design is more than just abiding by legal regulations and ethical guidelines. It’s also about building services that your users are comfortable using, knowing their data is protected and that preventative measures have been taken to ensure this protection.

Privacy by Design principles

The seven foundational principles of Privacy by Design should guide you when designing services and campaigns in your marketing work.

It’s important to understand that privacy can’t be guaranteed solely by compliance with regulations. It needs proactive design work and embedded privacy practices in the organization as well.

Principle #1: Proactive not reactive; preventative not remedial

When you bake privacy into the technological design of your products and services, you are naturally adopting a preventative approach to privacy.

You are equipped to anticipate and prevent privacy-invasive events before they happen, rather than waiting for privacy risks to materialize.

Principle #2: Privacy as the default setting

Users shouldn’t have to jump through hoops to enable privacy settings. Privacy protections should be on by default: users opt out of them if they choose to, rather than having to opt in to them.

When privacy is the default setting, the user’s privacy is set to the strongest level of protection, whether the user interacts with the settings or not. Privacy is protected across all systems, and across IT and business practices.

Principle #3: Privacy embedded into design

Privacy should be an integral part of the system. This doesn’t mean that the efforts put into privacy should diminish functionality.

“Privacy” should be one of the first topics discussed when designing the site, app, or service. It can’t be introduced as an afterthought – retrofitting it is very costly, and you will have little control over data that has already been collected and processed under the old design.

Software designers often use a “definition of done” to determine when a feature is complete. Privacy should be a central part of that definition – no feature should be deemed complete until it has been validated with a privacy-first mindset.

Principle #4: Full functionality – positive-sum, not zero-sum

Following what was discussed above, privacy should be seen as a positive-sum approach, not zero-sum.

The zero-sum view implies that every decision taken to improve privacy comes at the expense of security, functionality, or other development work on the service.

The positive-sum view holds that integrating privacy into every design element is a net positive for service development. Privacy is thus a competitive advantage rather than a detractor that exists only to satisfy regulations.

Principle #5: End-to-end security – full lifecycle protection

Privacy by Design protects data across its entire lifecycle, from the moment it’s collected to the moment it’s securely destroyed.

This emphasizes the holistic approach to data processing that Privacy by Design requires. No single silo in an organization can handle the full breadth of user data protection, so Privacy by Design is by nature an interdisciplinary effort within the organization.

Principle #6: Visibility and transparency

Data operations should remain visible and transparent to both users and providers. Being open with your users about your privacy policies and procedures helps engender trust.

Much of privacy work revolves around documenting and communicating actions clearly and unambiguously.

However, Privacy by Design is more than just a link to a Privacy Policy – it’s about making privacy evident in every decision the user faces when interacting with your service.

Similarly, you need to make it easy for your users and your possible auditors to review your privacy policies as well as the privacy and security of your systems.

Principle #7: Respect for user privacy – keep it user-centric

Ultimately, Privacy by Design is about respecting user privacy. This is easy to forget when you’re working with systems.

It’s common to get preoccupied with the nuts and bolts of a system, trying to figure out whether you should collect data A or data B to satisfy the business requirements. But Privacy by Design dictates that you need to consider what’s best for the privacy of the user. If this conflicts with your business design, you will need to pivot the design so that embedding privacy-first principles becomes a net positive rather than a detractor.

Always protect the interests of users by defaulting to strong privacy protections. Make all privacy-related decisions user-friendly and frictionless to implement.

Deep Dive

Privacy by Design checklist

The following list (adapted from the ICO website) includes a range of questions designed to probe you (and your organization) on whether you are following Privacy by Design practices.

It’s not meant to be an exhaustive list, nor is it something that all organizations can follow. However, it should give you an idea of what a privacy-first organization would actively consider when working with service and technology design.

  • Are data protection issues part of the design and implementation of systems, services, products, and business practices?
  • Is data protection an essential component of the core functionality of your processing systems and services?
  • Do you anticipate risks and privacy-invasive events before they occur?
  • Do you process only the data that you need for your purposes?
  • Do you ensure that data is automatically protected (by default) in any IT system, service, product, and business practice?
  • Are you transparent about those responsible for owning data protection processes within your organization?
  • Do you strive for a plain language policy in documentation, so that individuals can easily understand what you are doing with their data?
  • Do you proactively offer users tools they can use to determine how you are using their data and whether privacy policies are correctly enforced?
  • Do you offer strong privacy defaults, user-friendly options and controls, and do you respect the user’s preferences?
  • Do you only utilize data processors (such as third-party vendors) that provide sufficient guarantees that they, too, subscribe to Privacy by Design principles?

Ready for a quick break?

The Technical Marketing Handbook also follows the “Relaxing by Design” principle, which requires you to take a break of 5 minutes right now.

Privacy by Design in digital marketing

In digital marketing, you’re often working with third-party tools and services.

If these tools and services don’t embed strong privacy protections by default, it will be difficult for you to adopt a Privacy by Design approach in your work as a result.

However, there are certain approaches you can adopt even when working with uncooperative third-party tools.

  • Data minimization means that you only collect the data you need. You never collect data just for the sake of collection or just because you can. Every single datum that passes your collection system needs to be collected with a purpose. This not only reduces the risk of data breaches but also builds consumer trust.
  • Transparency in data use means that you clearly communicate to your customers how their data will be used.
  • Purpose limitation means that you will not use the collected data for any purpose other than the one for which you have a legitimate basis.
  • Retention policy sets an expiration date for the data, so that you won’t hold onto it after it’s no longer needed for the purposes your users have agreed with.
  • Restricted sharing means that you will not share the data with other parties unless required to satisfy the purposes your users have agreed with.
  • Privacy as a user experience (UX) element means that UX design should incorporate privacy considerations, so that users can have agency over their own decisions regarding privacy protections and related settings.
  • Ongoing compliance and education means that Privacy by Design is a process that should be constantly evaluated and reworked within your organization. Laws and technologies evolve, and so should your practices.
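To make the “privacy as the default setting” principle and the approaches above concrete, here is an added example (not code from the Technical Marketing Handbook or from any real consent tool) of a minimal client-side consent gate. All names (`DEFAULT_CONSENT`, `ALLOWED_FIELDS`, `CONSENT_TTL_MS`, `buildPayload`, the 180-day retention period, and the sample event) are hypothetical. It fails closed (no purpose is consented until the visitor explicitly opts in), applies data minimization through a per-purpose allow-list of fields, enforces purpose limitation by never emitting a payload for a purpose without consent, and applies a retention policy by expiring the stored consent record.

```javascript
// Added example (not from the Simmer handbook): a minimal consent gate that
// applies privacy by default, data minimization, purpose limitation and a
// retention policy on the client side. All names and values are hypothetical.

// Consent starts DENIED for every purpose: no marketing or analytics tag may
// fire unless the visitor explicitly opts in. Accepting and denying each cost
// exactly one interaction, so there is no "deny is buried three clicks deep".
const DEFAULT_CONSENT = Object.freeze({ analytics: false, marketing: false });

// Data minimization: the only fields that may ever leave the browser, keyed by
// the purpose that justifies collecting them (purpose limitation).
const ALLOWED_FIELDS = Object.freeze({
  analytics: ['pageUrl', 'referrer', 'eventName'],
  marketing: ['pageUrl', 'campaignId'],
});

// Retention policy (assumed value): a consent record expires after 180 days
// and must be asked for again. A stale or unreadable record counts as "denied".
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;

// Read consent from a Storage-like object (window.localStorage in a browser).
// Returns a fresh object; only known purposes are ever copied out of storage,
// so a tampered record cannot widen consent to purposes we never defined.
function loadConsent(store, now = Date.now()) {
  const denied = { ...DEFAULT_CONSENT, explicit: false };
  const raw = store.getItem('consent');
  if (!raw) return denied;
  try {
    const rec = JSON.parse(raw);
    if (typeof rec.grantedAt !== 'number' || now - rec.grantedAt > CONSENT_TTL_MS) {
      store.removeItem('consent'); // expired: purge and fall back to the default
      return denied;
    }
    const consent = { explicit: true };
    for (const p of Object.keys(DEFAULT_CONSENT)) {
      consent[p] = Boolean(rec.purposes) && rec.purposes[p] === true;
    }
    return consent;
  } catch (e) {
    store.removeItem('consent'); // corrupted: never "fail open" into tracking
    return denied;
  }
}

// Persist the visitor's explicit choice. Unknown purposes are dropped and only
// a literal `true` counts as consent, so "truthy" junk cannot grant anything.
function saveConsent(store, purposes, now = Date.now()) {
  const clean = {};
  for (const p of Object.keys(DEFAULT_CONSENT)) clean[p] = purposes[p] === true;
  store.setItem('consent', JSON.stringify({ purposes: clean, grantedAt: now }));
  return clean;
}

// Build the payload a tag may send for a given purpose. Returns null when the
// visitor has not consented to that purpose; otherwise strips every field that
// is not on that purpose's allow-list (email, IP address, etc. never get out).
function buildPayload(consent, purpose, event) {
  if (consent[purpose] !== true) return null;
  const payload = {};
  for (const field of ALLOWED_FIELDS[purpose] || []) {
    if (event[field] !== undefined) payload[field] = event[field];
  }
  return payload;
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Usage with a constructed sample event that deliberately carries fields the
// allow-list must strip (email, ipAddress).
const sampleEvent = {
  pageUrl: '/pricing', referrer: 'https://example.org', eventName: 'view',
  campaignId: 'spring', email: 'visitor@example.com', ipAddress: '203.0.113.7',
};
const store = memoryStore();
console.log(buildPayload(loadConsent(store), 'marketing', sampleEvent)); // null: nothing fires by default
saveConsent(store, { marketing: true, somethingElse: true });
console.log(buildPayload(loadConsent(store), 'marketing', sampleEvent)); // { pageUrl: '/pricing', campaignId: 'spring' }
console.log(buildPayload(loadConsent(store), 'analytics', sampleEvent)); // null: analytics was not consented
```

The design choices are the ones a privacy-first reviewer would look for: the absence of a record, an expired record and a corrupted record all resolve to the same denied state; consent granted for one purpose does not leak into another; and the allow-list is positive (name what may be sent) rather than a deny-list of fields you remembered to exclude.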

Following these approaches means that you might ultimately need to switch third-party service providers in case their offering conflicts with Privacy by Design principles.

Luckily, these days almost all data-related practices have a host of vendors to choose from. It’s also possible that communicating your privacy concerns clearly to vendors whose services lack the required features might be just enough to prioritize privacy design in future iterations of these services.

As a technical marketer, treat Privacy by Design as more than just a compliance checklist.

It’s a philosophy that governs all of your actions when working with users and their data. It’s not just about laws and regulations – it’s also about a shift to a more ethical and user-centric approach to marketing in general.

Privacy by Design can be more than just a regulatory necessity. It can be a strategic asset. Your brand can use Privacy by Design to differentiate as one that values and protects its customers’ privacy.

This is one of the strongest messages you can push in this era of data overuse and misuse.

Key takeaway #1: Privacy by default

Privacy by Design is predicated on the notion that privacy should be incorporated in system and service design from the very beginning. It’s just as vital a part of design as any other part of the development process. It also encompasses the idea of “privacy by default”. When designing a feature, it should be designed so that privacy is ensured by default: protections are on unless the user opts out of them, rather than off until the user opts in.

Key takeaway #2: Seven principles guiding Privacy by Design

Privacy design should be preventative, not remedial. Privacy should be “on” by default, and it should be embedded into the design process. Privacy should not compromise functionality – it should add to it. Privacy design should cover the full lifecycle of data; data operations should be visible and transparent; and users’ interests and rights should always be protected.

Key takeaway #3: When working with data, ask yourself these

Did you collect the right amount (data minimization principle)? Are you retaining it for the right amount of time? Are you using it solely for the agreed purposes? Are you communicating its use transparently? If you work through these questions before taking on any new data-related endeavor, you can support Privacy by Design in your organization’s data systems.

Quiz: Privacy By Design

Ready to test what you've learned? Dive into the quiz below!

1. Which of the following are foundational principles of Privacy by Design?

2. What does data minimization mean?

3. How is Privacy by Design a potential competitive advantage?
