Introduction

On 18 April 2024, Meta conducted a collaborative workshop at the Fundação Getulio Vargas (FGV) Data Governance School in Rio de Janeiro, Brazil. Hosted by FGV’s law department, the school aimed to gather a cohort of expert stakeholders to exchange ideas and best practices regarding digital privacy and the governance of personal data in Latin America.

Expert stakeholders at Meta’s collaborative workshop explored ways to design people-centric privacy and data control experiences while balancing values, tensions and trade-offs. The stakeholders brought a wealth of expertise and diverse insights as public servants from Latin American Data Protection Authorities, governmental and intergovernmental officials, data governance practitioners, start-up and business representatives, civil society activists, and researchers.

We synthesized workshop outputs into general insights to help organizations develop people-centric and effective privacy control experiences. These insights are not specific to any organization’s controls or privacy practices, and where applicable we have included some examples of Meta's user experience (UX) research and some actions we’ve taken.

Insights for people-centric privacy control experiences

  1. Consider people’s awareness of and the findability of privacy controls, taking a proactive stance to promote these controls in digital products.
    • For additional insights about the findability of privacy controls on social technology, see “How to make privacy settings easier to find using better names and organization”, where Meta’s Privacy Research team identified two important strategies that help make privacy settings easier to find: (1) present privacy settings in short lists that are grouped based on users’ mental models for privacy topics; and (2) use descriptive names for privacy settings that avoid the generic word “privacy”.
  2. To unlock the full potential of privacy and data settings for a wide range of people, it is important to develop user-friendly and intuitive interfaces that make it easy for people find, understand, review and change their settings.
    • For additional insights about providing people with information about privacy controls on social technology, see “Evidence that education can build users’ confidence about their privacy on Messenger”, where Meta learned that people exposed to privacy education about Messenger felt more confident in their ability to control their privacy on Messenger and also felt more confident in the effectiveness of Messenger’s privacy controls.
  3. Controls should be personalized, when possible, such that they are tailored to individual needs and preferences. Default privacy settings could be an important feature for people-centered privacy control experiences.
    • For example, social media products might give people the ability to create and control different types of profiles, like personal and creator profiles
  4. Inclusive design is important and controls should account for a wide range of digital literacy, language competence, learning styles and individual preferences.
    • For example, making privacy controls more accessible should be considered - centralization as well as guided experiences might help people with lower digital literacy manage their settings more effectively. It can also be important to have accessible transparency and education about privacy controls, such as diverse, non-textual communication formats (such as videos) and accessibility features.
    • For additional insights about digital literacy, see “Digital literacy insights can help improve privacy experiences”, where Meta’s Privacy Research Team describes two strategies it has been using to address this: (1) Conducting privacy research with people who have low digital literacy, and (2) Applying research-backed digital literacy design guidelines to privacy features.
  5. Tensions may exist when designing privacy control experiences. When balancing what the law requires with a design that is clear and valuable to people, it is important to consider the following three factors: (i) level of transparency or amount of information about privacy controls, (ii) granularity of privacy controls, and (iii) when/where to surface privacy and data controls for people.
    • For example, while an organization’s privacy policy might be the place to explain data practices in detail, that level of detail may be overwhelming on a consent screen. Therefore, comprehensiveness of transparency and granularity of controls should be context-specific.
    • For example, when designing a single location or product surface to manage important privacy settings across different social media products, the following types of privacy controls should be considered: (i) audience settings and account discoverability, (ii) safety and security, (iii) data use for ads, and (iv) cross-app interoperability management (if needed).

Conclusion

It is through collaborative workshops in addition to other forms of consistent consultation with expert stakeholders that Meta can gain and share valuable insights as well as actions.

For instance, Meta recently launched privacy features that aim to provide people with enhanced privacy control experiences. In February and April 2024, we launched a bundled settings experience for adults globally who do not have Locked Profile enabled. This experience makes it easier for people to review and modify the most frequently updated audience settings so they can better reach their intended audience on Facebook. Additionally, in January 2024, we made changes to two Facebook settings which describe who Facebook can suggest your Profile to based on your phone number or email. These measures provide enhanced transparency through changes to the settings descriptions and options, and Help Center guidance on what the settings do, reflecting how this audience option works in practice.

We hope that our insights and actions will in turn help organizations learn how to build effective privacy control experiences. As expectations around privacy evolve, it’s critical for organizations to continue investing in guardrails and processes to meet people’s privacy needs and expectations.