Visualization of the lengthy terms we agree to (Credit: Dima Yarovinsky)

A Legal Designer’s Approach To Privacy Policies

Fei Kwok
8 min readSep 28, 2021


Words are perhaps one of the most important weapons in a lawyer’s arsenal. But why is it that us lawyers often draft documents that only we can read? It undermines the very fundamentals of contract and informed consent.

Think about the many non-lawyers and lay-people that our work interacts with. How often have we seen people agree to terms and conditions without reading? Worse still, how much do you think they’d understand even if they tried? Even lawyers are guilty of not reading those fine print.

If legal documents govern the rights and duties of the parties for whom they are written, it only makes sense that these parties can read and understand them.

As a legal designer, I urge all lawyers to rethink how to better communicate the law in more accessible, if not engaging ways. We ought to hold ourselves accountable for the implications of our work — to ensure our audience can understand the information we convey.

Legal design is no longer a nice to have, but a must have

Legal design is the ability to make the law more accessible and more engaging to its intended audience.

In recent years, we’ve seen a growing enthusiasm for design thinking and its application in contexts like business and education. While its adoption in law is relatively nascent, it’s rapidly gaining ground, with thanks to the GDPR.

The General Data Protection Regulation (GDPR) came into force three years ago, and many countries have followed suit in ramping up its data protection measures. While requirements vary across jurisdictions, the common themes have been transparency, security, and accountability.

The GDPR explicitly requires privacy policies to be transparent and clear. They should not be long or full of legal jargon, and must be understood by the average person, not by lawyers only.

The principle of transparency requires that any information and communication relating to the processing of personal data be concise, transparent, easily accessible, using clear and plain language.

— Article 12, GDPR

Worth noting is that the GDPR not only applies to all EU operating companies, but also international companies operating in the EU. Those in breach are at risk of losing up to 4% of its global annual revenue. We’ve seen fines of up to €746 million!

Against this backdrop, I thought it’d be interesting to find out more about people’s experiences with privacy policies, and to share ways on how to improve accessibility and user-centricity.


I started by empathizing with users to better understand challenges through their lens. After speaking with 6 people on their experiences and conducting desk research, two pain points kept recurring: (1) information overload, and (2) the inability to understand legalese.

Privacy Policies — Challenges for Readers (Source: NY Times, The Atlantic, Reddit & Pew Research Center)

Problem #1: Information Overload

Something that came up repeatedly was that people felt overwhelmed by the extremely long and dense text. People simply don’t have the time nor energy to sift through all the words and jargon.

Adopt a layered approach

Layering content reworks an otherwise lengthy policy into shorter and more manageable sections. The first layer is usually the shortest, providing a brief summary or highlights of the policy. Often, it’d include links to a second layer that expands the policy to its fullest. This layered approach works particularly well in a digital context, and is encouraged by the GDPR.

For example, see below where I re-worked HSBC’s Data Privacy Notice. Despite its attempt to a layered approach through the title “more details”, the full content which is already expanded by default defeats the very purpose of layering content. As compared to the example on the right, the short summary covers key information, with links to further details that are hidden until users click to read more. The left side menu also acts as a signpost for users to know which section they’re at as they browse. This also reduces time taken to arrive at a section of interest by clicking on the appropriate title.

Example: Reworking HSBC’s Privacy Policy using a layered approach

Use sections & bullet points

The same can be achieved for physical documents. Here, I had a go at reimagining the Personal Information Collection Statement I received in the mail from HSBC. I broke down the information into sections and used bullet points to make the content easier to digest. In a similar way, users are better able to navigate directly to their desired section at a glance.

Example: Rethinking HSBC’s Personal Information Collection Statement using sections & bullet points

Problem #2: Inability to understand legalese

Another issue was the extensive use of unfamiliar jargon and complicated syntax. No one enjoys reading something they cannot understand.

Write in plain English

It should go without saying, but avoid using technical jargon. Use more familiar terms, simple sentences and consistently use the same words to describe the same thing. It’s not about watering down provisions, but to preserve legal meaning while ensuring the content is understood by its intended audience.

Here’s an example:

We intend to use your personal data in direct marketing of MPF products and/or MPF services, and we require your consent (which includes an indication of no objection) for that purpose.

If I were to make this simpler, it’d look like this:

We will not use your data for direct marketing of our MPF products and services without your consent.

Don’t feel boxed in by precedents

Lawyers love using precedents. Redrafting a document takes time, and the tried and tested nature gives lawyers a sense of certainty. While precedents are good guides, don’t be afraid to go beyond — always question standard drafting and find ways to improve and make it intelligible to your audience.

Make use of visuals & icons

Privacy policies can be used in conjunction with icons to enhance communication and help readers understand faster. To ensure these icons serve its purpose of conveying meaning effectively, try narrowing down a few icons to test with users and see which best represents its intended meaning.

Dot voting to determine which icon best represents marketing purposes

Privacy journey map

Juro, a logistics software company, designed the below diagram mapping out when and how data is being collected from its customers. A great visual tool to boost understanding of the data collection process and what it means for users.

Privacy Journey Map from Juro’s Privacy Policy

Measuring the value of these changes

Flesch Reading Ease Index, Flesh-Kincaid — Readability

One way would be to measure readability, which could be through tests like the Flesch Reading Ease Index and Flesh-Kincaid that look at the (i) average number of syllables per word, and (ii) sentence length. The more readable the content, the faster the user can read, and with less effort.

This said, readability tests may only give a limited idea of users’ understanding. Fewer syllables or shorter sentences do not always mean users are able to understand the text. Content is only comprehensible if users can derive meaning and purpose behind those words.

Cloze test — Understanding

User testing can also be conducted to probe users’ understanding. A common assessment for reading comprehension is the Cloze test. This involves replacing every 6th* word with blanks, which you’ll then have users try fill in. A result of over 60% accuracy would mean a reasonably comprehensible text. * Note: 6 is a typical number used. The test can be made easier by using a higher value.

Here’s an example, using a paragraph from HSBC’s privacy policy:

This is when we use [______] data to send you details [______] financial, insurance or related products, [______] and offers provided by us [______] our co-branding, rewards or loyalty [______] partners or charities.

We may [______] data such as your demographics, [______] products and services that you’re [______] in, transaction behaviour, portfolio information, [______] data, social media data, analytics [______] information from third parties when [______] market to you.

User feedback & data analysis

There are also other ways to measure value, such as looking into data. For example, the rise or fall of queries or follow-ups associated with privacy policies. Regular check-ins can also be scheduled with customer service teams who handle complaints and feedback on data privacy to better understand the effect of new changes and identify areas of improvement.

All this said, we should be weary of measuring value in ways that focuses too much on numbers rather than the purpose behind it. In the words of James Clear from Atomic Habits, “measurement is only useful when it guides you and adds context to a larger picture, not when it consumes you”.

“In a way, whether something reads should be guided by a common sense approach. Just read it yourself and see if you can finish and understand what you wrote (without getting annoyed!).”

A win-win

Ultimately, the GDPR is not asking for us to sacrifice precision for clarity. It’ll take skill and care to switch from using precedents and legalese to user-centric ways of delivery and presentation, but it’s a win-win for all! Especially for in-house lawyers who’ve long been viewed as a cost center and impediment to business, increased adoption of legal design enhances communication, thereby saving costs and time to access otherwise untapped opportunities.

The need for legal design is clear. It’s time we take the collective step to practice legal design, both within and beyond data privacy, before it becomes an inevitable part of the industry’s competition.

If you enjoy reading about the intersection of design and law, check out the resources at Stanford’s Legal Design Lab, and work by the people at Amurabi, Dot. And do ping me if you’re interested in chatting more about legal design! I’d love to hear your thoughts and experience.

Special thanks to Ivan Chik for his critique and support that led to this final edit.



Fei Kwok

Lawyer turned Interaction & Service Designer | Design, death, mental health & humane tech.