Design configures our relationship with a space, whether offline or online. In particular, the design of built online environments can constrain our ability to understand and respond to websites’ data use practices or it can enhance agency by giving us control over information. This Article is the first comprehensive theoretical and empirical approach to the design of privacy policies.

Privacy policies today do not convey information in a way understandable to most internet users. This is because they are created without the needs of real people in mind. They are written by lawyers and for lawyers, and they ignore the way most of us make disclosure decisions online. They also ignore the effects of design, aesthetics, and presentation on our decision-making. This Article argues that in addition to focusing on content, privacy regulators must also con- sider the ways that privacy policy design—the artistic and structural choices that frame and present a company’s privacy terms to the public—can manipulate or coerce users into making risky privacy choices. I present empirical evidence of the designs currently employed by privacy policies and the effect of different designs on user choices. This research shows that supposedly “user- friendly” designs are not always boons to consumers; design strategies can manipulate users into making bad choices just as easily as they can enhance transparency. This suggests that recommending “user-friendly” design is not enough. Rather, privacy regulators, including the Federal Trade Commission and state attorneys general and legislators, must ensure that privacy policies, and the websites that display them, are designed in ways that enhance transparency.