| UI or UX | UI + UX - Durable privacy-control surface for account, product, device, app-access, activity, visibility, and sharing settings | UI + UX - Dedicated user or app configuration management surface | UI + UX - Persistent hub for communication, consent, topic, privacy, language, and personalization choices | UI + UX - Specific opt-in decision for optional data use, participation, communication, sharing, or training | UI + UX - Contextual operating-system or browser permission request for device resources, powerful browser features, private user data, or local capabilities | UI + UX - User or administrator workflow for selecting, preparing, securing, downloading, transferring, and verifying data export packages |
| UI guidance | Render privacy settings as a returnable control surface with current effective values, privacy categories, data types, app or service access, account/device/product scope, source of truth, managed or unavailable reasons, last updated status, and save or immediate-apply feedback. | Render settings management as a durable configuration surface with a clear Settings or Preferences entry point, grouped categories, current values, setting descriptions, ownership or scope labels, dependencies, save or immediate-apply behavior, status feedback, search or section navigation for larger sets, and reset or restore defaults where appropriate. | Render a preference center as a returnable hub with categories for communications, channels, topics or interests, notification delivery, privacy and data sharing, cookie or tracking consent, personalization, language or locale, required messages, managed values, source-of-truth status, and save feedback. | Render a consent prompt as a focused opt-in decision that names the requester, purpose, data involved, optionality, benefit, consequence of declining, withdrawal route, and consent record before the user chooses. | Render a permission request as a contextual feature gate that names the resource, user action, immediate benefit, system prompt timing, available choices, and fallback before invoking the OS or browser permission prompt. | Render data export as a job-based workflow with export scope, data categories, format, destination, estimated size, preparation status, expiry, security requirements, and download or transfer actions. |
| UX guidance | Use privacy settings when users need to inspect and change ongoing privacy posture for saved activity, profile visibility, app access, device permissions, data sharing, ad personalization, location, connected apps, or product privacy dashboards. | Use settings management when users need to review and change persistent app, account, workspace, notification, privacy, display, integration, or system behavior outside the immediate task flow. | Use a preference center when users need durable control over what they receive, which channels may be used, which topics they want, which consent purposes are active, how personalization uses their data, and which choices cannot be disabled. | Use consent prompt when the product needs the user to knowingly agree to a specific optional data-processing purpose such as marketing, research participation, AI training, personalization, partner sharing, or sensitive-data use. | Use permission request when a feature needs operating-system or browser authorization for resources such as location, camera, microphone, photos, contacts, notifications, Bluetooth, clipboard, motion sensors, or other powerful features. | Use data export when users need a portable copy of personal, account, workspace, product, activity, or organization data for reuse, compliance, migration, backup, or review. |
| Good UI | An account privacy dashboard groups Saved activity, Profile visibility, Ad personalization, Connected apps, Location history, Device permissions, and Data deletion, with current values, scope labels, last updated times, and unavailable reasons. | A notification settings page groups channels, quiet hours, digest frequency, and workspace scope; each row shows current value, effect, dependency, and whether changes save immediately. | A customer account preference center shows Email, SMS, Push, Topics, Cookies, Data sharing, Language, and Required service messages, each with current status, scope, and last saved time. | A research signup screen asks whether the user consents to being contacted for follow-up interviews, names the research team, shows what contact data is used, offers Yes and No thanks buttons, and links to withdrawal. | A field service app asks for location only when the user taps Start route, explains that current location will verify arrival, then opens the system permission prompt and offers manual address entry if declined. | A privacy dashboard lets a user choose activity, profile, files, messages, and billing categories, shows JSON or CSV availability, requires reauthentication, creates archive EXP-2048, then shows download expiry and checksum. |
| Bad UI | A Privacy page links only to a legal policy and has no controls for activity history, public profile fields, personalization, app access, or data sharing. | A page called Settings mixes billing invoices, destructive account deletion, onboarding tips, profile setup, search results, and global navigation with no grouping or save model. | A single Receive updates switch hides whether it controls marketing email, SMS, push, product notices, analytics consent, or service messages. | A modal says By continuing you agree to personalized offers and partner sharing, with a large Continue button and a small privacy policy link. | An app asks for location, contacts, photos, and notifications on first launch before the user knows why any resource is needed. | A button says Export all data but does not say which services, formats, accounts, dates, or unavailable records are included. |
| Good UX | A user pauses saved activity, clears search history for a date range, disables ad personalization, hides birthday visibility, revokes a connected app, and sees which values apply immediately versus after sync. | A user turns off weekly digest emails, sees the setting save immediately, keeps urgent security emails enabled, and understands the workspace-level override. | A user turns off promotional email, keeps outage SMS and account security email, changes language to Spanish, withdraws ad personalization, and sees which transactional messages remain required. | A user declines partner sharing and can still complete checkout; the service records no partner-sharing consent and shows how to change the choice later. | A user taps Scan receipt, sees why camera access is needed for scanning, grants access, scans the receipt, and can later revoke camera access from settings without losing account access. | A user requests a machine-readable archive, sees which data categories are eligible for portability, waits for preparation, downloads the package before expiry, and gets a manifest listing omitted records. |
| Bad UX | A user turns off location sharing in account privacy settings, but the device-level location permission remains active and the page never explains the split. | A user changes a privacy setting thinking it affects only one project, but the value applies to the whole account. | A user declines analytics in a cookie banner but later cannot find the preference center needed to withdraw personalization consent after signing in. | A user clicks Next to finish onboarding and unknowingly opts into marketing because the consent copy was bundled into the terms paragraph. | A user denies microphone access and the app loops the same system prompt every time they tap anything in the support screen. | A user downloads a huge ZIP with no manifest, cannot tell whether messages or attachments are missing, and assumes export completed because one file downloaded. |
| Best fit | Users need ongoing control over personal data collection, saved activity, visibility, app access, device permissions, connected services, data sharing, or personalization. | Users need to inspect and change persistent app, account, workspace, privacy, notification, display, integration, device, or system behavior. | Users need to revisit and change communication, consent, topic, personalization, privacy, channel, language, or data-sharing choices. | The product needs a user's active agreement for optional data use, marketing, research participation, personalization, partner sharing, AI training, or sensitive-data processing. | A feature needs operating-system, browser, or device authorization to access location, camera, microphone, photos, contacts, notifications, Bluetooth, clipboard, motion sensors, storage access, or another powerful feature. | Users need to download or transfer a copy of account, workspace, personal, product, activity, or organization data. |
| Avoid when | The task is a first-time opt-in to one optional purpose; use consent prompt. | The task is a one-time transaction, submission, setup wizard, or onboarding flow. | The product only needs a small app setting unrelated to communications, consent, or personalization. | The choice is only about non-essential cookies or device storage; use cookie banner. | The decision is consent to optional data use rather than access to a device or browser resource. | The user is importing records into the product; use bulk import. |
| Required state | Privacy settings overview with categories and current effective values. | Settings overview with categories and current values | Overview with preference categories and current effective status | Pre-consent state with optional processing off and the core task still understandable. | Contextual request state tied to the user action that needs the resource. | Eligible data categories and unavailable categories state. |
| Accessibility burden | Use clear headings, labels, descriptions, and status text for each privacy category and control. | Use headings, section labels, fieldsets, and persistent labels so settings groups and controls have clear programmatic names. | Group categories with headings, fieldsets, legends, and persistent labels that name the affected channel, purpose, topic, source, and scope. | Use a labelled region or dialog title that names the consent purpose, not a vague privacy heading. | Use a labelled region or dialog title that names the resource and feature, such as Allow location for route check-in. | Use persistent status text for queued, preparing, ready, partial, failed, expired, and downloaded states rather than relying on a spinner or toast alone. |
| Common misuse | Replacing privacy settings with a privacy policy link or legal notice. | Using settings as a dumping ground for unrelated navigation, billing, help, profile setup, onboarding, or destructive account actions. | Using one master preference switch for communication, privacy, cookies, topics, and required messages. | Treating continued use, scrolling, closing, or inactivity as consent. | Asking for multiple resources at launch before the user has attempted the relevant feature. | Using one Export all button with no scope, format, account, destination, date range, or size estimate. |