Data Privacy at Capital One
With the California Consumer Privacy Act going into effect in 2020, Capital One needed a way to meet legal requirements while doing right by consumers. I redesigned the consumer-facing Privacy page and created an effective data request tool for all.
-
Project Role: Visual/UX Designer
Year(s): 2019-2020
-
With the California Consumer Privacy Act going into effect in 2020, Capital One needed a way to meet legal requirements while doing right by consumers
-
Designing and implementing Capital One's first consumer-facing data management tool, allowing consumers to request to download or delete their Capital One data
Context
Before taking on this government-mandated work, Capital One’s public-facing privacy portal was… lackluster. It started (and ended) with the privacy landing page, which didn't offer much to our customers in providing control over their privacy. It was oft-visited and used legacy design standards that were long gone elsewhere on the site. We sought to refresh this page and provide more emphasis on data practices and managing privacy options.
Creating a new privacy center
Generative and evaluative research were integral to designing this experience. After joining the Privacy team and learning about Capital One's design systems, I took part in a design sprint with my team to begin thinking about the ideal customer journey and identify the screens that would get us there.
With an extremely rapid timeline approaching (by this point, our tech teams were scheduled to begin development in a month), we began rapidly developing prototypes and A/B testing them with live users. This gave us the opportunity to make changes quickly and conduct further user testing to gauge performance.
In our first stage of implementation, we used cards to carry over information in the redesign. We tested different approaches to content to provide insight into what the tools provided. However, in A/B testing we saw that users weren't reading most of the descriptions. We also noted that most users visiting the page were looking for the privacy policy but struggled to find it without proper hierarchy. (Click to enlarge)
For the final design, we mapped out the hierarchy of elements with our product partners and worked on highlighting the types of information that users were most interested in. In subsequent user testing, this new page garnered customer trust and catered to users' expectations more effectively. (Click to enlarge)
A first-of-its-kind data management tool
In response to the California Consumer Privacy Act, we worked to balance regulatory compliance by creating a new data request portal driven by control and trust. To do this, we worked closely with our product and legal teams to embed the customer experience in conversations. We were able to break the mold that other companies chose to adhere to, developing a sense of choice when requesting, downloading, and deleting data.
For customers requesting their data from Capital One, they're able to request account-specific data for any of their accounts, including credit cards, bank accounts, and auto loans. They could also request to see the non-account data we collected about them, such as marketing inferences and data acquired from third-parties. (Click to enlarge)
Under the Gramm Leach Bliley Act, there are many types of data that Capital One must retain by law. Because of this, we worked to set the expectation to users requesting to delete their data that we could only delete data that isn't essential to maintaining their account functions or data that isn't federally protected under GLBA. (Click to enlarge)
When we return someone's request for their data, we provide them with insight into what was in the request, what the data might look like, and what next steps they could take. This sets the stage for a future-state where we can provide users with a variety of privacy options and choices. (Click to enlarge)
Towards the end of 2019, we worked closely with senior and executive-level product and legal partners to deliver the final CCPA experience ahead of the January 1, 2020 effective date. In addition to fully-authored design specs for over 80 screens, I worked on a user guide for downloads, call center procedures, and design strategies post-launch.
A new problem to solve
After the portal launch, I discovered a critical gap in the Privacy organization. Teams had independently developed data request processes with limited shared understanding or documentation. This disconnect threatened future process improvements. I partnered with product managers and team leads to address this. I conducted workshops with various Privacy teams, including data processors and call centers, mapping their processes, actors, actions, triggers, and common scenarios. I then documented these processes, identifying tools, software, and individual team sentiments. Finally, I met with stakeholders to refine my understanding and begin mapping the entire data journey at Capital One.
Formalizing a system map
Following workshops, partner teams requested a large-format, single source of truth document. I created a hybrid service blueprint/system map, combining the infrastructure of a service map with the information density of a system map. I documented the process steps, including actions, actors, and tools, supplementing with screenshots. I then mapped partner-identified flows and connected them to create the final map.
And thus, the final map was born! Click on the image to dive in.
In addition to the large (approximately 8 feet long) map, I understood that our partners would also likely need something more digestible for decks, handouts, and quick looks. Taking inspiration from postmodern subway maps, I applied that abstraction to the map to create a "subway map" version of ours.
This mapping effort was extremely influential in building the Privacy organization's roadmap. Having identified their connections, teams were able to come together to identify opportunities to simplify their processes together. The leadership team was able to rally around the need for more focus on their backend processes, including increased headcount and funding. Finally, the "subway map" was included in a pre-read that was shared with the C-suite to tell the story of privacy at Capital One.