A new study from researchers at Carnegie Mellon University intends to improve the privacy regulations that often determine who has access to what data and how.

Privacy regulations like the General Data Protection Regulation and the California Consumer Privacy Act have created a path toward empowering people to control their privacy, but more work must be done, the researchers found.

"In many real-world systems today, privacy choices are difficult to find, overly simplified and even manipulative," said Yuanyuan Feng, a postdoctoral researcher in the Institute for Software Research (ISR). "Part of the reason for this is that regulations offer very little guidance on how to actually implement privacy requirements."

In a study presented at this week's Association for Computing Machinery (ACM) Computer-Human Interaction (CHI) conference, Feng and her colleagues introduce the notion of "meaningful privacy control." For privacy choices to be meaningful — to be desirable to users and in compliance with regulations — they need five attributes: they should not only be (1) effective and (2) efficient by traditional usability standards, but should also (3) support user awareness, (4) accommodate a comprehensive set of privacy rights, and (5) be presented to users in a neutral, nonmanipulative manner.

Because little concrete guidance for designing privacy controls exists, the team developed a privacy control "design space" — a map of all dimensions one should consider when designing privacy controls — based on a comprehensive review of internet, mobile and internet of things technologies; the privacy choices they offer; and how users interact with those choices.

"We hope this framework and taxonomy will help guide practitioners to design and implement more meaningful privacy controls, empowering consumers to actually take advantage of those choices mandated by privacy regulations," said CyLab's Norman Sadeh, a computer science professor in the ISR and the principal investigator of the Personalized Privacy Assistant Project.

Read more about the team's suggestions for better privacy regulations and how they demonstrated them using an app designed to detect devices that may be collecting data.