← All posts
5 min read

Privacy by Design: Building Products That Need Less Personal Data

#technology#security#privacy#product-design
📑 On this page

Privacy is difficult to add after a product has copied personal data into databases, logs, analytics tools, backups, and vendor systems.

The strongest opportunity appears before collection.

Privacy by design makes purpose, minimization, protection, retention, deletion, and user control part of the product architecture from the beginning.

It asks not only how to secure data, but whether the product needs that data at all.

A concrete example: fitness statistics

A fitness app wants to show weekly distance.

One design uploads second-by-second location history and calculates the total on a server. Another calculates distance on the device and uploads only the weekly number if synchronization is enabled.

The second design reduces sensitive collection, breach impact, infrastructure, and deletion complexity while still delivering the feature.

Begin with a specific purpose

For every personal-data field, document:

  • the user-facing purpose,
  • the lawful or policy basis,
  • the owner,
  • who needs access,
  • how long it is needed,
  • and what happens when the purpose ends.

“Future analytics” is not a precise purpose. Vague purposes encourage indefinite collection and reuse that users did not reasonably expect.

Minimize collection

Collect the least detail required.

Ask whether the system needs:

  • an exact birth date or only an age range,
  • precise location or a city,
  • a permanent identifier or a short-lived session,
  • raw audio or an extracted command,
  • every event or a sampled aggregate.

Minimization reduces both privacy risk and ordinary engineering cost.

Minimize movement and copies

Data becomes harder to govern every time it is copied.

Map movement through:

  • client devices,
  • APIs,
  • queues,
  • databases,
  • warehouses,
  • logs,
  • backups,
  • support tools,
  • and third parties.

Prefer local processing, purpose-specific stores, references instead of copies, and aggregated results where they satisfy the need.

Protective defaults

Users should receive a privacy-protective experience without finding obscure settings.

Examples include:

  • sharing disabled until chosen,
  • short retention by default,
  • private profiles,
  • approximate rather than precise location,
  • and no optional advertising use without a valid choice.

The interface should explain consequences at the moment a meaningful decision occurs.

Separate identities and purposes

Do not use one universal identifier across unrelated contexts when narrower identifiers will work.

Purpose-specific or tenant-specific identifiers reduce easy linking between datasets. Separate production, analytics, support, and experimentation access rather than giving every system the same complete profile.

Separation is not perfect anonymity, but it limits unnecessary correlation and blast radius.

Access control

Grant access based on job and task:

  • which records,
  • which fields,
  • which action,
  • which environment,
  • and for how long.

Use strong authentication, short-lived credentials, approval for bulk access, and logs that support investigation. Periodically remove access that no longer matches a role.

Privacy-aware logging

Logs are frequently overlooked copies of personal data.

Avoid recording passwords, tokens, full payment details, raw documents, or sensitive request bodies. Use stable event identifiers, redaction, field allowlists, and restricted diagnostic access.

Set log retention intentionally rather than inheriting an unlimited default.

Retention as architecture

Every stored category needs a retention rule tied to purpose and obligations.

Implement deletion across:

  • primary records,
  • search indexes,
  • analytics tables,
  • caches,
  • file stores,
  • vendor systems,
  • and backups according to documented handling.

Test deletion with seeded records. A policy document does not prove that all copies disappear.

User rights and correction

Products may need to support access, correction, export, objection, consent withdrawal, or deletion depending on context and law.

Design stable identity verification and request workflows early. Avoid collecting new excessive identity evidence merely to fulfil a privacy request.

Tell users what was completed, what must be retained, and why.

A long consent screen cannot make unnecessary or surprising collection good design.

Choices should be informed, specific, freely made where required, and easy to reverse. The product should still minimize data and protect people who choose the ordinary path.

Do not manipulate users with unequal button emphasis or repeated pressure.

Third-party review

Before sending personal data to a vendor, assess:

  • purpose,
  • fields,
  • locations,
  • subprocessors,
  • retention,
  • security,
  • model-training use,
  • deletion support,
  • incident notification,
  • and exit procedures.

Technical contracts should enforce the intended fields and destination, not rely only on legal text.

Privacy threat modeling

Consider harms beyond external hacking:

  • inappropriate internal access,
  • unexpected inference,
  • combining datasets,
  • exposure through shared devices,
  • coercive use,
  • inaccurate profiles,
  • and exclusion from opportunities.

Include affected users and domain experts when assumptions about harm are uncertain.

Measure privacy properties

Track:

  • unnecessary fields collected,
  • retention violations,
  • deletion completion,
  • access anomalies,
  • vendor copies,
  • sensitive-log findings,
  • and time to fulfil requests.

Privacy should have testable system properties and operational owners, just like reliability.

Review product changes for new purposes

A feature can quietly change the meaning of previously collected data. Adding social discovery to a private fitness log, for example, creates new visibility and linking risks even if no database column changes.

Require privacy review when teams introduce a new use, recipient, model, vendor, retention period, or cross-dataset join. Compare the proposal with the original user expectation and purpose record. When the new purpose is not compatible, redesign the feature or obtain an appropriate new choice instead of stretching old language.

Knowledge check

  1. Why is purpose definition an architectural decision?
  2. How can local processing reduce privacy risk?
  3. What makes a default privacy-protective?
  4. Why must deletion cover derived systems?
  5. Why is consent insufficient by itself?

The one idea to remember

Privacy by design starts by needing less personal data, then limits its movement, access, lifetime, and reuse. Protective defaults, tested deletion, narrow identifiers, user control, and accountable vendors turn privacy promises into system behavior.