Check your privacy privilege.


Last year I gave a talk about teaching the legal side of web development to a conference of professional educators, and afterwards, I wrote this:

Other professionals assume web development is an organised profession with a defined career path like theirs. It is very, very difficult for highly intelligent people working in law and academia, for whom their careers meant three or four years at university, a year or two at graduate school, a full-time position in a professionally structured company, and a clear path of career development, to understand that web development has none of that. They assume we learned certain things, in certain places, at certain times. They assume we receive certain things in the workplace. (They assume we have a workplace). They assume we receive refreshers, CPD, or ongoing training. They assume we are fed regular knowledge by a professional body. To professionals like those, the reality of being a web development practitioner, with no training, guidance, or support, is incomprehensible.

In recent weeks I’ve been seeing a lot of this cognitive bias in play. I’m seeing a lot of highly intelligent professionals who seem to think that improving online privacy is a matter of enhancing training and education that developers already have, or nudging them to pull their socks up where their compliance practices have slipped.

I respect all of these professionals and love working with them, so some tough love is called for here. Please don’t take this the wrong way, but when I see these biases being spoken, it makes me want to put my head in my hands and cry. You need to understand what 24 years of coding on the web, and several years of speaking with, writing for, and training development communities taught me about those professionals:

you can work full time on online privacy and still not actually understand it.

As I write in my upcoming book, the number of developers and web practitioners who told me that my conference talks were the first training and education they had ever received on privacy, at all, anywhere, from anyone, ever, was terrifying. That is representative of the field as a global whole.

The overwhelming majority of web practitioners have no training, education, or guidance in online privacy.

At all.

Full stop.

Not one word.

Not one page.

Not privacy as a theoretical concept, not privacy as a legal concept, and not privacy as an ethical concept.

They don’t receive that training from their development communities. They don’t receive that training in their workplaces. They don’t receive that training in their education, assuming they had one.


Yet the bias I described in last year’s post leads many privacy professionals in law and academia to assume that they do, because that’s how their careers panned out. When online privacy goes horribly wrong, they assume there is a level of formative and professional knowledge which web practitioners have deviated from.

They never had that to begin with, and no one ever gave them the support they needed to get there.

So I’m seeing law professors talking about adding privacy ethics to the computer science curriculum. To which I would respond: why do you assume the people working with code are going through a university computer science course?

For that matter, what curriculum? The developers you need to reach probably came through a 16 week coding academy which taught code and not one word of anything else. Or they’re over 40, like me, and learned everything about code through right-click.

I’m seeing academics wanting to give talks to developers on how they are not meeting legal compliance. To which I would respond: why do you assume that they know what they are meant to be compliant with? Who do you believe they received that education from?

I’m seeing privacy professionals saying we need to rethink how we train technologists. To which I would say: why do you assume that technologists have any training?

I’m seeing data protection professionals wagging their fingers at developers to wise up. To which I would say: Good for you, but you’re pointing fingers, and not offering one hand up of the practical support they need to make you happy.

So let’s talk about what you need to do, as a full time legal or academic professional working in online privacy, if you want to get the message through on the ground, at the grassroots, and where it matters.

Because this is what is standing in between you, the makers of the web, and the people we build the web for.

You need to be prepared to commit to online privacy as a completely voluntary, unpaid, unfunded, unreimbursed, unsupported, unwanted, and unappreciated endeavour.

You need to be prepared to accept that you will be doing this work for the benefit of the open web and the people we build it for, and that this work will not benefit your career, your CV, your professional reputation, or your personal standing in the slightest. Just the opposite.

You need to understand that you are entering a world where the schools you went to, the degrees after your name, the institutions which employ you, and the works on your CV mean absolutely nothing to anyone, and f***k you god help you if you think they should.

You need to get your feet under the table with open source privacy teams, in open source projects which aren’t too bothered about online privacy, and spend several years getting dirty in the trenches with them before you purport to give them a single word of academic or legal advice.

You need to be prepared to spend £400-£800 out of pocket on travel and accommodation, several times a year, to give privacy talks at software community conferences which don’t cover speaker expenses, to speak with fewer than 20 people in the Sunday morning hangover slot.

You need to be prepared to put weeks of work into those conference talks, where the only question you will get afterwards is “do we still have to do those cookie popups.”

You need to be prepared to have your work misconstrued, your character torn down, and your credibility attacked by aggressive, angry tech bro developers who associate the word “privacy” with foreign government interference in their personal freedoms, and see you as that government’s emissary.

You need to be prepared to attend a data protection conference so that you can speak with a privacy lawyer about ways he might be able to support your development communities, only for him to zip out as soon as his talk is finished and then patronise you as some silly kid when you try to engage on social media.

You need to be prepared to have to crowdfund to cover your out-of-pocket privacy expenses, and just maybe, the time you spend on privacy teams at a level equivalent to the national minimum wage, only to be accused of just wanting to do it for the money.

Ditto for the months of work you pour into funding and grant applications to support development communities to establish and strengthen privacy teams and initiatives, and when you don’t get the funding, it’s the projects you put in the application to support which accuse you of wanting to do it for the money.

You need to be prepared to have to put aside privacy work for a few months to plow through internal project dramas and soap operas which are preventing the privacy work from being able to go ahead.

You need to be prepared to ask people to give you favours like downloads of academic papers off of university networks, or resources out of paid membership clubs like IAPP, because you can’t afford membership dues much less an academic shibboleth.

You need to be prepared to have everyone hate you – I mean, really, really despise every bit of you, personally – for what you do.

And you need to be prepared to grow another layer of skin and keep on doing it.

So if you care about online privacy and want to make the web a better place, please take that as the tough love as it is. Otherwise, you’re fighting the wrong battle with the wrong weapons. And just maybe, you’re fighting on the wrong side.


Hear Per and James discussing this post on episode 241 of UX Podcast.

The Author

I advocate for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. This is my personal site, and the opinions on it do not reflect the views of any current or previous employer.


  1. Brilliant post Heather. Engaging, articulate and, for someone relatively new to data protection (last 3 years) thought provoking. I can hear our own developers saying a lot of the above!
