The Practice Dilemma and Institutional Breakthrough of Privacy Policy: From the Perspective of Privacy by Design

2023-12-29 00:00:00 Qin Qian, Dang Yujie
科技與法律, 2023, Issue 2

Abstract: With the establishment of the legal and normative system of personal information protection, the formulation, implementation, evaluation, and improvement of privacy policies are undergoing an upgrade test from formal compliance to substantive protection. Therefore, it would have a positive normative effect to analyze the underlying logic between privacy policies and personal information protection. First of all, analyze the legal nature of privacy policy, from static legal relations to dynamic scene application, to make clear the internal systematicity of legal tools such as contract authorization, credit trust, self-discipline rules, and social commitment. Secondly, facing up to the application dilemma of the privacy policy, analyze its deficiencies in privacy policy practices and the causes. Starting with the logical path of the informed consent mechanism to reveal the value dislocation in compliance with the current privacy policy, introduce "privacy by design" to break the deadlock. Finally, by combining internal and external perspectives, standardizing process design, optimizing manifestations of intention, and implementing compliance supervision, the system configuration should be improved to realize the value transformation of the privacy policy.

Keywords: privacy policy; personal information protection; informed consent; privacy by design; privacy policy design

CLC: D 912  DC: A  Article: 2096-9783(2023)02-0116-12

At present, research on privacy policy is mainly concentrated in the fields of law, library and information science, and computer science. The research paradigm in law has shifted from discussions around theories and institutions to empirical analysis based on practice samples. On the whole, it follows a research path of selecting privacy policy samples, designing compliance indicators, conducting content comparisons and analysis, and then putting forward improvement suggestions. Library and information science focuses on the content expression and analysis of privacy policy, while computer science explores the design and application of privacy policy. In empirical research, there is a clear integration trend between disciplines. Based on the practical dilemma of the "text level" privacy policy in the practice of informed consent revealed by the existing research, this paper attempts to sink into the "logic level" and find solutions through the transformation of the privacy policy design concept. By analyzing the principles of the privacy policy to implement the personal information protection system, it is clear how to effectively implement the notification consent rule. In form, the enterprise should pay attention to the performance of notification and obtain consent, and in substance, the user should be fully informed. In this regard, this paper advocates introducing "Privacy by Design" to correct the value proposition of privacy policy, and proposes a user-centered risk-preventive privacy policy design that aims to upgrade post-event passive supervision-driven compliance to proactive risk prevention in advance.

1 Disputes and Determination of the Legal Nature of Privacy Policy

1.1 Disputes over the Legal Nature of Privacy Policy

A privacy policy is a statement, in the form of online documents, that discloses the purpose, scope, and method of network service providers collecting and using users' personal information, and it also publicizes the principles and specific measures by which network service providers protect users' personal information[1]. There have been many arguments about the legal nature of the privacy policy since the concept appeared.

The contract theory is to analyze the legal relationship between a network service provider and a network user from the perspective of private law and consider that the privacy policy is a contract between the network service provider and the user. The service provider publishes a privacy policy showing the way it collects and utilizes personal information, which can be regarded as an offer. The user's consent is a promise. The service provider's promise to protect the user's personal information and the user's consent to collect and use his personal information constitute the rights and obligations of the contract①. Users must effectively agree to the privacy policy in the form of a click consent button or other enforceable forms, rather than just reading[2]. That is, the privacy policy does not automatically create a contractual relationship between the parties. The key is whether the user has given explicit consent. The privacy policy agreed upon by the user is recognized as an agreement, which has the dual effect of publicizing the method of collecting and using the user's personal information and obtaining the user's authorization.

The self-discipline rule theory aims to analyze the power allocation of enterprises and administrative agencies from the perspective of public law and considers that privacy policy is the self-regulation rule of enterprises, corresponding to legal rules that respectively reflect the self-regulation of enterprises and the administrative regulation of the government. In the United States, under the decentralized legislative model, in addition to formulating separate laws for special subjects and special fields, enterprises in other fields are self-regulated by formulating their privacy policies in accordance with the fair information practices principles. This makes the privacy policy play the role of supplementing the blank of statutory law and produce binding force similar to law for enterprises. The Federal Trade Commission reviews an enterprise's business practices to make sure they comply with privacy policies and regulates "unfair" and "fraudulent" transactions[3]. In the European Union, the unified legislative framework fully reflects government regulation. Administrative supervision drives companies to fulfill their statutory obligations by formulating privacy policies and establishing high-quality data protection standards. As an autonomous regulation of the enterprise, the privacy policy is subject to the legitimacy review of the data protection agency.

The social commitment theory is based on an analysis of the market positions of operators and consumers from the perspective of economic law and considers that the privacy policy is the public statement and commitment of operators to the collection and use of consumers' personal information. Consumers' personal information contains a social value. So, privacy policies must be in accordance with the public interest. If consumers have the requirement to be informed when operators collect and use their personal information, the privacy policy changes from a simple reading text to a functional text and becomes an important part of balancing the rights and obligations of both parties and avoiding privacy monitoring[4]. In order to eliminate the inequality in the status of both parties, the privacy clause must be endowed with social attributes. Accordingly, the rules for processing personal information should not be decided by individuals but by society as a whole. Among them, the obligations list of operators and the rights clauses of users are indicators for evaluating the social image of enterprises and are also the basis for pursuing corporate responsibility.

The credit trust theory aims to improve the protection of users' privacy data by e-commerce platforms from the perspective of property law and advocates that there is an information trust relationship between the platform and users regarding privacy data protection②. Trust is the core element in forming a fiduciary legal relationship. In order to win users' trust, the platform shows responsibility by illustrating the privacy policy rules to attract users to disclose information[5]. By establishing trust between two parties, users as the principal authorize the platform to manage, use, and dispose of their private information within a certain range[6]. The platform performs its obligations with fiduciary standards that are protective, prudent, honest, and loyal to the information subject[7].

1.2 Determination of the Legal Nature of Privacy Policy

The author believes the nature of privacy policies should be determined in specific application scenarios in combination with situational elements and should not be statically drawn to a unique and constant conclusion. In practice, the basic types of privacy policies are as follows: (1) When starting to use the product or service for the first time, the privacy policy page will show up dynamically and provide the option of "agree" or "disagree". The user can log in and continue to use the product or service only when he/she selects "agree" and provides basic personal information to register as a "user" of this product or service. (2) The privacy policy page shows up on the home page; different from the former, the user's consent is not necessary. Therefore, he or she can still use the browsing service as a "visitor". The core business function of this service can be used only when the user agrees to the privacy policy so as to register as a "user" and log in to the system. (3) The privacy policy does not show up, and the network service provider believes "use" means consent by default. Users are required to actively query the privacy policy on the "settings" function page. In fact, the basic idea of process design for these three types of privacy policies is the same: there is a consideration relationship between the user's consent or authorization and the provider's service provision. The user's consent to the privacy policy is a necessary condition for getting enterprise services. So, the instrumental characteristics of the privacy policy are remarkable. Further, the above four viewpoints are related and clearly distinct.

First of all, at the social level, the corporate self-discipline theory and the social commitment theory can be classified as a "public privacy policy" for unspecified subjects, which is a unilateral fulfillment of the legal obligation of the enterprise to "publish the rules for processing personal information". Whether users agree with the privacy policy or not, the policy is subject to administrative review by the public authority of the regulatory agencies. The social commitment theory inherently requires enterprises to abide by the public's privacy policy. For the corporate self-discipline rules, even if they are not made public, they should be a programmatic flexible law of corporate behavior. Therefore, the efficiency of the application of corporate self-discipline rules takes precedence over public social commitments. Secondly, at the individual level, contract theory and credit theory can be jointly classified as "offer-type privacy policies" for specific subjects. The privacy policy is a consensual agreement, and personal consent is the basis for establishing the contractual or fiduciary duty of the enterprise. Compared with the special trust relationship required by a trust, the contractual legal relationship is superior. Finally, in a specific situation between an enterprise and a specific user, with the consent of the user, the privacy policy is a civil contract between the two parties. Without the consent of the user, the privacy policy is just a unilateral self-regulatory rule for the enterprise. The former is mainly subject to private law, while the latter is supervised by public law. The above assertion is confirmed in the Personal Information Security Specification③, and it fits the philosophy of judicial practice④.

Different legal nature maps different regulatory functions. After sorting out the inherent system of the legal nature of the privacy policy through the dynamic integration perspective of the scene, the effectiveness of the privacy policy tools connected with user authorization, public awareness, and regulatory review is clear. For users, businesses, and regulators, the utility of privacy policies is different. One is the notification function. By formulating privacy policies, enterprises inform users of personal information processing rules and users' information control rights. The second is the restriction function. Enterprises have the obligation to ensure the security of personal information. The privacy policy has a regulatory effect on the improper collection, use, or abuse of personal information and other behaviors that harm the rights and interests of users. The third is the supervision function. The privacy policy is a self-discipline measure for enterprises to protect personal information, and it has gradually become one of the important qualifications for enterprises to have network services. The privacy policy is subject to supervision and review by society, industry organizations, and administrative departments.

2 Practical Dilemmas and Causes of Privacy Policy

2.1 Practical Dilemmas of Privacy Policy

As an enterprise declaration of personal information protection, privacy policy is attracting much attention as the social collective consciousness of rights protection begins to awaken. Privacy policy is integrated into products and scenes more and more tightly, showing a trend of industrialization, customization, and personalization. However, it is also gradually revealed that privacy policies have alienated the rules and created a crisis of trust in the implementation of the informed consent system.

Firstly, in form, the enterprise's declaration of privacy policy has become a way to get rid of its responsibilities. Specifically, (1) it increases the difficulty of a text search because privacy policies appear in a variety of ways, such as legal statements, service agreements, user instructions, and other generalized expressions[8]. (2) A privacy policy is never formed through negotiation. To improve efficiency and reduce transaction costs, privacy policies always adopt the method of "agree or leave" or "click means agree"[9], and the validity of this method is doubted. (3) Owing to improper settings, such as those that are deliberately hidden or that are shown in the order of "download and install" before understanding the privacy policy, it is not an ideal scene that can achieve the target of "agreeing after knowing". Therefore, users have been deprived of their right to prior knowledge and consent. (4) The privacy policy is 1ly compliant. To meet the legal disclosure requirements and meanwhile prevent users from exercising their right to choose, the privacy policy context is either so long and complicated as to be unreadable, or so extremely simple and vague that it cannot achieve the actual effect of notification, with the result that information processing is always in a "black box" state[10].

Secondly, in content, the privacy policy has become an incubator of power. Typical situations are: (1) For the personal information collection, some information is unnecessary and not directly related to the service requirements, and the scope is ambiguous. (2) Under the pretext of not being able to determine how long that service will take, the enterprise makes the information retention period uncertain. (3) The information is used on the grounds of "improving products or services" or "personalized recommendations" in a broad manner that exceeds the authorized scope. (4) The rights and obligations for information sharing, transfer, and disclosure are imbalanced. The enterprise emphasizes the right to share information with its affiliates, the right to transfer information during mergers, divisions, and liquidations, and the right to disclose when safeguarding public interests or other people's legitimate interests. However, the corresponding obligations and responsibilities are unclear. (5) It is difficult to verify the privacy protection for minors. There is a lack of supervision when the guardian gives consent for the minor⑤. (6) Opt-out mechanisms such as the one-click shutdown of personalized recommendation services and withdrawal of consent are missing.

2.2 The Causes of the Practice Dilemma in Privacy Policy

Since the beginning of the implementation of the personal information protection law, "informed consent" has become the most important mechanism that is commonly used[11]. Meanwhile, the privacy policy was created to fulfill the requirement of informed consent, which manifests instrumental rationality. The internal logic of the informed consent mechanism is: noticing - being informed - choosing - consenting or rejecting. By disclosing its privacy policies, the enterprise clearly states its personal information processing rules and issues an offer. On the premise of being informed, the user rationally chooses to agree or refuse to express commitment. After obtaining user consent, the contract is formed, and the rights and obligations of both parties are established. Otherwise, the enterprise abides by self-discipline rules and fulfills social commitments. Among them, notification is the embodiment of the principles of openness and transparency. Adequate information disclosure aims to overcome market failures caused by information asymmetry. Consent is an expression of the principle of autonomy. Users express intentions explicitly or implicitly to achieve personal autonomy.

In this way, the privacy policy is not only the formal means of notification but also the substantive carrier of the notification content. It is a transparent personal information processing rule formulated by the enterprise based on the performance of legal obligations and in combination with specific business application scenarios. It is necessary to make a clear distinction that notification does not equate to being informed, and being informed does not necessarily imply consent. For information subjects to exercise control over personal information, being informed is a prerequisite, reflecting the interests of human dignity. Consent is a choice that embodies the interests of personal freedom. First, the status of being informed should be ensured by effective noticing, and the core is sufficient information disclosure. This requires that the privacy policy truthfully, accurately, and completely inform individuals of the processing of their matters in a prominent manner and in clear and understandable words. Then, effective consent is obtained under the guarantee of being fully informed. The key to effective consent depends on full freedom of choice. The user must be fully informed and should make a specific manifestation of intention voluntarily and clearly. In this logical chain, the crucial point is the right to be informed (the right to know). The privacy policy has been alienated into a "haven" for corporate compliance because the design of the policy focuses on the obligation to inform, which cannot ensure the implementation of the right to know.

In civil juristic acts, an enterprise's notifying behavior can be considered a manifestation of intention, and privacy policy is precisely the content of that manifestation of intention. The user being informed is just the right result of that manifestation of intention. "To make sure that the manifestation of intention is true", it requires that the external manifestation of intention (being behaved as specific terms of the privacy policy) made by the company should be consistent with its inner real intention (being regarded as the actual processing behavior to user information). The user has understood the content of the enterprise's intention, which could be considered that the user is exactly truly informed, and this needs to be achieved by interpreting the manifestation of intention[12]. In practice, when privacy policies emphasize that the notification behavior has happened, which becomes the compliance goal, the function of the personal information protection system is alienated. First, the formal notification is divorced from the original legislative intention. When the privacy policy reaches the user by way of mandatory acceptance, the formal performance of the obligation of disclosure emphasizes the occurrence of the expression of intention and ignores the effect that the expression of intention should achieve. The notification in form gives the company the privilege which can be regarded as the evasion of regulation[13]. Second, this formal notification does not necessarily point to the user being informed. The realization of the right to know and the right to consent is based on the premise that enterprises can effectively fulfill obligations, improve the transparency of processing activities, and provide sufficient paths for users to exercise their rights[14].
Therefore, if the privacy policy design is just focused on "notice" and "consent", which are both ends of the logical chain, then the link is prone to being disconnected: the enterprise has fulfilled the obligation to inform, but the user's rights to know his/her interests have not been properly protected. This requires returning to the user's perspective to explain the effect of the meaning expression, and focusing on the protection of the user's trust interests. It is clear that even if the enterprise fulfills the obligation of informing, it does not mean that the responsibility is completely exempted. In this situation, the enterprise's decision to take responsibility should be judged by whether the right to know is reasonably realized[15]. In addition, the alternative described in the privacy policy, "one-click consent or force quit directly", cannot satisfy the right to free choice. The possibility of individuals participating in privacy preference setting is overridden by standard clauses, and information self-determination cannot be protected. It is precisely because, in the design of the privacy policy, the right to know failed to be realized and the right to choose is limited, that the privacy policy has fallen into a deadlock. Privacy policies are more about formal compliance with the law than about the staunchness of ensuring effective user-informed consent. In fact, the privacy policy for building trustworthy scenes should always focus on the needs and interests of users. Any static, negative compliance is actually antagonistic trust consumption. The key to breaking through the current predicament of privacy policy lies in the transformation and upgrading of the positioning of its function, which is to say that we should focus on user-centric design and practice privacy policy actively, which aims to achieve users' rights fully.

3 A Solution to the Dilemma of Privacy Policy Practice: Introducing "Privacy by Design"

3.1 The Basic Principles and Value Connotation of "Privacy by Design"

The theory of "Privacy by Design" was first proposed by Ann Cavoukian in the 1990s. The essence of this theory is the combination of value-oriented design theory and code law theory, and it emphasizes realizing the value embodied in the principles and rules of personal information protection legal norms through the physical designing, technical setting, and code architecture application of devices, systems, technologies, or services[16]. Each principle of Privacy by Design proposes different content requirements for information protection. Specifically, (1) be proactive rather than reactive; be preventative rather than remedial. It emphasizes how to prevent and avoid violations from the outset, which means that the prevention is before the actual occurrence of the damage. (2) Privacy as the default setting. It means ensuring that users' information is protected by default in information systems or business practices. Even though the user does not take any action, his personal information will not be violated. (3) Privacy is embedded into the design. This requires embedding the requirements of personal information protection into the design of information systems and business practices to make it a basic element of their core functions and an indispensable part of the system, meanwhile, without impairing the realization of other functions. (4) Complete Functionality: Positive-Sum rather than Zero-Sum. It means protecting information in a positive-sum manner to achieve a win-win situation. Reject the value confrontation between personal information protection and function, efficiency, security, and commercial interests. (5) End-to-End security: full lifecycle protection. This means that the requirement for personal information protection is embedded in the initial design before the information is collected for the first time, and also that this protection runs through the entire information processing. Then it could realize security management for the entire lifecycle.
(6) Visibility and Transparency: Keep It Open. Business practices or information systems should operate in accordance with published commitments and purposes, and they should be subject to independent verification. The specific content and implementation of the personal information protection design should remain publicly visible. (7) Respect for user privacy: keep it user-centric. The design of personal information protection should unfold around the users' needs and interests. When protection measures are embedded in information systems and business practices, provide functions such as default protection settings, appropriate explicit prompts, and user-friendly options to ensure that all systems place the user at the center and make the user's interests come first⑥.

3.2 The Necessity and Feasibility of Introducing "Privacy by Design"

"Privacy by Design (PbD)" protects personal information throughout its lifecycle in a proactive and preventive manner through the combination of law and technology. Some scholars believe that the concept of information self-determination is collapsing because of the expanding scale of big data analytics. The efficacy of the user-led single privacy control model is failing[17]. In the field of personal information protection, the privacy design concept is gradually being accepted by more and more people[18]. Fair information practice principles establish the basic legal framework for personal information protection. "Privacy by Design" is actually supported by privacy enhancement[19], so as to ensure the implementation of fair information practice principles through comprehensive and flexible approaches⑦. It looks like the distinction between fair information practices principles and privacy by design can be understood as the distinction between the "basic version" and the "upgraded version" of personal information protection. Next, comparing its contents with the basic principles involved in the Personal Information Protection Law of the People's Republic of China (see Table 1), we can see that "Privacy Embedded into Design" and "End-to-End Security: Full Lifecycle" are still absent in China's laws and regulations, and the value concept of "Respect for User Privacy" is not outstanding enough. This leads to the conclusion that privacy policies lack the proper value standard when practicing personal information protection and fall into the dilemma of decoupling from user protection.

Privacy by design is essentially an expansion and enhancement of the traditional basic principles of personal information protection. Because it can be fully applied to information systems, physical design, and business practices in various information technology environments, including cloud computing, the internet of things, smart terminals, mobile Internet, and big data, and effectively respond to personal information protection in diverse scenes, it is considered a key initiative for a new generation of personal information protection. Pioneer institutions represented by Europe and the United States Legislatures are exploring it in legislation practices⑧. In the United States, the Consumer Privacy Bill of Rights (Draft) explicitly introduces the principle of "Privacy by Design", which means privacy and data protection should be considered during system design and practice. In the European Union, the General Data Protection Regulation confirmed the theory of privacy by design in legislation. Subsequently, the European Data Protection Supervisor issued the Preliminary Opinion on Privacy Protection by Design, which provides recommendations for institutions of the European Union to implement the protection of privacy by design. The European Data Protection Board issued Guidelines 4/2019 on Article 25: Data Protection by Design and by Default, explaining the connotations of "data protection by design" and "data protection by default".
Specifically, "Data Protection by Design" requires that data controllers have an obligation to implement appropriate technical and organizational measures and necessary safeguards in the processing; it is designed to implement the data protection principles in an effective manner and protect data subjects' rights and freedoms; the elements to take into account include the state of the art, the cost of implementation, the nature, scope, context, and purpose of the processing, and risks of varying likelihood and severity for the rights and freedoms of natural persons affected by the processing; the time aspect is that it starts from the decision and extends to the whole process of collecting data. "Data protection by default" requires: By default, only personal data which are necessary for each specific purpose of the processing are processed; Dimensions of the data minimization obligation cover the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. Among the above, there are nine key design and default elements that can reflect the principle of "Transparency" including clarity, semantics, accessibility, context, relevance, universal design, comprehensibility, multi-channeling, and layering. In addition, international standards synchronously implement the idea of privacy by design into practice⑨. All these are also reflected to varying degrees in China's normative documents in the category of information technology, but due to their scattered content and limited effectiveness, they have not been widely applied. It is a pity that the Personal Information Protection Law of the People's Republic of China has not incorporated privacy by design into its legal system, but this happens to be a free space for enterprises to practice.

As a powerful means of privacy and data protection, the overall development of PbD is at the initial stage, but the enterprise practice shows a significant polarization trend. Some Internet giants are far ahead in privacy technology and design concepts. For example, Apple Inc has publicly stated that it uses privacy protection technology measures to prevent users from unknowingly disclosing personal information when using Safari, maps, photos, messages, health, and other functions. Google has proposed to open source its differential privacy library to conduct data analysis while protecting user data. WeChat, developed by Tencent, reflects user-centered independent control of personal information through permission management in "privacy settings" and implements openness and transparency in the form of personal information and permissions, personal information collection lists, and third-party information sharing lists. Based on recognized privacy protection principles and the requirements of laws and regulations in many countries, Huawei Cloud considers privacy design rules at all stages of personal information processing and provides full lifecycle protection. First of all, in the stage of personal information collection, ensure the minimization of information collection, actively notify the information subject, and let the information subject choose and agree independently.
Secondly, interms of the safe use and storage of personal information, strict control of personal information is achieved through ac?cess control and authority management; the use of encryption technology to ensure the confidentiality of personal infor?mation transmission and storage, retaining personal information within the period required to achieve the purpose, pro?viding personal information externally through legal and compliance means; cross-border transfer of personal informa?tion after signing an agreement or obtaining the explicit consent of the information subject; and conducting regular logretrospective audits to check the rationality and necessity of processing. Finally, response to the subject's rightsclaims, timely disclosure, and response to personal information leaks and security incidents are necessary in order toprotect the rights of information subjects to the greatest extent. In short, the PbD concept has been integrated into theproduct design process to varying degrees in leading enterprises. They have systematically planned security measuresfor their major business functions, such as browsers, account management, cloud services, software stores, device sys?tem security, and sensitive information protection. Based on realistic needs, as a realistic and visual \"dialogue\" mecha?nism, the privacy policy is a bridge to realize the cross-border between legal value and technology architecture, andnaturally becomes the best business scene for producing and developing privacy by design.

4 Implications of "Privacy by Design" for the Privacy Policy Design

Designing is powerful because it determines user behavior through coding. In cyberspace, the enterprise as the privacy designer is not only the subject who has powers, but also the obligation subject to protect personal information. Law is the cordon on the exercise of power. "Privacy by Design" and "Privacy Policy Design" can be compared to the relationship between "thought" and "expression" of personal information protection. The privacy policy is the implementation and presentation of the privacy policy design. The privacy policy design should be refined from the perspective of multiple parties.

4.1 Enterprise Perspective: Standardizing the Implementation Process of Privacy Policy Design

Usually, the implementation of privacy by design is highly related to the business model of the enterprise, and it is difficult to achieve a unified standard process. However, seen from the compliance perspective, privacy design basically follows six steps: defining legal requirements, analyzing system functions, determining data, analyzing privacy risks, analyzing multilateral requirements, and implementing and testing solutions [20]. Eight strategies can be adopted in the practice of privacy design, which can be divided into two categories. One is data-oriented, including minimization, hiding, separation, and aggregation. The other is process-oriented, including notification, control, enforcement, and presentation. Firstly, in order to ensure that the system complies with the legal norms of personal information protection, privacy designing should start with sorting out the relevant laws and regulations [21] and summarizing the requirements of compliance. Secondly, define the system function accurately, and then determine the minimum data category that satisfies the system function under the principle of limitation according to the functional purpose. Thirdly, analyze privacy risks and design information security measures synchronously, analyze multilateral needs, and ensure the coexistence of multiple value objectives. Finally, implement the design plan, embed the requirements of personal information protection into the designing and developing of the system, and continuously check and debug to ensure that the system implements personal information protection by default on the premise of complete functions. The eight design strategies keep running through the entire process of information processing, with different emphases at different stages, but the implementation and presentation of the privacy policy are consistent⑩. For defining legal requirements, the enterprise needs to formulate a compliance framework based on the legislative norms of the state where the establishment is located and the business operates. The main contents include the legal basis of personal information processing, the storage and deletion, sharing, and transfer of personal information, the scope and guarantee of the rights of the information subject, the technical and organizational measures for personal information protection, and the emergency response to information security incidents. It should be noted that the national standard for Information Security Technology Internet platform and Product Service Privacy Agreement Requirements have begun to be compiled, and they will provide information on the preparation procedure, specific content, and release form of the privacy agreement, which intends to increase the readability and transparency of the privacy policy.

4.2 The User's Perspective: Optimizing the Manifestation of Intention for Privacy Policy

It is known from the aforementioned dilemma that the functional crisis of privacy policy is due to the lack of a full right to know and the limitation of free choice. So, the solution is to seek a plan to ensure true informed consent, including how to standardize the performance of notifications and make sure that the users can fully understand the meaning of notifications and make decisions independently. On the one hand, the notification should refine the privacy policy granularity to increase user readability. First, innovate in the way users are informed and enhance the prominence and generality of the privacy policy. "Accurate and complete" requires the notification text to be sufficiently detailed, "clear and easy to understand" requires the notification content to be concise, and the balance of the two points means that we need a jump link between the "full version" and the "simplified version". Highlight the interpretation of core concepts, descriptions of key clauses, and examples of key regulations. In addition to using special fonts, font sizes, and colors to display key clauses, comprehensively use vivid expressions such as "video, text, and graphics". In detail, safety warning signs can improve the user's "instinctive attention", safety notice videos can display the notification content intuitively, and the dynamic "pop-up" design can realize instant notification while collecting sensitive information. Secondly, classify the content of the notification. In the Personal Information Protection Law, general personal information and sensitive personal information are distinguished, and different processing rules are applied separately. Correspondingly, the notifications from enterprises should also distinguish between general information utilization and sensitive information protection.

On the other hand, optimize the process of consent. Firstly, it should provide a way to personalize autonomous control, to allow users to adjust privacy preference settings, such as system access rights, personal information use, shared lists, user profile data tags, cookie tracking, personalized recommendations, etc. Secondly, it should allow a "one-stop" withdrawal of consent authorization. Finally, by distinguishing the basic business functions from the expanded business functions, user layered consent is guaranteed. In this regard, the enterprise should set up convenient interactive pages to provide functions or options so as to respect users' independent choices. The functional design should match the four requirements of consent: (1) fully informed: clearly inform the user about the rights and channels that can be exercised in the form of a pop-up window. Users can learn more about each feature and other terms by clicking the "Learn more" jump link. (2) voluntarily: the user can freely choose to turn on/off. When a feature is turned off, it does not affect another feature's performance. (3) specific: each switch option corresponds to a single function, and the necessary information is attached to the function. (4) explicitly: the user actively clicks the consent method to indicate that he agrees to enable specific functions.
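The consent design described above can be expressed as a small per-function consent ledger. The following Python sketch is an added illustration, not code from the paper or from any enterprise it mentions; the class names, feature names, notice texts and data categories are hypothetical, and treating the core service as available once all basic functions are consented to is an assumption about how layered consent is wired.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Feature:
    name: str
    basic: bool        # basic business function (True) or expanded one (False)
    notice: str        # pop-up text shown before the switch is offered
    data: frozenset    # personal-data categories the function needs


@dataclass
class ConsentLedger:
    features: dict                               # name -> Feature
    informed: set = field(default_factory=set)   # notices actually shown
    granted: set = field(default_factory=set)    # switches currently on

    def show_notice(self, name):
        """Fully informed: the notice is displayed before consent is asked."""
        notice = self.features[name].notice      # unknown switch -> KeyError
        self.informed.add(name)
        return notice

    def grant(self, name, user_clicked):
        """Specific and explicit: one function per call, only on a user click."""
        feature = self.features[name]            # unknown switch -> KeyError
        if name not in self.informed:
            raise PermissionError(f"{name}: notice not shown yet")
        if not user_clicked:
            raise PermissionError(f"{name}: consent needs an active click")
        self.granted.add(feature.name)

    def withdraw(self, name):
        """Voluntary: switching one function off leaves the others untouched."""
        self.granted.discard(name)

    def withdraw_all(self):
        """One-stop withdrawal of every consent in a single action."""
        self.granted.clear()

    def basic_service_available(self):
        """Layered consent: only basic functions gate the core service."""
        return all(f.name in self.granted
                   for f in self.features.values() if f.basic)

    def collectable_data(self):
        """Default is empty: a category is collectable only via a granted switch."""
        return set().union(*(self.features[n].data for n in self.granted))


# Constructed sample catalogue; feature names and data categories are hypothetical.
CATALOGUE = {f.name: f for f in (
    Feature("messaging", True, "We store your account ID to deliver messages.",
            frozenset({"account_id"})),
    Feature("nearby", False, "We read your location to show people nearby.",
            frozenset({"location"})),
    Feature("recommend", False, "We use browsing history for suggestions.",
            frozenset({"browsing_history"})),
)}
```

Because `collectable_data()` is derived only from the switches that are on, the ledger also gives a direct check that nothing is collected by default and that a withdrawal immediately shrinks the permitted data set.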

4.3 The Third-Party Supervision Perspective: Implementing Compliance with the Privacy Policy

Based on the social attributes of privacy policies, and to change the bilateral relationship between enterprises and users, an independent third party should be introduced to evaluate and certify the privacy policy. With the privacy impact assessment, companies can identify potential systemic risks in advance and design better privacy policies. Privacy certification requires that companies licensed with a privacy certification strictly abide by personal information collection and use rules, and obey various supervision and management [22]. These self-regulatory mechanisms help users monitor privacy policies in time to ensure that companies operate in compliance with privacy policy requirements. In addition, considering the particularity of industry operations, the industry associations can lead the development of standard templates for privacy policies under the guidance of management authorities. In addition to the standard template, if an enterprise sets additional user obligations or expands the scope of authorization outside the standard template, it should obtain the user's separate consent. In practice, the unilateral nature of the privacy policy makes it more familiar with formal terms. This makes it difficult to gain general recognition or form a joint force for personal information protection. So, public participation and public comments are emphasized in policy formulation. In this way, it not only reduces the cost of formulating privacy policies for enterprises but also makes each privacy policy easier to pass evaluation and certification.

5 Conclusion

In a social environment where personal information protection has become a traffic topic and the level of protection has built trade barriers, privacy policy, as a guideline for enterprises to practice personal information protection, is facing increasingly strict supervision. The practice of privacy policies is in jeopardy due to an incorrect value choice: formalistic compliance. In fact, law-abiding is the bottom line of requirements for behavior; it is difficult for the law to predict the diversity of social needs and synchronize with technological changes, but the public's rational cognition will reveal the problem and cause public controversy. This requires enterprises to be conscious and innovative enough to take the initiative to implement the protection. The "Privacy by Design Policy" advocates going beyond the privacy policy's text, truly paying attention to the trust expectations of users, embedding the default protection mechanism into the design, and making the concept of risk prevention go throughout the whole process. By combining technology and law, all parties can participate in personal information protection openly, transparently, freely, and independently, forming an ecosystem of a virtuous circle of personal information protection and utilization.

References:

[1] WANG Y G. Legal regulation of internet privacy policy and protection of personal information: the American practice and its implication[J]. Global Law Review, 2020, 42(2): 149-161.

[2] TARR M. Accountability is the best (privacy) policy: improving remedies for data breach victims through recognition of privacy policies as enforceable agreements[J]. Georgetown Law Technology Review, 2018, 3(1): 162-202.

[3] REIDENBERG J R, RUSSELL N, CALLEN A J, QASIR S, NORTON T B. Privacy harms and the effectiveness of the notice and choice framework[J]. Journal of Law and Policy for the Information Society, 2015, 11(2): 485-524.

[4] LI Y S. The compliance review and improvement of China's mobile app privacy policy: a text review on 49 cases of privacy policy[J]. Studies in Law and Business, 2019, 36(5): 26-39.

[5] LIU B L, WAN L L, LI Y H. Review of privacy protection research based on privacy policy in the network environment[J]. Information Studies: Theory and Application, 2016, 39(9): 134-139.

[6] RICHARDS N, HARTZOG W. Taking trust seriously in privacy law[J]. Stanford Technology Law Review, 2016, 19(3): 431-472.

[7] RICHARDS N, HARTZOG W. Trusting big data research[J]. DePaul Law Review, 2017, 66(2): 579-590.

[8] SHEN Q. Research on China's website privacy protection policy: based on content analysis of 49 websites[J]. Journalism Bimonthly, 2015(4): 43-50.

[9] LI X. The way forward for the protection of personal information in privacy agreements in the era of big data: taking internet stratification as a perspective[J]. Journal of Soochow University (Philosophy and Social Science Edition), 2020, 41(3): 77-87.

[10] FENG Y. Protection of personal information by websites from the perspective of privacy disclosure policy-based on the top 500 Chinese website by visitors[J]. Contemporary Law Review, 2019, 33(6): 64-74.

[11] SOLOVE D J. Introduction: privacy self-management and the consent dilemma[J]. Harvard Law Review, 2013, 126(7): 1880-1903.

[12] FAN H C, GU L P. Searching for a balanced approach: practical dilemmas and revisions of the principle of informed consent in privacy protection[J]. Journalism and Communication, 2021, 28(2): 70-85.

[13] ZHANG X B. Collection of personal information: restricting the application of the principle of informed consent[J]. Journal of Comparative Law, 2019(6): 1-20.

[14] NING Y. Insisting on and revision of the informed consent rule in personal information protection[J]. Journal of Jiangxi University of Finance and Economics, 2020(2): 13.

[15] WAN F. The legal application of the operator's duty of disclosure in China's consumer rights protection law[J]. Political Science and Law, 2017(5): 151-160.

[16] KLITOU D. Privacy by design and privacy-invading technologies: safeguarding privacy, liberty and security in the 21st century[J]. Legisprudence, 2011, 5(3): 297-330.

[17] AUSTIN L M. Reviewing pipeda: control, privacy and the limits of fair information practices[J]. Canadian Business Law Journal, 2006, 44(1): 21-53.

[18] RUBINSTEIN I S. Regulating privacy by design[J]. Berkeley Technology Law Journal, 2011, 26(3): 1409-1456.

[19] HUA J. Privacy by design: from legal practice, technical support and commercial application[J]. Journal of Intelligence, 2019, 38(02): 116-122.

[20] ZHENG Z F. Personal information protection by design[J]. ECUPL Journal, 2018, 21(06): 51-66.

[21] SCHARTUM D. Making privacy by design operative[J]. International Journal of Law and Information Technology, 2016, 24(2): 151-175.

[22] ZHANG J H. Research on designed personal information protection mechanism[J]. Science of Law (Journal of Northwest University of Political Science and Law), 2022, 40(3): 31-43.
