Privacy settings that users cannot find or understand are functionally absent. GDPR Art. 7(3) requires withdrawal of consent to be straightforward — a single flat list of 40 settings with technical labels like 'behavioral_targeting_v2' does not meet that standard. Poorly organized settings also increase support burden and erode trust: users who cannot find a control assume the platform is hiding it. GDPR Art. 25 (privacy by design) requires that controls be accessible and meaningful, not merely present.
Severity is low because disorganized settings do not expose data directly, but they systematically prevent users from exercising rights they are legally entitled to exercise, compounding every other privacy-control gap.
Group privacy settings into functional sections — Profile Visibility, Communication, Data & Analytics — and write plain-language descriptions for each toggle. Avoid technical labels in the UI. In src/app/settings/privacy/page.tsx:
<section aria-labelledby="profile-visibility-heading">
  <h2 id="profile-visibility-heading">Profile Visibility</h2>
  <p>Control who can see your profile and posts.</p>
  <SettingToggle
    id="profileVisibility"
    label="Profile visible to"
    options={['Everyone', 'Followers only', 'Only me']}
    description="Who can view your profile page and basic information."
  />
</section>
<section aria-labelledby="data-heading">
  <h2 id="data-heading">Data & Analytics</h2>
  <p>Control how your usage data is collected and used.</p>
  <SettingToggle
    id="analyticsOptIn"
    label="Send anonymous usage analytics"
    description="Helps us improve the platform. No personal data is shared."
  />
</section>
Test the settings page with actual users who are unfamiliar with the platform: if they cannot find a specific control within 30 seconds, the grouping needs revision.
ID: community-privacy-controls.account-control.settings-organization
Severity: low
What to look for: Enumerate every relevant item. Examine the settings/preferences UI. Check whether privacy options are logically grouped (Profile, Content, Communication, Tracking, etc.). Verify each setting has a plain-language description that explains what the setting does and why the user might want it.
Pass criteria: At least 1 of the following conditions is met. Privacy settings are organized into 3+ functional groups. Each setting has a descriptive label and help text. Language is clear and not technical jargon.
Fail criteria: All privacy settings mixed in one long list. Settings have cryptic names or no explanation. Organization is alphabetical rather than functional.
Skip (N/A) when: Never — usable privacy settings are important.
Detail on fail: Example: "Privacy settings grouped by data type (analytics, tracking, ads) but no grouping by user action (profile control, communication)."
Remediation: Organize settings by functional area with clear descriptions:
<section>
  <h3>Profile Visibility</h3>
  <p>Control who can see your profile and content</p>
  <SettingToggle
    id="profileVisibility"
    label="Profile visible to"
    options={['Everyone', 'Friends Only', 'Private']}
    description="Choose who can view your profile and basic information"
  />
  <SettingToggle
    id="postsDefault"
    label="New posts visible to"
    description="Default visibility for posts you create"
  />
</section>
<section>
  <h3>Communication</h3>
  <p>Control how others can contact you</p>
  <SettingToggle
    id="dmOpen"
    label="Allow direct messages from"
    description="Block messages from non-friends if desired"
  />
</section>
<section>
  <h3>Data & Analytics</h3>
  <p>Control data collection and usage</p>
  <SettingToggle
    id="analyticsOptIn"
    label="Send anonymous usage data"
    description="Help us improve by sharing how you use the platform"
  />
</section>
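The remediation above hard-codes the sections in JSX, which makes the pass/fail criteria (3+ functional groups, a plain-language label and description on every setting, no cryptic or alphabetical-only organization) something a reviewer has to eyeball. The following is an added example, not code from the original checklist or from any particular project: it keeps the same sections and setting ids as the remediation in a typed registry that a page component could render from, and adds an audit function that applies the checklist's fail criteria to that registry so the check can run in CI. The `PrivacySetting`/`SettingsSection` types, the `auditSettings` function and its jargon heuristic are assumptions of this example; the flat "legacy" registry is constructed here to show what a failing layout looks like, reusing the `behavioral_targeting_v2` label mentioned at the top of the page.

```typescript
// Added example: a settings registry grouped by functional area, plus an
// audit that reports one finding per fail criterion from the checklist.
// Types, function names and sample data are assumptions for this example.

export interface PrivacySetting {
  id: string;            // stable programmatic id (never shown to users)
  label: string;         // plain-language label shown in the UI
  description: string;   // help text: what it does and why you might want it
  options?: string[];    // omitted for a simple on/off toggle
}

export interface SettingsSection {
  heading: string;       // functional area, e.g. "Profile Visibility"
  intro: string;         // one-line explanation of the section
  settings: PrivacySetting[];
}

// Registry mirroring the remediation's three functional groups.
export const privacySections: SettingsSection[] = [
  {
    heading: "Profile Visibility",
    intro: "Control who can see your profile and content",
    settings: [
      { id: "profileVisibility", label: "Profile visible to",
        options: ["Everyone", "Friends Only", "Private"],
        description: "Choose who can view your profile and basic information" },
      { id: "postsDefault", label: "New posts visible to",
        description: "Default visibility for posts you create" },
    ],
  },
  {
    heading: "Communication",
    intro: "Control how others can contact you",
    settings: [
      { id: "dmOpen", label: "Allow direct messages from",
        description: "Block messages from non-friends if desired" },
    ],
  },
  {
    heading: "Data & Analytics",
    intro: "Control data collection and usage",
    settings: [
      { id: "analyticsOptIn", label: "Send anonymous usage data",
        description: "Help us improve by sharing how you use the platform" },
    ],
  },
];

// Constructed failing layout: one flat, alphabetically ordered list of
// internal identifiers with no help text (the situation the check targets).
export const legacyFlatSettings: SettingsSection[] = [
  {
    heading: "Settings",
    intro: "",
    settings: [
      { id: "analytics_optin", label: "analytics_optin", description: "" },
      { id: "behavioral_targeting_v2", label: "behavioral_targeting_v2", description: "" },
      { id: "profile_public", label: "profile_public", description: "" },
    ],
  },
];

// Heuristic for "technical jargon" in a user-facing label: snake_case,
// version suffixes such as v2, or camelCase identifiers. An assumption of
// this example, not a rule from the checklist.
const TECHNICAL_LABEL = /_|\bv\d+\b|^[a-z]+[A-Z]/;

export interface AuditResult {
  pass: boolean;
  findings: string[];
}

// Applies the checklist's fail criteria; passes only when nothing is flagged.
export function auditSettings(sections: SettingsSection[]): AuditResult {
  const findings: string[] = [];

  // Fail criterion: everything mixed into one long list (pass needs 3+ groups).
  if (sections.length < 3) {
    findings.push(`only ${sections.length} functional group(s); expected 3 or more`);
  }

  const labels: string[] = [];
  for (const section of sections) {
    for (const s of section.settings) {
      labels.push(s.label);
      // Fail criterion: cryptic names or no explanation.
      if (s.label.trim() === "") findings.push(`${s.id}: missing label`);
      if (s.description.trim() === "") findings.push(`${s.id}: missing description`);
      if (TECHNICAL_LABEL.test(s.label)) findings.push(`${s.id}: technical label "${s.label}"`);
    }
  }

  // Fail criterion: organization is alphabetical rather than functional.
  const sorted = [...labels].sort((a, b) => a.localeCompare(b));
  const alphabetical = labels.length > 2 && labels.every((l, i) => l === sorted[i]);
  if (alphabetical) findings.push("settings are ordered alphabetically rather than grouped by function");

  return { pass: findings.length === 0, findings };
}
```

A page component would map `privacySections` to the `<section>`/`<SettingToggle>` markup shown in the remediation, so the UI and the audited data cannot drift apart; `auditSettings(privacySections)` can then run as a unit test, failing the build if someone adds a toggle without help text or collapses the groups back into one list.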