Privacy is frequently misconstrued as a security concern or post-hoc remediation, leading to the omission of privacy requirements during early development stages and escalating regulatory compliance risks. Method: This paper introduces the first privacy requirement elicitation framework spanning the entire software lifecycle. It uniquely integrates Chain-of-Thought (CoT) prompting with In-Context Learning (ICL) to guide large language models (LLMs)—specifically GPT-4o and Llama 3—to automatically identify privacy-related behaviors from early- and mid-phase artifacts (e.g., requirements documents, design specifications) and generate structured privacy requirements in user-story format. Contribution/Results: Unlike conventional compliance-auditing approaches, our framework embeds privacy engineering proactively. Empirical evaluation shows that mainstream LLMs achieve F1-scores exceeding 0.8 on both privacy behavior identification and user-story generation tasks; fine-tuning further improves performance, demonstrating the method’s effectiveness, robustness, and scalability.

Research shows that analysts and developers consider privacy as a security concept or as an afterthought, which may lead to non-compliance and violation of users' privacy. Most current approaches, however, focus on extracting legal requirements from the regulations and evaluating the compliance of software and processes with them. In this paper, we develop a novel approach based on chain-of-thought prompting (CoT), in-context-learning (ICL), and Large Language Models (LLMs) to extract privacy behaviors from various software documents prior to and during software development, and then generate privacy requirements in the format of user stories. Our results show that most commonly used LLMs, such as GPT-4o and Llama 3, can identify privacy behaviors and generate privacy user stories with F1 scores exceeding 0.8. We also show that the performance of these models could be improved through parameter-tuning. Our findings provide insight into using and optimizing LLMs for generating privacy requirements given software documents created prior to or throughout the software development lifecycle.