A distributed access control module in wireless sensor networks (WSNs) allows the network to authorize and grant user access privileges for in-network data access. Prior research mainly focuses on designing such access control modules for WSNs, but little attention has been paid to protect user's identity privacy when a user is verified by the network for data accesses. Often, a user does not want the WSN to associate his identity to the data he requests, particularly in a single-owner multi-user WSN. In this paper, we present the design, implementation, and evaluation of a novel approach, Priccess, to ensure privacy-preserving access control. In addition to the theoretical analysis that demonstrates the security properties of Priccess, this paper also reports the experimental results of Priccess in a network of Imote2 motes, which show the efficiency of Priccess in practice.