All of us have been frustrated at least once by the fact that every website we visit requires us to click through a consent or cookie dialog or pop-up. Cookies are a technology that has been used for decades to let websites offer a more personalized user experience (UX), to authenticate users and also to analyze users’ behavior through tracking.
Due to the tracking nature of this technology, the GDPR requires every website to provide specific cookie policies. These cookie policies inform users about what information the cookies collect and how it is used. The result is the annoying pop-up dialogs or overlays on which a user has to take an action (agree, disagree or view more options).
Apart from the cookies, there are some other GDPR requirements that a website has to follow, especially if it stores or uses personal information.
It is evident, thus, that UX design is greatly affected by the requirements of the GDPR. Since the UX plays an important role in user engagement, it is crucial to build websites that provide a good customer journey while respecting the requirements of the GDPR at the same time.
The main aspects of the UX that the GDPR affects are user consent and the user’s rights to manage and delete their data.
Consent
According to the GDPR, consent is:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Taking into account the Information Commissioner’s Office (ICO) guidance document on consent [1], we should try to follow these pieces of advice [2]:
- Start by going through your existing user journey and checking your current consent practices. Do you provide enough context and detail as to who processes user data and how?
- Make sure you do not have any pre-checked consent boxes or other forms of default agreement. This applies to absolutely everything, including email newsletters.
- Users should have the option to easily withdraw consent at any time and you should clearly tell them how to do it.
- Specific consent requests, like marketing communication, should be separate from general terms and conditions.
- Keep your consent requests granular and be very specific about what you ask permission for. Ask for separate consent for different things.
- Disclose the names of controllers who process the data.
User Right to Manage and Delete Data
As required by the GDPR, users should have more control over their data and their accounts. They have to be able to change their preferences and, ultimately, delete their accounts altogether. There are some legal cases in which this does not apply, but generally every user shall have the right to request data erasure and to receive an official response from the company within a month.
The UX challenge is to present this feature in a way that is simple and genuinely helps users manage their data, while still meeting the business goal of retaining customers.
GDPR Compliance and UX
Furthermore, when designing a “GDPR-compliant” UX, we should also avoid the following [3]:
Making it confusing and complicated to withdraw consent
If it is made simple and easy to give consent, it must be just as simple and easy to withdraw it. Hiding the withdrawal option away will not be allowed.
Requesting data not directly required for the business
A recipe app does not have any compelling reason to request access to the microphone, for instance.
Being vague about who is collecting the data
Pseudonyms and shell companies will be highly questionable. The user must be able to tell which company their consent is being given to.
Bundling consent requests with other requests
Users often have to accept terms and conditions or cookie policies, and some websites have tried to sneak in data consent without making it clear.
Having consent as the default option
Signalling consent should require a clear, knowing action, so there must be no more leaving a box ticked initially and hoping that users do not question it before they proceed.
Using other ‘black hat’ UX tricks
There should be no disconnect between what the user thinks their actions mean and what the UX interprets them to mean.
Written by: Evangelos Kotsifakos
[1] https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
[2] https://designmodo.com/ux-gdpr/
[3] https://www.paulolyslager.com/impact-gdpr-on-ux/