Best UX practices for GDPR compliance

What’s collected

Firstly, companies need to explicitly explain what the data is that they want to collect. Your customers should have a very clear understanding about exactly what it is they’re consenting to. For example, if you need to collect data for a certain feature of your product or service — for example data about a person’s facial characteristics for face recognition technology then you should be clear about this. Inform the user, in short, about how such a feature works — everything they need to know about how and why this data is intended to be captured must be included. If relevant, include links to where the user can dive further into the details.

How it’s processed

You should briefly describe how the data is used and for what purpose. Be transparent.

Active opt-in

Users must actively opt-in to have their data collected, stored and used. No pre-ticked checkboxes allowed! As UX designers, our job is to lead the user in the direction we want, e.g. to create higher conversion rates by using prominent call-to-action buttons, for example. Looking through GDPR glasses, we have to think a bit differently. We want the user to make a properly informed decision when they move forward. It is important to avoid creating bias around the decision by creating more prominent call-to-actions for accepting consent requests. The user’s options must be given equal visual prominence.

On the left, you can see that a user has to actively check the box themselves to opt in. On the right, the company has pre-checked the opt-in box for the user which is not explicit consent/active opt-in.

Clearly separate terms and conditions from consent requests

Agreeing to terms and conditions and giving consents to various activities are not the same thing. These should be clearly separated and easily distinguishable from each other. They must provide individual opt-ins for consent.

To the right you can see that the consent for agreeing to the terms, collection of location data, name and address is grouped. This is not allowed. These must be clearly separated as in the example to the left.

Granular choices

Allow customers to consent separately for different types of data collection and processing. Help the user to have full control of their consents and permissions by creating an easily understood overview of each activity you need and want their consent to carry out.

From a best-practice point of view, it’s no longer good enough for a one-size fits all approach to data collection. If you need a user’s address, consent for this should be captured separately to needing to know a person’s location whilst in app, for example. This is a win-win situation for the user and the company collecting the data. For example, if consent for location or address is captured together and a person opts out of this entirely, the company loses two valuable data sets instead of just one.

Make it easy to withdraw

Users have the right to withdraw their consent at any time. When users consent, they should be informed where and how to withdraw. It is likely they will forget how to do this after the first time they see this so it’s the company’s responsibility to make withdrawal options easily accessible at all times. A good practice could be to provide permission options in context of data about you being used.

An overview section such as the one to the left should be easily accessible at all times in your service. To the right you can see that the user is offered withdrawal option in the context of using a map which has personal information stored about the user.


Your organisation and any third-party relying on the user’s consent must be clearly named.

To the right you can see that the company are grouping the consent for sharing personal information with third parties. The user doesn’t know who they are, which is bad practice and not compliant with the regulation. To the left, the third parties are clearly named. In addition, the user is offered granular choices about whom to share this information with.

Easy language

You should, of course, ensure language around communicating new data policies and consent is as easy to understand as possible. This should be an important consideration when it comes to any user communications, but , it’s especially important for GDPR which involves a heap of choice and it’s actually something users aren’t, for the most part, used to being in control of. Avoid complex phrasing when explaining reasons for consent.. Team up with your copywriter and compliance officer to work out some good pieces of text that also fit in with the UI experience and user flow.

Use examples

Use illustrations or real examples which clearly show how a particular feature that is dependent on consented information would or will work in practice. This helps to manage user expectation and assists them to making informed decisions. For example, if you’re planning on running personalised ads, it could be helpful to the user if they could actually see an example of how what they could expect to see with and without the personalisation.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



We enable better banking with #mobilepayments and #PSD2. Fastest growing EMEA fintech/winner of best mobile payments platform, Europe.