User Experience for GDPR Compliant Website Consent

On May 25, 2018, the world marked another historical internet milestone as the European Union (EU) launched a sweeping set of data privacy laws known as the General Data Protection Regulation (GDPR). GDPR gives consumers protections and rights for how their personal data is collected and used, and it comes with serious penalties for businesses that violate those rights. GDPR is not just limited to businesses operating within the EU. Any company that reaches customers in the EU is subject to these laws — which means almost all e-commerce businesses and services will need to be GDPR compliant now that the laws are in effect. In this post we will cover providing informed website consent, which is one of the most visible user experience aspects of GDPR.

A 30,000 Foot View of GDPR

At a very high level, GDPR governs how businesses handle personally identifiable information (PII). This is a very important GDPR distinction and there still is some uncertainty about what actually constitutes PII. Regardless of how PII is defined, consumers have specific rights for the data that is collected about them. Below are a few (but certainly not all) of the consumer rights afforded by GDPR:

  • The Right to Breach Notification
    Under the GDPR, a data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported to customers “without undue delay” within 72 hours of first having become aware of the breach.
  • Right to Access
    GDPR gives consumers “confirmation as to whether or not personal data concerning them is being processed” as well as “where and for what purpose” consumers’ personal data is being used. “Data controllers” are required to provide a copy of any personal data being collected, free of charge, in an electronic format upon request.
  • Right to be Forgotten
    Also called Data Erasure, consumers (also called “data subjects”) can request that data controllers erase their personal data and cease any further processing of their data.

PRO TIP: The EU created an information portal that lays out the specific GDPR regulations. For a full explanation of all the rights afforded by GDPR, please see The EU’s GDPR Information Portal.

Website Visitors’ Right to Consent

One of the primary (and perhaps the most visible) aspects of GDPR is the right to opt-in consent for website data collection. The right to consent has some very important components that User Experience Managers and Web Designers need to be aware of:

  • Data collection consent must be “clear and distinguishable from other web features and components”.
  • Consent must be provided to site visitors in an intelligible and easily accessible form, using clear and plain language.
  • Consent must include opt-out selections that are “as easy to withdraw consent as they are to give”.

Website Consent User Experience

GDPR website consent compliance begins with the all-important cookie notification (commonly called a cookie banner). It is important to note that under GDPR, “cookies” is a broad term that covers any tracking pixel that is used on your site. Since GDPR requires that cookie banners be “clear and distinguishable from other web features and components”, most User Experience Managers and Web Designers choose to display their banner through a modal window at the top or the bottom of a site’s landing page. When deploying a cookie banner, be very mindful and deliberate with the delicate balance between being informative and raising undue suspicion. Below are some tips to keep in mind when designing your cookie banner:

  • Make your banner fit naturally into your page.
    Banners should feel like they are informative rather than a warning. Choose background colors and font faces that align with your current web pages. The key here is to provide consumers with the information they need without alarming them.
  • Remember that less is more with your cookie banner.
    GDPR regulations call for simple and direct statements, so try to limit your cookie banner statements to one or two simple sentences. Try using passive statements like “This website uses cookies to help your user experience” rather than directives like “Please allow us to store your data”. Use direct and concise calls to action like “I agree” or “Accept” or even “OK”.
  • Align your consent with your company’s policies.
    GDPR provides some guidelines around establishing cookie consent, but what constitutes acceptance (scrolling, changing pages, clicking a CTA, etc.) is another area that is being widely interpreted and debated. Be sure you are aligning your cookie banner acceptance with your company’s legal counsel.

Cookie Banner Consent Models

To effectively create a cookie banner, it is helpful to understand the five consent models by which cookie banners can be made:

  1. Information Only
    Summary: By visiting the site, you accept our use of cookies.
    This model tells the user that cookies are in use, and their choices are to accept the fact or navigate away.
  2. Implied Consent
    Summary: We are using and have set cookies, but you can switch them off.
    The key differentiator to the Information Only model is that the site provides the ability to directly opt-out or refuse cookies, even though they are set by default on first arrival.
  3. Soft Opt-In
    Summary: We will use cookies if you continue to use the site.
    Soft opt-in can look a lot like Information Only; however, the crucial difference is that cookies are blocked on first arrival to the site (the landing page). Any further user interaction, such as clicking on a link to a second page, is then taken as consent, and cookies are then set normally on the second page.
  4. Explicit Consent
    Summary: Please click to accept cookies on this site.
    With this model you have to block cookies until users perform a specific action that signifies their acceptance of cookies. The action should only signify that acceptance. Essentially this means they have to tick a box or click a button or a link that says ‘I accept cookies’ or something very similar.
  5. Mixed Consent
    Summary: We have set cookies already, and would like to set some more.
    As the name suggests, this is really a hybrid approach where different models are applied to different types of cookies according to their purpose. An example would be relying on Implied Consent for web analytics and Soft Opt-in for third party advertising.

PRO TIP: For an in-depth look at cookie banner models and for more information on best practices for each model, The Cookie Collective has published an excellent guide called Five Models for Cookie Law Consent.

A Couple of Cookie Banner Examples

Nottingham Forest Football Club uses a simple and effective Information Only consent model. Tracking begins whether you accept cookies or not; there is a clear explanation-of-cookies page, but there is no built-in way to turn cookies off. Users that do not wish to be tracked further must exit the site.

MailChimp uses a Mixed Consent model that combines Implied Consent and Soft Opt-In. Some trackers are blocked on landing pages, and any of the individual trackers on this site can be turned off and back on again at a visitor’s discretion.

Consent Management Platforms

We mentioned earlier that GDPR requires that withdrawing consent for every tracking mechanism on your site be “as easy to withdraw consent as they are to give”. Therefore, after creating a well-crafted cookie banner, make sure that users have a way to opt out of any tracking they do not wish to participate in. Many sites provide links that instruct users how to disable cookies in their browsers altogether, but the best way to ensure GDPR compliance is to use a service or a website plug-in that will manage the opt-in and opt-out process for visitors. Consent Management Platforms (CMPs) perform tasks such as scanning your site for cookies and creating dynamic opt-in and opt-out toggles for visitors.

PRO TIP: The Interactive Advertising Bureau (IAB) maintains an extensive list of CMPs that they have certified here.

Below are two free IAB certified CMPs. You may want to start with one of these solutions before moving to a paid one:

  • One Trust
    “OneTrust offers a free edition of our privacy management platform to help organizations operationalize their privacy program for GDPR compliance.”
  • EZOIC
    “Ezoic’s Consent Management Platform is a free application inside the Ezoic app store that gives publishers the ability to configure and setup privacy and cookie permissions for visitors to comply with GDPR regulations.”

You can also write your own CMP solution provided it covers all of your tracking pixels and cookies. AppNexus has a CMP GitHub project here.
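As an added illustration of what a self-written CMP has to get right (this is example code, not the post's own code and not the AppNexus project), the following consent gate implements the Explicit Consent model described above, and the Mixed Consent model when more than one category is offered: no registered tracker runs until its category has been explicitly accepted, consent is persisted per category, and withdrawal is a single call. The storage key, the category names, and the in-memory storage stand-in are constructed assumptions; in a browser you would pass window.localStorage.

```javascript
const CONSENT_KEY = "gdpr_consent_v1"; // constructed storage key (assumption)
// Trackers are registered per category and run only once the visitor has
// explicitly accepted that category (Mixed Consent when categories differ).
class ConsentGate {
  constructor(storage, categories) {
    this.storage = storage;       // localStorage-like: getItem/setItem/removeItem
    this.categories = categories; // the purposes the banner lets visitors tick
    this.trackers = []; // { category, load, loaded }
    const raw = storage.getItem(CONSENT_KEY); // null = visitor has not decided yet
    try { this.consent = raw ? JSON.parse(raw) : null; } catch (e) { this.consent = null; }
  }
  // Registering never runs the tracker; it waits until its category is allowed.
  register(category, load) {
    if (!this.categories.includes(category)) throw new Error("unknown category: " + category);
    this.trackers.push({ category, load, loaded: false });
    this.apply();
  }
  isAllowed(category) { return this.consent !== null && this.consent[category] === true; }
  // Explicit opt-in: persist only what was ticked; unticked categories stay false.
  accept(choices) {
    const next = {};
    for (const c of this.categories) next[c] = choices[c] === true;
    this.consent = next;
    this.storage.setItem(CONSENT_KEY, JSON.stringify(next));
    this.apply();
  }
  // Withdrawal is one call; a real page should also expire its cookies and
  // reload, because scripts that have already run cannot be unloaded.
  withdraw() { this.consent = null; this.storage.removeItem(CONSENT_KEY); }
  apply() {
    for (const t of this.trackers) {
      if (!t.loaded && this.isAllowed(t.category)) { t.loaded = true; t.load(); }
    }
  }
}
// Constructed in-memory stand-in for window.localStorage so this runs in Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); }, removeItem: (k) => { m.delete(k); } };
}
// Mixed-model walk-through: analytics ticked, advertising unticked, then withdrawn.
function demo() {
  const store = memoryStorage(), cats = ["analytics", "advertising"], fired = [];
  const gate = new ConsentGate(store, cats);
  for (const c of cats) gate.register(c, () => fired.push(c));
  gate.accept({ analytics: true }); // advertising left unticked, so it never runs
  gate.withdraw();
  return { fired, allowedOnNextVisit: new ConsentGate(store, cats).isAllowed("analytics") };
}
```

Note that a corrupt or missing stored value is treated as "no decision yet", so the banner is shown again rather than tracking by default.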

My Own Legalese

This post is meant to be a design guide and not a legal guide for your GDPR compliance. Make sure to consult with your company’s legal counsel as you develop your cookie banner model, its messaging, and opt-out methods.

About Me

I am a veteran Digital Analytics evangelist and thought leader with over fifteen years of experience in information management and application development. I specialize in providing strategic and technical guidance for complex digital analytics implementations, and I love giving Digital Analytics talks and presentations. My contact info is here.