GDPR & User Experience

The EU data protection regulation transcribed in best practice for UX designers

Illustrated for West by Coraline Colasse

This article is a summary of a white paper ‘Le RGPD et les métiers du numérique’ I wrote for the West Agency, originally written in French.

How should the terms and conditions page be presented? Is it really in the users’ best interest to provide these as a long and often unintelligible text on data use policy? How should the cookie consent banner be designed? Is there a maximum number of user permissions that are allowed to pop up at the launch of an app? These are the kind of questions every designer asks at some point when creating interfaces. One of the aims of the new EU General Data Protection Regulation (GDPR), among many others, is to answer those questions and clarify the grey areas.

The new European regulation on data protection will definitely have an impact on the design of all digital services and products such as websites, mobile apps, software and IoT devices. Every company will need to review its data use policy and ensure that the ‘Privacy by design’ principle is integrated from the very start of the design process of digital interfaces.

In this article, I attempt to transcribe the regulation into a series of best practices that, I hope, can be concretely adopted by UX designers and help them comply easily with the new rules set out by the GDPR.* This article is based on my understanding and personal interpretation of the text. It should be used for information only.

*Keep in mind that some requirements of the GDPR and their proper application will probably evolve in the future.

First things first, what is GDPR?

Since digital technology has become inherent to our lives, and as the amount of data generated by digital interfaces increases accordingly, the need to regulate data management has become increasingly important; legislators at EU level could no longer afford to stay silent or vague given the risks associated with bad practices and abuses. One essential point was to review the current system whereby data are regulated only by the companies collecting them, with no other form of supervision.

The General Data Protection Regulation was adopted as an attempt to give users more control over their personal data, by making companies responsible for the way they manage and process data. Another goal was to respond to the rapid technological development and growth of the digital world, and to assess how to prevent any potential harmful impact on the lives of millions of European citizens.

The GDPR sets a common legislative basis for all member states of the EU and comes into effect in May 2018. Because it has been adopted at EU level, it applies to every company located in the European Union, but it also applies to those based outside the EU as long as they collect personal data of European users. The fine for not complying can be very significant (up to 20 million euros or the equivalent of 4% of the firm’s annual global revenue).

Giving users more control over their data and the way they give their consent will require different prioritisation in user journeys and more accessible and human UX design. Some principles in the GDPR will have a direct impact on how we design interfaces.

Integrate ‘Privacy by design’

‘Privacy by design’ is one of the major principles introduced by the legislation. It means that respect for private life has to be carefully considered and integrated as early as the design phase. For a UX designer, integrating ‘Privacy by design’ means conceiving a user journey which is explicit about the consequences of each action the user takes.

Don’ts

In the following example, on the left hand side, a user installs a music player app on their mobile phone. During the launch, the app asks for permission to collect data through the user’s phone, such as their contact list. This request has no direct link with the actual purpose of the app, which is to let the user listen to music. As such, it can be considered irrelevant, and it can be assumed that it is asked only for marketing purposes. Under the GDPR and the ‘Privacy by design’ principle, these types of practices will not be allowed anymore. Data collection is authorised only if it can be justified by the use of the digital product.

Illustrated for West by Coraline Colasse

Do’s

On the right hand side, the same app asks to collect behavioural data such as the user’s music history. These data would help the app suggest similar content, which is justified by the purpose of the app. In this case, this type of data collection would be approved under the GDPR, provided the app obtains the user’s consent beforehand.

Minimise data

The GDPR also includes obligations to prevent abusive data collection or use for marketing purposes. Some organisations share or sell the data they collect to third-party companies, which makes those data harder to track and protect. Minimising the amount of data collected helps to ensure they are protected and that their use can be justified to users or to the authorities.

Minimising data processing is also a way to counter practices which require users’ personal data in exchange for access to free services.

Don’ts

The following website offers hiking maps. Users have to fill in their birthday and gender to be able to create an account. If they do not fill in these fields, an error message appears, preventing them from subscribing. Such information, however, has nothing to do with hiking. This particular ‘dark pattern’ is called Forced Disclosure and consists of making users give out personal data which has no direct link with the action taken.

Illustrated for West by Coraline Colasse

Do’s

In this digital agency contact form, the name and email address are required fields. The phone number is asked for as well; this may be justified by the fact that the agency may need to contact people who would like to work with them, but it is not a compulsory field. Moreover, each field contains an explanation of how the agency will use the information provided.

Illustrated for West by Coraline Colasse
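The two forms above differ in whether each field is declared with a purpose and whether a mandatory field is justified. The following is an added example, not code from the article or from the West Agency, showing how the same rule can be enforced on the server side: every collectable field is declared up front with its purpose, a required field without a stated purpose is rejected as forced disclosure, and anything the form never asked for is dropped at intake instead of being stored. The schema, field names and sample submission are constructed for the example.

```javascript
// Added example (not from the article): server-side data minimisation for a
// contact form. Every field the form may collect is declared with a purpose;
// required fields must be justified; undeclared fields are discarded at intake.
// Schema values and the sample body below are constructed.
const CONTACT_FORM_SCHEMA = {
  name:  { required: true,  purpose: 'To address you by name in our reply.' },
  email: { required: true,  purpose: 'To send you our reply.' },
  phone: { required: false, purpose: 'To call you back if you ask us to.' },
};

// Reject a schema that makes a field mandatory without saying why (the hiking
// site's birthday/gender fields): a required field with no purpose is the
// "forced disclosure" pattern encoded in the data model.
function validateSchema(schema) {
  const problems = [];
  for (const [field, rule] of Object.entries(schema)) {
    if (!rule.purpose || !rule.purpose.trim()) {
      problems.push(`${field}: no stated purpose`);
    }
  }
  return problems;
}

// Build the record to store from a submitted body. Unknown fields are dropped
// (and reported, so an unexpected field in production is visible in logs),
// missing required fields are errors, and empty optional fields are omitted.
function minimiseSubmission(schema, body) {
  const record = {};
  const errors = [];
  const dropped = [];
  for (const key of Object.keys(body)) {
    if (!(key in schema)) dropped.push(key);
  }
  for (const [field, rule] of Object.entries(schema)) {
    const value = typeof body[field] === 'string' ? body[field].trim() : '';
    if (value) {
      record[field] = value;
    } else if (rule.required) {
      errors.push(`${field} is required: ${rule.purpose}`);
    }
  }
  return { record, errors, dropped };
}

// Text to render beside each input so the user sees why the field exists.
function fieldHints(schema) {
  return Object.fromEntries(
    Object.entries(schema).map(([field, rule]) =>
      [field, `${rule.required ? 'Required' : 'Optional'}. ${rule.purpose}`])
  );
}

// Constructed sample submission: the phone is left empty and the body carries
// a 'birthday' field the form never asked for.
const SAMPLE_BODY = { name: 'Ada', email: 'ada@example.com', phone: '', birthday: '1990-01-01' };
const SAMPLE_RESULT = minimiseSubmission(CONTACT_FORM_SCHEMA, SAMPLE_BODY);
```

`minimiseSubmission` returns only `name` and `email` for the sample body and lists `birthday` under `dropped`; a request missing `name` comes back with an error that repeats the stated purpose, which is the same text the form shows next to the field.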

Ensure explicit consent

One implication of explicit consent is a ban on obtaining consent by default, without a clear action from the user, or through less explicit practices whereby users give their consent in exchange for a service or as part of a purchase journey. The legislation also provides that users must be able to withdraw consent at any time. To ensure that consent is explicit, companies’ data use policies will also have to be better presented than in most current interfaces. Designers should avoid complicated legal vocabulary that is hard for most users to understand.

Don’ts

In this social media example, during the sign-up path, users may end up sharing their contact list from an external email account without explicitly acknowledging it.

Privacy Zuckering is a ‘dark pattern’ named after the famous social media CEO, because of the lack of clarity in the settings of his social network in its early days. It consists of misleading users into sharing more information than they initially intended to.

Illustrated for West by Coraline Colasse

Do’s

This other social media example is an exception regarding the presentation of terms and conditions and could be considered a best practice example. In the form, an explanation of how the data are going to be used by the company is provided in a clear and accessible manner. The layout has been divided into separate sections to hierarchise the content and ease navigation. The GDPR tends to favour concise and comprehensible legal explanations such as this rather than long blocks of text, which may be more difficult to engage with.

Illustrated for West by Coraline Colasse

Focus on Opt-in/Opt-out

Opt-in and opt-out checkboxes are used to let users decide whether or not they want to receive promotional offers, or whether or not they give consent for data use. In an opt-in situation, users are placed by default in a refusal position and have to actively check the box to agree with the statement. On the contrary, if the checkbox is ‘pre-checked’ to mislead users, or if users are placed by default in a position of agreeing with the data use, then they have to opt out in order to refuse the proposed statement. Since the GDPR considers data protection as a setting that should be designed in by default, the user who ‘does nothing’ should be protected by default. In other words, opt-out checkboxes are unlikely to be allowed after the legislation enters into force.

Don’t

The example below presents a food ordering form. The way it is designed can be considered a ‘dark pattern’, since it uses both a double negation, to make users believe they are in an opt-in situation, and a pre-checked permission box.

Illustrated for West by Coraline Colasse

Do

On this e-commerce website selling clothes, the tone of voice in the opt-in text is engaging and commercial without being misleading. Users should understand straight away the implications of each of their actions. They are placed by default in a refusal position regarding commercial prospecting. Terms and conditions are not specifically highlighted, but they are still easily accessible.

Another best practice for opt-ins is to unbundle them in order to clearly distinguish them by purpose. Here, for instance, the opt-in for the company itself and the one giving permission to third-party companies are clearly separated.

Illustrated for West by Coraline Colasse

Informing about cookies

Under the new legislation, cookie use needs to be explained on the homepage or at least on a second-level page in the navigation. The data use policy page will have to detail how data are collected through cookies, the nature and purpose of each of them, and the duration of the consent to these cookies. Settings must be accessible at all times. It should be as easy for users to withdraw consent to cookies as it is to give it. Here again, for UX designers this means that accessible and clear withdrawal mechanisms will have to be proactively designed into interfaces.

Don’ts

In the example below, taken from a museum’s website, users do not have to explicitly agree to the use of cookies. The cookie notice, in small print at the bottom of the page, merely states “By continuing to navigate on this website, you agree with the use of cookies”, which is not optimal.

Users know neither what type of cookies are used nor what they are used for. The ‘Learn more’ CTA is also hidden and redirects to a page explaining their use in rather complex language.

Illustrated for West by Coraline Colasse

Do’s

A good example of how to present cookie consent is the website of this company selling technology products. Here, users can actively choose the degree of consent they want to give and which types of cookies they agree to.

The granularity of the options makes it possible to show the user clearly the purpose of each cookie, and it reinforces the user’s feeling of trust; as a result, they may be more willing to give their consent.

Illustrated for West by Coraline Colasse
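The opt-in section above (unchecked by default, unbundled by purpose) and the cookie section (granular categories, withdrawal as easy as consent) describe the same underlying rule: the user who does nothing is protected. The following is an added example, not code from the article or from the West Agency, that makes this rule concrete in a consent record. Purposes are unbundled, every purpose defaults to refused, an absent or malformed form value is read as refusal (browsers omit unchecked checkboxes from submissions, so the server must never treat absence as agreement), a pre-checked box can be detected before the form ships, and withdrawal is one call that also names the cookies to delete. Purpose names, cookie names and dates are constructed.

```javascript
// Added example (not from the article): a consent model where "do nothing"
// means refused. Purpose and cookie names below are constructed.
const PURPOSES = Object.freeze({
  marketing_own:     'Promotional emails from this shop',
  marketing_third:   'Sharing your email with partner companies',
  cookies_analytics: 'Analytics cookies (usage statistics)',
  cookies_ads:       'Advertising cookies (personalised ads)',
});

// Which cookie depends on which purpose. 'session' is strictly necessary and
// needs no consent, so it maps to null. Undeclared cookies are never allowed.
const COOKIE_PURPOSE = Object.freeze({
  session:    null,
  _ga_sample: 'cookies_analytics',
  _ad_sample: 'cookies_ads',
});

// Every purpose starts refused: the protected state is the default state.
function defaultConsent() {
  const consent = {};
  for (const p of Object.keys(PURPOSES)) consent[p] = false;
  return consent;
}

// Browsers omit unchecked checkboxes from the submitted body, so a missing key
// must mean "refused". Only the exact value a checkbox without a value
// attribute sends ('on'), or a literal true, counts as an affirmative choice.
function consentFromForm(body, givenAt) {
  const consent = defaultConsent();
  for (const p of Object.keys(PURPOSES)) {
    consent[p] = body[p] === 'on' || body[p] === true;
  }
  return { consent, given_at: givenAt, withdrawn: {} };
}

// Audit a rendered form description: any purpose checkbox that is checked
// before the user acts is an opt-out pattern and should fail review.
function findPrecheckedBoxes(formFields) {
  return formFields
    .filter(f => f.name in PURPOSES && f.checked === true)
    .map(f => f.name);
}

// Withdrawal: one call flips the purpose off, records when, and returns the
// cookie names that depended on it so the caller can delete them.
function withdraw(record, purpose, withdrawnAt) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  record.consent[purpose] = false;
  record.withdrawn[purpose] = withdrawnAt;
  return Object.entries(COOKIE_PURPOSE)
    .filter(([, p]) => p === purpose)
    .map(([name]) => name);
}

// Gate used before setting any cookie: allowed only if strictly necessary or
// if its purpose is currently consented to.
function mayWrite(record, cookieName) {
  if (!(cookieName in COOKIE_PURPOSE)) return false;
  const p = COOKIE_PURPOSE[cookieName];
  return p === null || record.consent[p] === true;
}

// Constructed walk-through: the user ticks analytics only (the marketing and
// advertising boxes are absent from the body), then later withdraws it.
function demo() {
  const rec = consentFromForm({ cookies_analytics: 'on' }, '2018-05-25T00:00:00Z');
  const before = mayWrite(rec, '_ga_sample');
  const removed = withdraw(rec, 'cookies_analytics', '2018-06-01T00:00:00Z');
  return { rec, before, after: mayWrite(rec, '_ga_sample'), removed };
}
```

In the walk-through, `_ga_sample` may be written after the form is submitted and may not be written after withdrawal, the session cookie is always allowed, and the three purposes the user did not tick stay refused without any extra code path; `findPrecheckedBoxes` is the check to run against the form template in review so that a pre-checked marketing box never reaches users.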

To conclude

The GDPR plays in favour of UX designers by demanding transparency and clarity in data processing as well as respect for users. However, designers will need careful interpretation, intelligence and subtle skills to explain complex legal notions without making the visual design confusing or extending users’ journeys on digital platforms too much. Generally speaking, forms used in account creation or in the purchase funnel will be the interactions demanding the most care and vigilance from designers. It will be equally important to review the way legal texts are currently presented, to better explain to users their rights in relation to personal data.

Within companies, the GDPR will likely require different digital teams and departments to work more closely together in a cross-disciplinary way to design new user journeys in compliance with the new legislation.

Take Away

Major principles

  • Be user-centric and proactive by integrating the notion of privacy into the design of interfaces
  • Show the functionalities of the interface in a transparent manner to the user
  • Ensure users are not misled when buying a product or service or when giving consent to the use of their data
  • Be aware of all types of dark patterns to avoid designing one

Best practices

  • Analyse users’ journeys and spot the interactions through which users give permission to use their data
  • Minimise the amount of consent a user needs to give and ask for permissions only where strictly necessary for the proper functioning of the interface
  • Design terms and conditions in an intuitive and accessible way by working with the hierarchy of the information displayed
  • Use clear and comprehensible vocabulary

In detail

  • Design forms that respect the users’ best interests
  • Ask information only if it is justified by the context of use of the product or service
  • Ensure opt-ins are correctly presented and require an active choice from the user
  • Unbundle and distinguish visually the different types of consent
  • Offer granular options when possible
  • Design change of settings in an accessible way

Thank you for reading! Don’t forget to clap if you enjoyed it! :)


This article is a summary of a white paper ‘Le RGPD et les métiers du numérique’ I wrote for the West Agency, originally written in French. A special thanks to Coraline Colasse for her great illustrations!