Article written for Evident ID: UX Best Practices for Capturing Consent Post-GDPR.
The EU’s General Data Protection Regulation, or GDPR, is an unprecedented new data protection law that imposes compliance with stricter privacy rules, giving individuals greater control over their personal data.
Even without context, you’ve likely witnessed its effects in the form of a barrage of emails with updated privacy policies and consent requests that were sent to you in the weeks leading up to the GDPR’s enforcement on May 25, 2018. Emails like these were typically marked spam or promptly sent to the trash folder, but as individuals began to recognize the volatility of their online data protection, they were particularly helpful for data subjects to understand how to exercise their privacy rights.
As technology adapts to meet new privacy regulations and follow GDPR best practices, user experience designers will play an important role in modernizing digital products and contributing to the adoption of current and future regulations. One critical aspect of a UX designer’s responsibility is to understand and adapt to the new standards, ensuring that product workflows follow best practices to protect users’ privacy. With this in mind, UX designers should begin by prioritizing one of the GDPR’s core principles: capturing consent.
The GDPR defines consent as:
“Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Here are a few examples illustrating how capturing consent within a user’s experience can be adjusted to comply with GDPR best practices.
Consent must be explicit, not implied
In this example, the user must explicitly click on a checkbox stating that they agree to the terms and conditions, and then click on a second checkbox stating that they agree to receive marketing newsletters. These are two separate and unrelated consent fields, and can not be bundled into a single record. If a user gives consent for one service, an organization can never assume implied consent for a related service.
Privacy by default
Following GDPR best practices, organizations may never default to a state in which consent is pre-assumed. The default state should be the most private state, and the burden of acquiring privacy should fall on the business, not the user. In this example, the user is signing up for a webinar, which is completely unrelated to receiving an email newsletter. The default setting in this case should be the most private state, in other words, the “Add me to the newsletter” checkbox must default to being de-selected so that the user must explicitly consent to it, rather than uncheck it to request privacy.
Users should be informed
Users must be clearly informed of their rights as data subjects, and should have the ability to revoke consent to access and/or process their personal data. In fact, consent should be just as easy for the user to revoke as it is to grant it. Information presented to the user should be in an easy-to-understand, natural language, and options to revoke it should never be hidden or made deliberately obscure or difficult to find. Content like privacy policies should be layered for usability, allowing users to make informed decisions on the use of their data.
Granular permissions
Another one of the GDPR best practices suggests that privacy controls for users should be laser-focused and specific, giving the user the ability to fine-tune what types of data they consent to making available. Data should never be bundled together in a way that punishes the user by making a service unusable because the subject did not consent to a certain type of non-essential data processing.
Context should be clear
The user should be made aware of the implications of consenting to the collection of each type of data, along with why the data is needed, how the data is used, and who it will be shared with. The user should never be expected to make a decision on whether or not to consent to the use of personal data without knowing the context of why they’re doing so.
Organizations that invest in compelling user experiences that follow GDPR best practices to respectfully obtain consent from data subjects will see a distinct competitive advantage.
Consent mechanisms that are easy to read and understand will eventually become the norm, but the sooner companies can implement a better user experience, the better. GDPR early adopters that leverage good user experience design to capture consent will find it easier to build long-term trust with their constituents.
Consent is just one aspect of GDPR where UX designers can provide support to help businesses adhere to the new data protection regulation. Stay tuned for more insight as we unpack additional ways that UX can support compliance.