Put a Little UX in Your GDPR

Some data has to be earned.

A History Lesson

For years now there’s been an ordered stampede towards a targeted web, led by Facebook, Google, and Amazon. The math is simple: leverage deep analytics and personal information to curate targeted content. Next, use that content to build up comfortable spaces that mirror an individual’s worldview, tastes, and online habits. Finally, till this fertile data field to deliver increasingly customized content and nano-targeted advertisements.

This approach has proven lucrative for untold online businesses. The consumer upside is that, some uneasiness notwithstanding, it can be quite convenient to have sites cater both content and advertisements to your specific interests. Furthermore, behavioural data often isn’t siloed to a single site – tracking cookies like Google’s, Adobe’s, and Facebook’s collect browsing information across sessions and properties. This type of ubiquitous data gathering can get you a “The usual, sir?” from the barkeep, even though you’ve never before set foot in that saloon.

Large swaths of the modern web have been built around monetizing content through the visitor data that it brings in. In fact, these ecosystems are a feedback loop of “content, behaviour, data, optimization”. Every time through the loop, the content and embedded advertisements are optimized, increasing their value to both the audience and vendors (of goods, services, and ad space).

However, what happens if you can’t collect the information needed to personalize content? What if you can’t access comprehensive behavioural data on your visitors? How can Google or Facebook or any other vendor optimize your experience if they can’t reliably measure your actions to determine interest and infer your intent? How can Amazon recommend a book or tchotchke if it’s not allowed to remember what products you looked at previously?

In other words: what happens when GDPR comes knocking?

We’re All Data Subjects Now

The General Data Privacy Regulation is a reaction. It’s a reaction to successive reports of mass data breaches and the perception that large brokers in personal information have been cavalier in their management of other people’s personal data. It’s a reaction to an increasing public uneasiness with faceless multinational corporations holding and commoditizing unknown quantities of data about our daily lives, lives that are increasingly spent carrying a GPS-enabled phone, visiting sites that capture dozens of data points per click, and using apps and IoT devices that dispassionately listen in on our most intimate conversations. According to some, as “data subjects” – the GDPR nomenclature – we’ve been disregarded far too long.

Though GDPR is like other regulations that have come before – it’s a wordy, if generally inoffensive, bordering on bland text [1] – it threatens to turn the foundations of e-commerce upside down. At minimum, GDPR has inserted some sand into the well-oiled, expertly tuned cogs of online commerce.

GDPR in a Nutshell

GDPR imposes responsibilities on the wardens of our data to ensure standards of transparency, responsiveness, and accountability that many consider overdue. On top of threatening heavily punitive fines and penalties (4% of global revenue or €20 million, whichever is more), GDPR establishes eight “rights” to privacy held by all EU citizens. It’s important to note that though GDPR is focused on EU citizens, the penalties apply to any site that captures information on anyone located in Europe, even by happenstance.

The eight “rights” have a broad-ranging impact on how “data controllers” may capture, manage, and dispose of personally identifiable information. Here are some key highlights:

  • Before any website or app can store a cookie on your device to track your actions, you must give it “specific, informed and unambiguous consent” to do so. GDPR will have none of this nonsense of “By continuing to use our site, you agree with us doing all kinds of shady things as laid out in our unreadable policy found at this link.” One way or another, a user must know what they’re sharing, how it will be used and then click/tap/swipe/tickle something on purpose to indicate their consent.
  • Data controllers must provide a means for users to submit “Forget Me” requests by which any information they are holding on that individual will be erased or irreversibly anonymized.
  • GDPR demands that demonstrable levels of security and care be taken in receiving, managing, and destroying personally identifiable information (aka “PII”).

It’s important to note that, being loath to miss a going trend, government regulators around the developed world at the country and state levels will undoubtedly follow Europe’s lead and develop their own, equivalent regulations. GDPR is therefore but the first of many. Furthermore, even in Europe, many individual member countries have yet to implement the local laws required to enforce GDPR on behalf of their own constituents. Each will have its own unique wrinkles.

However it shakes out, the days of easy data are, if not over, in severe peril.

Putting the UX into GDPR

Consider the following question: “What are the chances that you’ll agree to share information on your online activities to benefit multinational corporation X?”

How does “Zero, bordering on nil” sound?

On the face of it, it is unlikely that anyone will rationally agree to the types of information sharing required to fuel the targeted web. As digital professionals, we know that there are many mutually beneficial reasons for users to share information with a vendor. For one, personalized content and promotions can save effort and money. Second, by lowering the “cost of sale”, a vendor can also lower prices. Third (discounting the uncanny feeling that we’re being watched), it’s certainly less annoying to see ads that are at least peripherally related to one’s interests rather than random ads out of nowhere. (I’m talking to you, purveyors of “Try This One Strange Trick for Weight Loss”.)

This poses a classic UX challenge: the user’s rational mind is unlikely to act in the way that the designer hopes. We therefore need to appeal, at least in part, to the subconscious mind.

A burden now falls on the vendor and its designers to facilitate the receipt of client information in exchange for convenience and an improved level of service. But how can we best overcome this challenge, lest we lose all of the hard-earned gains of the modern “targeted web”?

Clever Opt-Ins Aren’t the Answer

As with the web in general, users experience a site as part of an aggregate. Because our minds consume hundreds if not thousands of pages in a given month, nothing in your design can ever be perceived in a vacuum. In fact, many elements of a design are quickly categorized by the user’s mind: “Submit Search Button”, “Inconsequential Copy”, “Ambient Decoration” and “Dangerous Button” (e.g. “complete purchase” or “cancel and throw away all of my painstaking work”). Add to that list “Just Another Opt-In”.

As much as we’d like to think otherwise, putting clever, punny text onto your opt-in overlay isn’t going to convince anyone to agree to your terms of service. They don’t need to read it to know what you’re asking for. In fact, the moment they see the bar, they’ve probably already decided whether you’re worth agreeing with or not. If you have established trust with them through previous visits or completed, satisfactory purchases, they will likely agree with anything you put in front of them to keep getting good service.

Mentally, this reaction looks like “Move mouse to the right half of the overlay and click on the first shiny thing I see”, so design accordingly. Thankfully, some people will agree to anything, and over time it’s likely that many people will assume the mindset that it’s too much effort to evaluate each opt-in on its merits and just accept them all by default. This will deaden the value of GDPR as an incentive to good behaviour by “data controllers” but it will certainly make it easier on designers.

If, however, you have no relationship with a discerning user, they may instinctively switch to hunting for a “Close” or “Decline” button. You’re going to have to build up their trust and hope that they agree with your opt-in request next time.

As is typical in sales and marketing, ask questions to get the answer you want: make it easier to find the agreement button than the cancel or decline one. Furthermore, because there is already an established UXD convention around opt-in overlays, unless you want to force the user to think more carefully about his or her decision, you’re probably best to follow that convention: copy on left, Accept and Cancel on the right.

In designing cookie opt-ins, always act in good faith and keep in mind that the regulation is quite clear that you cannot punish users for not opting in. That means that you can’t go out of your way to make life difficult for people who decline your invitation to opt in.

From Article 7 of the GDPR text:

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

In simpler terms: consent through arm twisting isn’t freely given.

Demonstrate Value, Establish Trustworthiness

It is a fact that making it less expensive to line up individuals with the products or services they desire can benefit both the seller and purchaser. First, you’re increasing your conversion rate. Second, you’re saving people’s precious time. Finally, if you pass along some of your savings, you can offer them the same product or service for a little less money. These things matter, so why not build them into your expressed value proposition? This is a direct way of justifying to your customers why it’s in their best interests to securely share information with you.

The processes of content and offer optimization are core parts of many online vendors’ business models. Their competitiveness in the marketplace is directly proportional to their ability to leverage personal and aggregate audience information into effective targeting and optimization practices. However, now that users must be convinced to share data, tying sharing to key value propositions (e.g. cheaper, customized, and easier-to-find deals) is a transparent way of buttressing those practices.

If you must be transparent about the information you’re gathering and what you’re doing with it, be equally (if not more) transparent about how greatly this practice benefits your audience.

When you think about it, nobody considers a bridal registry an undue invasion of privacy because, in the end, the bride always gets what she wants. How can you make your customers feel just as appreciated for sharing their interests with you?

Further to this point, what if you could quantify the benefit to a customer based on the data you can collect? Perhaps you can transparently and elegantly indicate that “this cross-sell promotion and savings are brought to you through the magic of personalization cookie data”. It’s certainly worth exploring how transparency can be leveraged to further establish a site’s trustworthiness.

GDPR Is the New Baseline

The recency of GDPR’s coming into force has it on everyone’s lips, from Seville to Saint-Malo. However, it is best to see it not as a novelty but as the new normal. Much like accessibility, internationalization, security, etc. that preceded it, the UX language we establish and the underlying subsystems that are built will henceforth be baked into the effort of creating any system dealing in personal information.

In the coming years, best practices will be developed. Amendments and local laws will react to keep savvy developers from doing an end-run around certain provisions. Above all, for all its restrictions, there is an opportunity hidden in GDPR. The efforts we make to implement transparent lead capture, onboarding and “Forget Me” functionality can in turn serve to power the next generation of e-commerce and online services. With more integrated WCM + CRM stacks, a tighter loop between Marketing and Sales, and more discipline around the data we sometimes take for granted, we will accomplish much more than we do today.

As always in the online world, it’s only a question of who will have the vision to take hold of the opportunity.


  1. Rest aid “Calm” offers soothingly read GDPR excerpts as a means to more quickly fall asleep: https://blog.calm.com/relax/once-upon-a-gdpr

Taylor Bastien

Taylor is a senior consultant at T4G where he delivers digital marketing solutions to domestic and international clients. When he’s not on the clock, he enjoys staying fit, learning languages, and spending time with his family.