UX Design and GDPR: Everything You Need to Know
The internet is where we spend a lot of our time, whether working, studying or communicating. And if in physical life there are very clear laws and regulations in terms of privacy and personal life, things are quite different on the web.
In light of recent user privacy scandals and increased involvement of local governments in the web regulation, it was just a matter of time for the General Data Protection Regulation (GDPR) to arrive.
Data protection reform has been in the works for over four years, and GDPR is one of the main components of this new framework.
What is GDPR?
GDPR is a new EU regulation on data protection and privacy that goes into effect May 25, 2018. It primarily addresses the process of obtaining and managing user data, giving EU residents more control over their privacy on the web.
This regulation will certainly bring in major changes to how businesses operate online. But it will also simplify the regulatory environment across all EU member states, making it easier to comply with requirements.
It is important to understand that GDPR is not a directive, but a regulation, which does not entail local governments to make any legislation changes. However, it is still applicable and legally binding for companies processing personal data of EU residents. Moreover, failure to comply with GDPR will result in significant penalties of up to 4% of global turnover or 20 million euro, whichever is higher.
Businesses need to adjust their current privacy policies and the way they are presented on the web. And this presents new challenges for the user experience.
Previously, data collection and processing information was usually a part of the general terms and conditions, which hardly anyone read. So very few users knew exactly who and how was processing their personal data. GDPR will bring in more transparency and will allow users to easily acknowledge what they are giving consent for.
But before diving into the UX implications of the GDPR, I would like to clearly state that this article does not provide legal advice in any form. In order to comply with GDPR requirements, you need to seek professional legal counsel.
What Does GDPR Mean for UX?
The regulation itself is a lengthy document covering a range of data protection issues, but there are two main aspects that will affect the user experience most:
- User consent
- User rights to manage or delete their data
In terms of GDPR, user consent is defined as follows.
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.“
It should be explicitly clear that the user has allowed you, as a business, or controller, to collect and process their personal data.
Now, let’s see how exactly you can modify your data collection forms to comply with this requirement.
- Start by going through your existing user journey and checking current consent practices. Do you provide enough context and details as to who and how user data is processed?
- Make sure you do not have any pre-checked consent boxes or other forms of default agreement. This applies to absolutely everything, including email newsletters.
- Users should have the option to easily withdraw consent at any time and you should clearly tell them how to do it.
- Specific consent requests, like marketing communication, should be separate from general terms and conditions.
- Keep your consent request granular and try to be very specific about what you ask permission for. Ask separate consent for different things.
- Disclose the names of controllers who will be processing the data.
While providing all of this information is fair and important for the user, but it should not make the user experience heavier. This is a real challenge.
H&M UK has adopted the new GDPR rules and here’s how they greet new visitors on their website.
When it comes to getting user consent in a simple and granular way, ASOS and IKEA are setting a great example.
Simple checkboxes are a great way of letting users choose the exact type of communication they are willing to receive from the brand. And this might improve the email marketing performance, as customers will be more interested in the content they have agreed to receive.
It is not certain how these changes will affect registration form conversion rates in the long run. So it makes sense to test and iterate the microcopy and UI within GDPR limits in order to find the best performing option.
Another great example from ASOS shows how you can allow users to easily opt out and withdraw consent using friendly and subtle microcopy.
As you adapt your user experience to GDPR, keep in mind that not everything requires user consent and there is no need to interrupt the UX with additional consent requests. For instance, sending email reminders about abandoned hotel bookings might be legitimate even without separate user consent. That is why it is better to check with a legal representative as a part of your GDPR UX optimization.
User Right to Manage and Delete Data
After GDPR takes effect, users should have more control over their data and their accounts. They will be able to change preferences up to deleting accounts altogether. This right is not absoluteregardingand there are some legal cases when this does not apply. But generally, every user will have the right to request data erasure and get an official response from the company within a month.
The UX challenge is to present this feature in a way that is simple and genuinely helps users manage their data. But it should also meet the business goals of retaining customers. Let’s look at a few examples by major brands.
MailChimp is quite straightforward and allows users to delete or download data right in the account settings.
Canva also keeps everything simple and accessible in the account settings. However, users do not have the option to download all their data in bulk before deleting.
Another example of great microcopy and UX comes from Buffer. First of all, the “Leave Buffer” option is not hidden somewhere in the fine print in account settings. It is a menu item, always at hand. And the languages used on the page takes the overall user experience over to the next level.
The main idea behind this is that users will always find a way to stop using your service if they are not satisfied. So there is no point in hiding this feature.
GDPR is here, and if you haven’t reviewed your website UX in terms of data protection and privacy, it’s time. This regulation is a step forward in creating a safe and transparent user experience across all websites and platforms. It will give people more control over their data and more tools to be informed and to act whenever they feel unsafe.
GDPR is essentially a set of guidelines for a better, more authentic user experience.
What UX challenges have you faced while adapting to GDPR?