The Impact of GDPR on UX
The EU’s General Data Protection Regulation (otherwise known as GDPR) went into effect on May 25th 2018, and caused a massive upheaval in the online business world. Though it had been lined up two years prior, its more abstruse elements and its varying significance outside of Europe meant that many businesses left it until the last second to openly address it.
Over the span of a month or so, companies everywhere suddenly panicked and rushed to figure out what they would need to do to become GDPR-compliant, but we must also be aware of its potential to have secondary effects on other areas of business.
Since UX involves user data, it seems reasonable to wonder how GDPR will ultimately affect the world of UX design. Will it lead to a lot of change, or not have much impact at all? That’s what we’re going to look at in this piece.
Standards raised throughout the world
Fundamentally, businesses that adhere to GDPR rules must ensure that any data they store that can practically be used to identify individuals is handled in a very particular way. The emphasis there is important, because anonymous information isn’t considered an issue, though GDPR’s impact is about more than its precise rules.
Though intended only to ensure a higher standard of user data protection for EU businesses and users, it has essentially served as a catalyst for a general revision of standards throughout the Western world. Businesses that aren’t in the EU and don’t store data on EU citizens are not bound to follow it, but they must make an effort regardless or look bad relative to companies that are using the advent of GDPR to assume a pro-privacy stance.
Comprehensive and meaningful consent to GDPR
When designing a UX that requires a personal login, the full force of GDPR applies as the associated data can clearly be linked to a specific person, and any part of the UX that requests or stores data must adhere to the rules.
If extended to the entire UX industry, this would kill off the following irritating practices (as indicated by the Information Commissioner’s Office (ICO) in this guidance document – PDF):
- Making it confusing and complicated to withdraw consent
  - If it’s made simple and easy to provide consent, it must be just as simple and easy to remove it. It won’t be allowed to hide the option away.
- Requesting data not directly required for the business
  - A recipe app does not have any compelling reason to request access to the microphone, for instance.
- Being vague about who is collecting the data
  - Pseudonyms and shell companies will be highly questionable. The user must be able to tell what company their consent is going to.
- Bundling consent requests with other requests
  - Users often have to accept terms and conditions or cookie policies, and some websites have tried to sneak in data consent without making it clear.
- Having consent as the default option
  - It should require clear, knowing action to signal consent, so no more leaving a box ticked initially and hoping that users don’t question it before they proceed.
- Using other ‘black hat’ UX tricks
  - There should be no disconnect between what the user thinks their actions mean and what the UX interprets them to mean. Think back to Microsoft viewing someone closing a window as agreeing to its request.
No more tricks, subtle deceptions, or lies of omission. If you’ve ever tried installing freeware software that relies on sponsorships from other utilities, you’ll know how annoying it is to be required to fend off blatant efforts to get you to accept something you don’t want.
Think of layers of negatives making it unclear whether you’re rejecting or accepting something, agreement options being massively bigger and more prominent than rejection options (we tend to go with our attention), or unexpectedly swapped layouts hoping to get you to click on ‘Yes’ by placing it where there was previously a ‘No’, etc. GDPR will consign them to the past.
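The ICO points above translate into a few mechanical rules for whoever builds the consent flow: nothing is granted by default, the controller is named, accepting terms never grants a purpose, only a deliberate act can grant consent, and withdrawing takes no more effort than granting. The following is an added example, not code from the article or from the ICO, of a small consent ledger that enforces those rules and audits records (for instance ones imported from an older system) against them. The controller name, purpose names, action kinds, timestamps and record layout are all constructed for illustration.

```javascript
// Added example (not from the article): a consent ledger that encodes the ICO
// points in code. Purpose names, action kinds, controller name, timestamps and
// the record layout are constructed assumptions.

const PURPOSES = ["marketingEmail", "analytics"]; // constructed purpose list

// Only a deliberate act aimed at a purpose can grant consent. Accepting
// unrelated terms or closing a dialog is never affirmative for a purpose.
const AFFIRMATIVE_ACTIONS = new Set(["tick-box", "allow-button"]);

// Every purpose starts false and the controller must be named: consent is
// never the default, and the user can always see who is asking.
function newConsentRecord(controller) {
  if (!controller) throw new Error("the data controller must be named to the user");
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;
  return { controller, termsAccepted: false, purposes, history: [] };
}

// Record a grant or withdrawal. `action` is { kind, at } describing what the
// user did. Granting needs an affirmative act; withdrawing is accepted from
// any act, so it is never harder than granting.
function setConsent(record, purpose, granted, action) {
  if (!(purpose in record.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  if (granted && !AFFIRMATIVE_ACTIONS.has(action.kind)) {
    throw new Error(`"${action.kind}" is not an affirmative act for ${purpose}`);
  }
  record.purposes[purpose] = granted;
  record.history.push({ purpose, granted, action: action.kind, at: action.at });
  return record;
}

// Terms and conditions are a separate decision: accepting them touches no purpose.
function acceptTerms(record, action) {
  record.termsAccepted = true;
  record.history.push({ terms: true, action: action.kind, at: action.at });
  return record;
}

// Audit any record against the same rules. Returns a list of problems; an
// empty list means the record is consistent with them.
function auditConsent(record) {
  const problems = [];
  if (!record.controller) problems.push("controller not named");
  for (const [purpose, granted] of Object.entries(record.purposes)) {
    if (!granted) continue;
    const last = [...record.history].reverse().find((h) => h.purpose === purpose);
    if (!last) {
      problems.push(`${purpose}: granted without any recorded user action (consent by default)`);
    } else if (!last.granted) {
      problems.push(`${purpose}: flag set although the last recorded action withdrew consent`);
    } else if (!AFFIRMATIVE_ACTIONS.has(last.action)) {
      problems.push(`${purpose}: consent taken from "${last.action}", which is not an affirmative act`);
    }
  }
  return problems;
}

// Constructed legacy record showing the anti-patterns: no controller named,
// one purpose set by default, another "granted" by a bundled terms click.
const LEGACY_RECORD = {
  controller: "",
  termsAccepted: true,
  purposes: { marketingEmail: true, analytics: true },
  history: [{ purpose: "analytics", granted: true, action: "accept-terms", at: "2018-05-01T10:00:00Z" }],
};

// Walk through a compliant flow and audit both records.
function demo() {
  const at = "2018-06-01T09:30:00Z"; // constructed timestamp
  const r = newConsentRecord("Example Recipes Ltd"); // constructed controller name
  acceptTerms(r, { kind: "accept-terms", at }); // terms only; no purpose changes
  setConsent(r, "marketingEmail", true, { kind: "tick-box", at }); // explicit grant
  setConsent(r, "marketingEmail", false, { kind: "dialog-close", at }); // one-step withdrawal
  return { record: r, problems: auditConsent(r), legacyProblems: auditConsent(LEGACY_RECORD) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The asymmetry is deliberate: `setConsent` only gates the granting path, so any user action can withdraw, while a bundled terms click or a closed dialog can never grant. `auditConsent` applies the same rules after the fact, which is where imported or pre-existing consent data usually falls down.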
Increasingly careful email CTAs
When websites started sending out GDPR compliance emails in droves, much ado was made about the aura of desperation produced. There was much satisfaction to be had in seeing companies that had been gleefully storing unnecessary information for years suddenly having to assume a conciliatory tone and properly ask for permission instead of assuming it.
Some businesses did this well, while others made a mess of it. Just take a look at some good and bad examples of how to do it. The smart companies kept their copy clear and succinct, explaining what they needed from the user and politely asking for it. The ill-advised ones waffled on interminably and left their users both confused and annoyed, adding to a lot of built-up resentment instead of mitigating it.
After all, email marketers have taken as many shortcuts as possible. Knowing that attention spans aren’t all that long and every inbox is saturated with newsletters and sales, they’ve been all too willing to throw in giant CTAs with huge quantities of tracking data linked to them, regardless of whether the linked pages met user expectations.
Now that the general public has been forced to learn about GDPR, however, that ‘trick the user into action if you must’ tactic might well become counterproductive. Any company engaging in marketing would be well served to take the time every few months to read up on some email marketing best practices to make sure that they are keeping up with changing expectations.
Greater levels of transparency with GDPR
In general, transparency is going to be the biggest result of GDPR in the long run. Like seeing the man behind the curtain in The Wizard of Oz, people now have some idea of what is being done with their data, and they aren’t going to be too inclined to trust companies that aren’t honest and transparent about what they do and how they do it.
Tone of voice is going to be a vital part of showing this transparency. If one company grudgingly acknowledges that it intends to adhere to the letter of the law, and another personably explains that it cares about its users and will work hard to protect their data, which one will be more likely to earn user consent? Being more personable is also fantastic for brand image in general, so it’s an easy win overall.
Today’s UX designer should bear this in mind at all times and create layouts that reassure users about what’s happening and what is being requested. Users are no longer less likely to consent when they are given that information, because they legally cannot consent without it, so there is no business incentive to withhold it, and being more transparent than your competitors will make you more likely to attract (and merit) customer loyalty.
GDPR in conclusion
Are you a UX designer trying to figure out how to approach UX in a post-GDPR world? Don’t focus too much on the exact details of the regulation. In the long term, what matters the most for the user is the reasoning behind GDPR, not the regulation itself. Prove that you’re invested in taking their privacy seriously and you’ll be in good shape.
@victoria
Agree with the thesis behind this. Do the right things and you won’t generally fall foul of the GDPR regulation.
The issue of bundling consent requests with other requests has sadly not stopped. See this still every day. Clearly legitimate interest has a role to play, but you cannot insist on emailing me just because I download your ebook. That’s not how it works anymore!
I’m sure I’m one of many who had hundreds of unnecessary emails requesting me to reconfirm consent. Again legitimate interest is there if I bought something from you recently. Unless, of course, you had dodgy practices previously that you have now abandoned!
I’m sure we will get there!