How will GDPR affect UX design?

“An update to our privacy policy.”

Sound familiar? Chances are, you’ve been inundated with emails just like this: companies alerting you of changes to their privacy policies in advance of the GDPR.

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for collecting and processing personal information within the European Union, and it’s going into effect on May 25. This doesn’t just affect companies in the EU—it also affects any company that does business in Europe. And if those dozens of emails are any indication, GDPR will impact everything from website design to UX.

Think about it, you'll probably get more GDPR emails than birthday wishes this year.

— Julie (@syswarren) May 23, 2018

Maud Maréchal, a UX designer at West, an agency in France, recently shared her thoughts on how the legislation will affect the user experience.

“Giving users more control over their data and the way they give their consent will require different prioritization in user journeys and more accessible and human UX design. Some principles in the GDPR will have a direct impact on how we design interfaces,” wrote Maud.

Here are a few things that designers will need to keep in mind, according to Maud:

Design around the user’s private life

One of the major tenants of the legislation is “Privacy by Design.” This means that the user experience and customer journey need to respect the user’s private life from the get-go, and each action a user takes need to be directly relevant to their experience on your site or app. For example, let’s say a recipe app asks for permission to collect data through a user’s phone, like asking to access the contact list. This request has nothing to do with the purpose of the app and would not be allowed under GDPR.

“Putting ourselves in our customers’ shoes is always good practice.”

On the other hand, if the recipe app asks to collect behavioral data, like search history, that would be okay. Why? Because it could help the app show relevant, customized content to the user.

Offer accessible, clear choices around cookies

Under the new legislation, cookie usage will need to be explained on the homepage or second-level page on the navigation. Users need to understand how data is collected through cookies, the purpose of the data, and how long they are consenting to these cookies. And, they should be able to withdraw consent at any time.

Designers and copywriters need to proactively highlight this information in a clear way. A good example would be to present users with the option to choose the level of consent they want to give, like in the excellent illustration below:

Avoid misleading copy and checkboxes

Confusing opt-in or opt-out checkboxes are everywhere. You don’t really know what you’re signing up for, but end up getting dozens of marketing emails anyway. Under the GDPR, data protection is a setting that should be designed by default, so a user who “does nothing” should be protected from opting in to anything.

For example, if your website or check-out experience has a pre-checked box that subscribes customers to a newsletter, this will no longer be allowed.

And watch out for misleading copy like this, which includes a pre-checked permission box and double-negative to make customers think they are in an opt-in situation: “I would not like to receive XYZ newsletter” and “I would like to receive XYZ newsletter and offers from other companies.”

When possible, make sure to unbundle every opt-in action to make it as clear as possible for customers.

Don’t ask for too much

We’ve all seen those websites that ask for every piece of personal information just to download something. For example, if you want to download a bike map, you need to enter your name, birthday, gender, city, and state—information that has nothing to do with biking nor accessing a bike map.

However, let’s say you own a catering company and have a “Contact Us” form. It would be okay to ask for name, email, and phone number because you may need to contact the customer to discuss the order. Another fantastic image from Coraline Colasse helps us visualize this:

When in doubt, just be transparent

Translating the new GDPR regulations into customer-friendly interactions will be a challenge. You don’t want to overload the visual design or add too many steps to the user journey, but at the same time, still need to communicate complex ideas.

The good news is that GDPR favors transparency, clarity, and empathy for customers. Putting ourselves in our customers’ shoes is always good practice, with or without legislation to prompt us.