UX best practices for GDPR compliance

Posted on October 11, 2022

When the European Union’s General Data Protection Regulation (GDPR) came into force on May 25, 2018, it changed how digital experiences must be designed. The regulation imposes stricter rules on the processing of personal data and gives individuals more control over information about them. It governs how an organization collects, uses, stores, and shares personal data, and its Article 25 obligation of “data protection by design and by default” draws on the Privacy by Design framework and its seven foundational principles developed by Dr. Ann Cavoukian. A UX designer has to meet these obligations while still creating an experience that is easy and pleasant to use.

GDPR is legally binding on any organization that processes the personal data of individuals in the EU, wherever the organization itself is based. An organization that breaches it can be fined up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

The good news is that privacy best practices line up with UX research best practices, so following them produces a better experience for the user you are designing for. Here is what to prioritize when designing experiences that ask for consent.

User consent must be explicit, not implied

A digital experience must not nudge a user toward consenting. Users must opt in, that is, take an affirmative action to allow their data to be collected, stored, or used. Pre-ticked boxes are not valid consent (GDPR Recital 32 states that silence, pre-ticked boxes, or inactivity do not constitute consent), so forms cannot use them.

The user must also understand their options fully, so designers should not steer users toward one choice over another. Refusing must be as easy as accepting: no decline option buried in small text, no oversized “Accept” button beside a greyed-out alternative.

Because consent must be explicit and never assumed, privacy has to be the default. A user who takes no action has consented to nothing, and your organization is responsible for ensuring that no optional data collection happens in that state.

Always provide a separate opt-in for data collection, distinct from accepting the terms and conditions. Article 7(2) requires a request for consent to be clearly distinguishable from other matters, so accepting the terms must never double as consent to processing, and a single checkbox must not cover both.

Users also have the right to withdraw consent at any time, and Article 7(3) requires withdrawing consent to be as easy as giving it. The control for removing permission should be easy to find and usable at any point, not hidden several screens deep.

A user has the right to granular permissions, clear context, and transparency

Users should be able to consent separately to each purpose for which data is collected rather than being asked for one blanket “yes.” A user should never be asked to share data without being told why. If your organization passes data to third-party processors, name them explicitly. Be fully transparent about when you collect data, where it is stored, how long you keep it, and when it is deleted.

If your organization collects data to improve the user experience, say so, and explain concretely how consenting will benefit the user.
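The two sections above describe rules rather than code, so the following is an added example, not something from the original post or from UserTesting: a small consent ledger that enforces them. Every purpose starts as not granted (privacy by default), a purpose is granted only when the user actively ticked its box on the submitted form, accepting the terms is recorded separately and never implies consent, each purpose carries the disclosure text the user must be shown, and consent can be withdrawn at any time with an audit trail. The purpose names, form field names, processor names, storage locations, and retention periods are all invented for the example.

```javascript
// Added example (not the page's own code). Purposes, processors, locations and
// retention periods below are hypothetical placeholders.
const PURPOSES = Object.freeze({
  analytics: {
    why: "Measure which features are used so we can improve them",
    storedIn: "EU (Frankfurt)",
    retainedFor: "13 months",
    processors: ["Example Analytics GmbH"], // hypothetical third-party processor
  },
  newsletter: {
    why: "Send the monthly product newsletter",
    storedIn: "EU (Dublin)",
    retainedFor: "until you unsubscribe",
    processors: ["Example Mail Ltd"],        // hypothetical third-party processor
  },
});

class ConsentLedger {
  constructor(purposes = PURPOSES, clock = () => new Date()) {
    this.purposes = purposes;
    this.clock = clock;
    this.events = [];              // append-only audit trail of every change
    this.termsAcceptedAt = null;   // tracked separately from consent on purpose
    // Privacy by default: no purpose is granted until the user acts.
    this.state = Object.fromEntries(
      Object.keys(purposes).map((p) => [p, { granted: false, at: null, noticeVersion: null }])
    );
  }

  // Transparency: the text to show next to each checkbox (why, where, how long, who).
  disclosure(purpose) {
    const p = this._purpose(purpose);
    return `${p.why}. Stored in ${p.storedIn}, kept ${p.retainedFor}. ` +
           `Shared with: ${p.processors.join(", ")}.`;
  }

  // `form` is the submitted form as { fieldName: value } for a form that shows
  // every purpose. Unticked checkboxes are simply absent from form data, so a
  // missing field means "no": consent is never inferred. `noticeVersion`
  // records which privacy notice the user saw when consenting.
  applyForm(form, noticeVersion) {
    const at = this.clock().toISOString();
    if (form["accept-terms"] === "on") {
      this.termsAcceptedAt = at;
      this.events.push({ type: "terms_accepted", at });
      // Deliberately does not touch this.state: terms are not consent.
    }
    for (const purpose of Object.keys(this.purposes)) {
      const ticked = form[`consent-${purpose}`] === "on";
      if (ticked) {
        this.state[purpose] = { granted: true, at, noticeVersion };
        this.events.push({ type: "consent_granted", purpose, at, noticeVersion });
      } else if (this.state[purpose].granted) {
        this.withdraw(purpose);   // user unticked a previously granted purpose
      }
    }
    return this.snapshot();
  }

  // Withdrawal must be as easy as granting: one call, no extra conditions.
  withdraw(purpose) {
    this._purpose(purpose);
    const at = this.clock().toISOString();
    this.state[purpose] = { granted: false, at, noticeVersion: null };
    this.events.push({ type: "consent_withdrawn", purpose, at });
  }

  // The only question the rest of the application should ask before processing.
  isAllowed(purpose) {
    this._purpose(purpose);
    return this.state[purpose].granted === true;
  }

  snapshot() {
    return Object.fromEntries(
      Object.keys(this.purposes).map((p) => [p, this.state[p].granted])
    );
  }

  _purpose(name) {
    const p = this.purposes[name];
    if (!p) throw new Error(`unknown purpose: ${name}`);
    return p;
  }
}

// Constructed sample submission: the user accepted the terms and ticked only
// analytics. "consent-newsletter" is absent, so it stays not granted.
const sampleForm = { "accept-terms": "on", "consent-analytics": "on" };
const ledger = new ConsentLedger();
const granted = ledger.applyForm(sampleForm, "privacy-notice-v3");
```

The point of routing every check through `isAllowed` is that the default-deny state lives in one place; a pre-ticked box in the markup would still produce a `"on"` value on submission, so the defence against that has to be in the form itself (no `checked` attribute), while the ledger guarantees that nothing absent from the submission is ever treated as consent.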

The points in the user journey where UX professionals most often need to apply these rules are account registration, cookie consent, agreeing to the privacy policy, in-app consent prompts, and the data or newsletter settings users adjust inside your product.

For real-world applications of these rules, check out some GDPR consent examples from across various industries.
