UX best practices for GDPR compliance

Posted on October 11, 2022
2 min read


When the European Union’s General Data Protection Regulation, or GDPR, went into effect on May 25, 2018, things changed for digital experiences. The legal framework imposes stricter privacy rules and aims to give individuals more control over their personal information. Primarily, GDPR addresses how an organization obtains and manages user data, and it is based on the seven Privacy by Design principles of Dr. Ann Cavoukian. The GDPR has changed how organizations handle user data and design digital experiences: a UX designer must adhere to the legislation while still creating an easy and enjoyable digital experience for the user.

GDPR is legally binding for organizations processing the personal data of EU residents. An organization that breaches GDPR can be fined up to 4% of its worldwide turnover for the preceding financial year or €20 million, whichever is higher.

The good news is that privacy best practices align with UX research best practices, so following them results in a better experience for the user. Here is what to prioritize when designing experiences that involve privacy consent.

User consent must be explicit, not implied

A digital experience should not influence a user’s consent to privacy. Users must opt-in or actively consent to have their data collected, stored, or used. This means forms cannot leverage pre-checked boxes.

In addition, the user must fully understand their options. Therefore, designers should avoid leading users to make one decision over another regarding their consent to privacy. That means no buried text or flashy call-to-action buttons leading users to pick one option over another.

Because consent must be explicit and not assumed, organizations must offer privacy by default. Your organization is responsible for providing privacy to a user who takes no action.

Always provide an individual opt-in for data collection that is separate from the terms and conditions. Your digital experience should never bundle privacy consent with the user’s agreement to something else.

Additionally, users have the right to withdraw consent at any time. The control for withdrawing consent should be easy to find and easy to use at any point in the experience.

A user has the right to granular permissions, clear context, and transparency

Users should be able to consent to different types of data collection. The user should never be asked to share data without being told why. If your organization uses third-party data collectors, name them explicitly. It’s critical to offer complete transparency into when you collect data, where it is stored, and when it’s eventually destroyed.

More importantly, if your organization collects data to improve the user experience, then say so. Clearly explain why consent will benefit a user’s experience and how.

The points in the user journey where UX professionals most often need to apply privacy UX are account registration, cookie consent, agreement to privacy policies, in-app consent prompts, and the data-personalization settings of your product or newsletter.
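The rules above can be checked mechanically. The following is an added example, not code from the original post: a small lint over a declarative description of a consent form (flagging pre-checked boxes, consent bundled with terms, one box covering several purposes, missing explanations and unnamed third parties) and a consent record that is private by default, only changes on an explicit opt-in, and can be withdrawn at any time. The field ids, purpose names and processor names are made up for the demonstration.

```javascript
// Each field: { id, kind: "terms" | "consent", purposes: [names], checked: default state,
//               why: plain-language reason, processors: [named third parties] }.
function auditConsentForm(fields) {
  const violations = [];
  for (const f of fields) {
    const purposes = f.purposes || [];
    if (f.checked) violations.push(`${f.id}: pre-checked box implies consent`);
    if (f.kind === "terms" && purposes.length) {
      violations.push(`${f.id}: terms checkbox also asks for data consent`);
    } else if (f.kind === "consent") {
      if (purposes.includes("terms")) violations.push(`${f.id}: consent bundled with terms`);
      if (purposes.length > 1) violations.push(`${f.id}: one box covers several purposes`);
      if (!f.why) violations.push(`${f.id}: no explanation of why data is collected`);
      if ((f.processors || []).some((p) => !p)) violations.push(`${f.id}: unnamed third party`);
    }
  }
  return violations;
}

// Consent record: every purpose starts withheld (privacy by default), can only be granted
// by an explicit user action, is tracked separately from terms acceptance, and can be
// withdrawn at any time. `now` is injectable so the record is testable offline.
function createConsentRecord(purposeNames, now = () => new Date().toISOString()) {
  const consents = Object.fromEntries(purposeNames.map((p) => [p, { given: false, at: null }]));
  let termsAcceptedAt = null;
  const known = (p) => { if (!(p in consents)) throw new Error(`unknown purpose: ${p}`); };
  return {
    acceptTerms() { termsAcceptedAt = now(); }, // never touches any consent entry
    grant(p, { explicit } = {}) {
      known(p);
      if (explicit !== true) throw new Error(`consent for ${p} requires an explicit opt-in`);
      consents[p] = { given: true, at: now() };
    },
    withdraw(p) { known(p); consents[p] = { given: false, at: now() }; },
    allows(p) { known(p); return consents[p].given; },
    snapshot() { return { termsAcceptedAt, consents: JSON.parse(JSON.stringify(consents)) }; },
  };
}

// Constructed sample form: the first box passes; the second fails the lint on three counts
// (pre-checked, two purposes in one box, no explanation of why the data is collected).
const SAMPLE_FORM = [
  { id: "analytics", kind: "consent", purposes: ["analytics"], checked: false,
    why: "See which features are used so we can improve them", processors: ["ExampleAnalytics Ltd"] },
  { id: "everything", kind: "consent", purposes: ["analytics", "marketing"], checked: true, why: "" },
];
```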

For real-world application of the new regulations, check out some GDPR consent examples from across various industries.
