Case Study— Consent is Cool

The General Data Protection Regulation— GDPR for short— was a massive consumer data protection and privacy law passed by the European Union in 2016 and implemented in 2018. For any company that collected data on European Union citizens, this demanded major changes to business practice and to any product where personal information appeared.

Given the scope of the law and the changes it required, very few companies made changes before the effective date. There was also a lot of uncertainty in how some of the clauses might be interpreted by judges in the future— therefore, my role on the team was to design something entirely new. There weren’t any good (i.e. upheld by legal precedent) examples we could build from.

I worked closely with the legal staff to interpret the law and formulate design requirements.

Consent (is cool)

Consent is one of the key tenets of the GDPR law. The law defines it as “freely given, specific, informed and unambiguous indication […] by a statement or by a clear affirmative action.”

Users had to opt in to the uses of their information. Further, the law was interpreted to mean that we couldn’t use design to make certain options more appealing, or use coercive design to steer a user toward the choice we wanted them to take.

It was interpreted that using colors with strongly imbued meanings like green and red was coercive— we had to choose and test novel colors. We added the icons to ease some of the cognitive dissonance these new colors presented in testing.

There was also a significant education portion of GDPR we needed to address. We had a large backend team located in a non-E.U. country that was used to working directly with members. Because of the importance some teams assigned to these uses of personal information, our backend team often opted members in. While training was provided, additional reminders were needed.

We created a new feature called “my privacy and consents.” The notion of privacy was better understood by non-E.U. members, whereas those familiar with GDPR jargon were clearer on the word consents. Because other staff were able to update consents (in limited contexts), we needed to be transparent with the user about who updated a consent, and when.

Designing for some of these new requirements required establishing new patterns that also needed to be built into the organization’s design system— as well as working with developers to ensure that there was clarity around when a “yes/no” option was consent and required an alternative design. After all, the use of red and green is so well established that removing it entirely would have adversely affected task completion and increased user error.

Consent wasn’t the only consideration— additionally, I designed the flows for the “Right to be forgotten,” changed how we presented our privacy policy, and revamped our UX research program to be GDPR compliant and respectful of our E.U. members’ rights.