GDPR as a mindset: Challenges of UX and microcopy (part 1)

Prototyping: From UX to Front End — Medium | Kinneret Yifrah

The digital world is in a frenzy.

On May 25th, the General Data Protection Regulation will come into effect.

This regulation has many implications, but this post will focus on the direct contact point with users — i.e. the challenge this sets for UX and microcopy professionals.

For the purpose of writing this post, I met with attorney Dan Or-Hof, founder of Or-Hof Technology and IP law firm, which also specializes in information privacy issues (

And if it’s not obvious, then I’ll say it loud and clear: This post is by no means a form of legal advice or counsel. Each one of you who has to comply with the GDPR must seek specific personal legal counsel, and work only according to their directives, as they know best about the product, its context, and the provisions of the law.

So, shall we begin?

What is the GDPR?

The GDPR is a regulation under EU law, going into effect on May 25th 2018, that addresses data protection and privacy for all individuals within the EU when they use digital products.

The law applies to anyone gathering and processing data from anyone currently in the EU (citizens, residents, tourists etc.), even if they’re situated outside the EU.

So if EU people are among your users, buying your products or services, or you are monitoring their presence online — the law applies to you, wherever you may reside, and so do the (very) hefty fines imposed for breaking it.

The law covers many aspects of privacy protection, including data security, appointing compliance officers, reporting to regulators, documentation, and more.

If you still aren’t familiar at least with the main terms, I recommend you read the ICO guidebook on the subject and then return to read the rest of this post.

How is the GDPR related to UX and microcopy?

From this huge bill, two aspects will play a big role in our work on the actual interface the users meet:

  1. Consent
  2. The right to browse, change and delete data

1. Consent

According to the GDPR, you must get your users’ explicit consent in order to gather their data and process, use, or share it.

An excellent summary on consent can be found here.

The UX challenges

  • Presenting the request for consent with minimum disturbance to the product’s flow and overall experience, without scaring away the users.
  • Presenting the new, longer and more complex privacy policy in a way that complies with the law, so users can easily grasp and understand what it is they are agreeing to.

The microcopy challenges

  • Phrasing the request for consent in such a way that users will actually consent to it.
  • Transforming legal language into a natural language that sounds humane and trustworthy (and for the advanced class: a language that’s also in accordance with the brand’s voice and tone).

Since microcopy is my expertise, I dedicated a separate post to these two challenges, offering ways to overcome them. You’ll find a link at the end of this post.

Keep in mind: not everything requires user consent

The GDPR contains the term Legitimate Interest, which is a separate legal basis for gathering and processing data that does not require user consent. For example, processing data that is an integral part of the product or service (like sending an email reminder about an abandoned shopping cart, or offering items complementary to a previously purchased product) may be deemed a legitimate interest, and consequently might not need prior consent. But the term is still somewhat vaguely defined, and its boundaries are still taking shape as we speak.

If there’s a situation or topic where you find that it’s especially difficult to ask for consent without interrupting the user’s experience or deterring them in any way, you may want to check if there is a legitimate interest you can base your data analysis on and forgo the need for explicit consent.

What matters in these cases is that you (i.e. your legal department) document your decisions and know how to justify why some data falls under legitimate interest, and how this decision is in compliance with the spirit of the GDPR.

2. The right to browse, change and delete data

According to the GDPR, users will be able, at any time, to withdraw their consent to have their data collected and processed, to have it changed, or to request its deletion.

The UX challenge

Designing an interface that allows users to change their minds, including a form to request that their data be deleted. In a simple product this would entail a sentence or two and a button, but as the scope of data gathered becomes larger and more intricate (in terms of type of data, ways of processing, using and sharing it), the UI/UX might become more complex and challenging, and may call for a privacy dashboard.

Facebook, for example, has already announced they are developing a Privacy Center that will feature the core privacy settings, allowing users to easily understand them and make decisions accordingly.

The microcopy challenge

To come up with texts for such interfaces, including a consent-withdrawal form (the actual form, and its confirmation and error messages), which will achieve these three goals:

a. Help users — but really help them — handle their privacy issues with ease and comfort, so we can:
– Maintain a good user experience.
– Build trust in the candor of our intentions to use the data only for the benefit of our users.
– Comply with the law and be absolutely transparent.

b. Promote the business goal of having users agree to us using their data.

c. Comply with the law on browsing, changing and deleting user data.

How do we do this?

I arrived at the meeting with Or-Hof with a clear list of questions:

  • At what point do you present the user with the request for consent?
  • What should be included in the initial message and what can be left in the extended privacy policy?
  • What is regarded as giving consent — is clicking an I Accept button enough? Or does the user need to actually tick a checkbox?

And other similar, very specific, issues.

But his answer was much more interesting:

The GDPR gives us a frame, not guidelines as to UI/UX design nor to phrasing texts.

For example, the GDPR requires user consent to be: “…given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication… by a written statement, including by electronic means, or an oral statement”. It says that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent”. Acceptable consent, it says, is users actively ticking a box, choosing a setting, or any other way that clearly indicates, in its specific context, that users are consenting to have their data processed.
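To make the consent rules above, and the right to withdraw, browse and delete described earlier, concrete for engineers who build the back end behind the interface, here is an added example in Python. It is not code from the original post, and the `ConsentLedger` class, the purpose names, the mechanism labels such as `"pre_ticked_box"` and the user id are all this example's own assumptions. It refuses to record consent obtained through a passive mechanism, requires one specific purpose per record, accepts withdrawal unconditionally, and treats the absence of a record as no consent.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Mechanisms that, per the regulation text quoted above, do NOT constitute
# consent. The labels themselves are this example's own assumptions.
PASSIVE_MECHANISMS = frozenset(
    {"pre_ticked_box", "silence", "inactivity", "continued_use"}
)


class ConsentError(ValueError):
    """Raised when an attempted consent record would not be valid consent."""


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str          # one specific processing purpose, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    mechanism: str        # the affirmative act, e.g. "checkbox_ticked"
    policy_version: str   # the privacy policy text the user was shown
    at: datetime          # when the act happened (UTC)


class ConsentLedger:
    """Append-only, per-user, per-purpose consent history (hypothetical API)."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def record_consent(self, user_id: str, purpose: str, mechanism: str,
                       policy_version: str,
                       at: Optional[datetime] = None) -> ConsentEvent:
        # "A clear affirmative act": passive signals are rejected outright.
        if mechanism in PASSIVE_MECHANISMS:
            raise ConsentError(f"{mechanism!r} is not an affirmative act")
        # "Specific": one named purpose per record, never a blanket grant.
        if not purpose or purpose == "all":
            raise ConsentError("consent must name one specific purpose")
        event = ConsentEvent(purpose, True, mechanism, policy_version,
                             at or datetime.now(timezone.utc))
        self._events.setdefault(user_id, []).append(event)
        return event

    def withdraw(self, user_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is always accepted and needs no justification.
        event = ConsentEvent(purpose, False, "user_withdrawal", "",
                             at or datetime.now(timezone.utc))
        self._events.setdefault(user_id, []).append(event)
        return event

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        # The latest event for that purpose decides; no record means no consent.
        for event in reversed(self._events.get(user_id, [])):
            if event.purpose == purpose:
                return event.granted
        return False

    def history(self, user_id: str) -> List[ConsentEvent]:
        # Right to browse: the user's complete consent trail, oldest first.
        return list(self._events.get(user_id, []))

    def erase(self, user_id: str) -> int:
        # Deletion request: drop every record for the user, report how many.
        return len(self._events.pop(user_id, []))


def demo() -> dict:
    """Walk through grant, rejected passive grant, withdrawal and erasure."""
    ledger = ConsentLedger()
    uid = "user-42"  # constructed user id
    policy = "policy-2018-05"  # constructed policy version label
    ledger.record_consent(uid, "marketing_email", "checkbox_ticked", policy)
    ledger.record_consent(uid, "usage_analytics", "settings_toggle", policy)
    try:
        ledger.record_consent(uid, "ad_profiling", "pre_ticked_box", policy)
        rejected = False
    except ConsentError:
        rejected = True
    ledger.withdraw(uid, "marketing_email")
    return {
        "pre_ticked_rejected": rejected,
        "email_permitted": ledger.is_permitted(uid, "marketing_email"),
        "analytics_permitted": ledger.is_permitted(uid, "usage_analytics"),
        "profiling_permitted": ledger.is_permitted(uid, "ad_profiling"),
        "events": len(ledger.history(uid)),
        "erased": ledger.erase(uid),
        "after_erase": ledger.is_permitted(uid, "usage_analytics"),
    }


if __name__ == "__main__":
    print(demo())
```

The ledger is append-only so that the "document your decisions" point made earlier is satisfied automatically: every grant and withdrawal keeps its timestamp, the mechanism used and the policy version shown, which is the record a regulator would ask for. Note that `erase` removes the trail entirely; a real system would typically retain a minimal deletion record for its own accountability, which is a legal question for counsel rather than this example.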

What does “or any other way” mean? Does the OK, thanks button qualify? What about the Got it button? Is a sentence like “by using the product you are confirming its privacy policy” good enough? And what should be written beside the checkbox: should we write all the necessary details, or just give a general statement and refer the user to the privacy policy?

These have no clear answer, as Or-Hof says:

GDPR is a mindset.

It requires the collecting and using of data to be under the users’ control and a matter of their personal choice, and therefore it requires us to be transparent, accessible, clear and friendly.

And that’s it.

This is our new work environment.

So how do we adapt? As always, by being creative.

As with every other UI, complexity requires the use of UX and microcopy tricks and tools in order to make it easier for users, simplify the situation for them and make it more intuitive, as smooth as possible.

“And don’t ask your legal team how to do it”, recommends Or-Hof, “it’s not their job. Get from them what you need to present and do your thing in implementing it in the best way for the users and the business. Only when you come up with several different but good options, return to the legal department and get their approval as to each one’s compliance with the requirements of the law”.

A new challenge requires rethinking

Consent for the use of cookies is frequently asked for nowadays by a strip that pops up upon entering a site, either at the top or bottom of the screen. Is this the only way to display a consent request?

This is Facebook’s current privacy settings interface. Is it the best way to go?


Or-Hof, however, recommends not rushing in to copy whatever has already been done in the field.

We are faced with a new challenge, one that encompasses UX, business goals and intricate regulation. So we had better rethink the entire thing from scratch: forsake the existing standards, which suited the limited regulation that existed until now, and invent a new standard, or even a few new standards to choose from as needed.

  • Maybe an excellent icon system will evolve, making complex phrasing redundant for users, and us.
  • Maybe the just-in-time alert system will be used more widely (asking for consent only when users perform a specific action, like in iOS).

I recently liked something on LinkedIn and got this, just in time:

  • Maybe we’ll find out that asking for consent as part of the sign-up process converts better than the one at the entry point to the site, and maybe a notice appearing from the side of the screen is a better converter than ones on the top or bottom of the screen.
  • Maybe we’ll find ways to incorporate the request for consent in the product’s concept in a cool and refreshing way.
  • Maybe they’ll find a new interactive way to present privacy policies in a way users will be happy to read them, understand them easily, and make their relevant choices quickly. If we succeed in doing that, a friendly reference to the privacy policy may be all we need to comply with the GDPR.

If UX tools and practices brought users to pay online and subscribe to mailing lists, they can do this too 🙂

Read more about the microcopy of consent and privacy policies in the special follow-up post.

Final thoughts: The legal team and us

My experience with legal teams, as far as highly regulated matters go, leads me to expect them to be less than fond of the risk taken in adopting innovative solutions that are untried and have yet to withstand the test of the judicial process.

Part of the solution to this is to acquaint ourselves with the law, at least to the extent that allows us to speak in GDPR terms. Once we do that, we will be able to defend our creative solutions in front of legal counsel and remind them that we are also required to be friendly and keep things clear and simple.

Another part of the solution has to do with risk management. Or-Hof says the GDPR might bring change to the perception of risk management on the subject, as it is a newly forming area, and unless we try new things — we will never know what works and what doesn’t. The business people will have to weigh in on the balance of product/business success in relation to legal counsel, and decide which risks, if any, are worth taking.

In any case, whatever risk is taken, the most important thing is to act honestly and follow the spirit of the GDPR: give users the best tools to control their own privacy while still enjoying a quality, personal, digital product, and explicitly back every decision you make with the principles laid out in the GDPR.


GDPR as a mindset: Challenges of UX and microcopy (part 1) was originally published in Prototypr on Medium, where people are continuing the conversation by highlighting and responding to this story.