UX design and GDPR – Everything you Need to Know

Vimlesh Gautam

“To comply with GDPR, as of May 25th, I will no longer be remembering anybody’s name, face or personal details without their explicit consent

….phew, finally a viable excuse”

– Jessica; @ticky 

This humorous tweet aptly summarizes the objective of the GDPR, or General Data Protection Regulation, a legal framework specific to the European Union that was passed on March 25, 2018. The GDPR aims to protect the privacy of internet users by regulating the way their personal information is obtained and processed.

It majorly affects the way businesses operate online, and not just for companies based in the EU but also for foreign companies that do business there. It makes sense that GDPR affects the legal and engineering departments, but it equally affects digital marketing and User Experience, since they involve user data. In terms of UX, it means three things: customer privacy, consent and transparency.

Privacy policies

Have you even once taken the time to read the entire privacy policy statement before checking the ‘I accept the terms and conditions’ box? Most of us haven’t. Traditionally, a privacy policy is supposed to inform users of what the company is going to do with their personal information, how it will collect this information, who it will share it with and how it will use it. Before the GDPR, this was all written in complex legal jargon that may not be easily comprehensible to people who aren’t well-versed in the subject.

The GDPR improves the state of these documents by making it legally binding for companies to make privacy notices clearer and more accessible to users, so that they are fully aware of what they sign up for.

This means that the privacy notices must be:

  • Written and presented in a clear, concise manner
  • Free of cost 
  • Transparent, accessible and comprehensible


Consent Forms

GDPR defines consent as, “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”


Consent forms are a way to inform customers of the company’s privacy policy and gain their permission to access their personal details, but the crucial part is HOW this consent is obtained.

Before the GDPR was passed, consent forms were taken with a pinch of salt, but now, while drafting consent forms, companies are obliged to follow these rules:

  • Opt-in: Users must voluntarily opt-in to having their data collected and used by the company.

  • Granular: Users must give consent to every type of data processing activity.

  • Withdrawable: Companies are obliged to inform users that they have the right to withdraw their consent at any given time. They must also explicitly tell the users how it can be done.

  • Transparent: Every organisation, including the company and any third parties that have access to and will handle the personal data of users, must be named.

  • Separate: Privacy terms and conditions and consent forms are separate entities and must be treated that way.

  • Beneficial: Obtaining consent is not enough. Companies need to inform the users as to why they are collecting data and how it will benefit the users’ experience. 


All in all, the biggest result of the GDPR is transparency. Users will have a clear picture of why their data is being collected, who is collecting it, how it will be used and how it will benefit them. Knowledge is power and with this power, users will be better equipped to differentiate between companies that are honest and transparent and those that aren’t. 

How can GDPR be practiced in UX design?

While Registering an Account

When a first time user is registering with the company, they are bound to encounter a request for data.

It is important for companies to explain why they are being asked for this information and how it will be used. This can be done in the following ways:

1. ‘Just in time’ data collection explanations: ‘Just in time’ notices are relevant notices that show up at the moment data is being collected. They give users context on the data that is being collected, how it will be used and how consent can be withdrawn, wherever applicable.

2. Labelling required and optional data: Clear labelling of the fields of data collection that are required and optional will help users understand the extent of privacy that is guaranteed to them.

3. Email marketing preferences: GDPR rules state that consent to email marketing cannot be assumed when users share their email addresses. This means that the benefits of opting in must be explained to users. They should also be given granular control over what emails they will receive, by offering them options for content and frequency.

4. Encourage reading the privacy policy: Privacy policies should not be skipped, and companies should encourage users to read them by emphasising the benefits of doing so. This helps users make informed choices when consenting to data collection.

While Mentioning Privacy Policy

GDPR makes it legally binding for companies to eliminate technical legal jargon and make their privacy policy comprehensible for users. Here’s how it can be done:

  1. Separate policy sections: The key is to make the privacy policy user-friendly. Categorising each section under clear subheadings improves readability while making it easier for users to locate and access relevant information.
  2. Explain the benefits: GDPR is not just a law but a gateway for companies to build their users’ trust. This can be done by explaining to users the benefits of data collection and how the collected information relates directly to the company’s business.
  3. Be transparent on third parties that have access to the data: The language used in the privacy policy is of utmost importance. Being sly about slipping in information instead of being clear and precise could lead to accusations of malpractice. That is why it is best for companies to name every company, including their own, that will handle the data.

During Onboarding

Onboarding users is an excellent way to immerse them into the functionality of the app but it should simultaneously be used to inform them about data collection. This is how:

  1. Explain the value: If the app relies heavily on data collected from its users, it is absolutely necessary to inform the users of this while explaining the benefits, just like the message one hears on a customer service helpline that says, “This call may be recorded for internal training purposes”. Explaining the benefits they will receive from the data collected, like personalised searches, targeted ads, etc., will help the users consent voluntarily.
  2. Assure users that they are in control: Reassuring customers that their data is in safe hands and is being handled by professionals will help build a foundation of trust between users and companies, as GDPR has now equipped individuals with enough information to know their fundamental rights on the internet.

Taking In-app Consent

GDPR requires companies to take explicit in-app consent from users while accessing their data. This can be done in two ways:

  1. ‘Just in time’ notices: ‘Just in time’ notices are relevant notices that show up at the moment data is being collected. They give users context on the data that is being collected, how it will be used and how consent can be withdrawn, wherever applicable.
  2. Directing users to data settings: An excellent way to get explicit, voluntary consent from users is to direct them to the phone settings where data sharing is controlled. For example, before asking for their location, users can be directed to the location services feature in their phone settings.

Allowing Full Control of their Data in Data settings

With GDPR, it is now obligatory to give users total access to all the data that is collected from them. This means that users can now browse, change and delete the data that apps hold. Here’s what they are allowed to do:

  1. Revoke consent: Since users are now allowed to revoke consent that they previously gave, it is best to inform them of this possibility, show them where they can access their data, and explain how revoking consent may affect their experience within the app.
  2. Granular marketing preferences: Giving users access to their marketing preferences within the app, like how often they want to be contacted, what kind of content they wish to receive, etc., is a great way to make customers feel in control and gain their loyalty.
  3. Download and delete their data: GDPR allows customers to delete their data at will. To avoid unnecessary accusations, it is best not to hide this option under several layers of settings.
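The consent rules from the Consent Forms section (opt-in, granular, withdrawable, transparent about processors) and the data-settings controls just listed (revoke, download, delete) can be enforced in code rather than left to the wording of a form. The following consent ledger is an added example written for this article; it is not code from the article or from UserExperior, and every purpose name, processor name, settings path and user id in it is constructed for illustration.

```javascript
// Added example (not from the article): a consent ledger that makes the
// GDPR consent rules above mechanical. Every purpose starts "not granted",
// only an explicit user action can grant it, each purpose is granted
// separately, withdrawal is one call, and the user can export or erase
// their whole record. Purposes, processors and ids are constructed.

const PURPOSES = {
  analytics: {
    description: "Crash and usage analytics used to fix bugs faster",
    processors: ["ExampleCo (controller)", "Example Analytics Ltd (processor)"],
  },
  marketing_email: {
    description: "Product news by email; the user picks the frequency",
    processors: ["ExampleCo (controller)"],
    settings: { frequency: ["weekly", "monthly"] }, // granular preferences
  },
  location: {
    description: "Device location for nearby-store search",
    processors: ["ExampleCo (controller)", "Example Maps Inc (processor)"],
  },
};

class ConsentLedger {
  constructor(purposes, now = () => new Date().toISOString()) {
    this.purposes = purposes;
    this.now = now; // injectable clock so the audit trail is testable
    this.records = new Map(); // userId -> { consents, history }
  }

  // Registration creates every purpose in the "not granted" state:
  // no pre-ticked boxes, and no consent inferred from signing up.
  register(userId) {
    const consents = {};
    for (const p of Object.keys(this.purposes)) consents[p] = { granted: false, settings: {} };
    this.records.set(userId, { consents, history: [] });
    return this.explainAll(); // the "just in time" notices to show the user
  }

  // Notice text for one purpose: what is collected, who handles it, how to withdraw.
  explain(purpose) {
    const def = this.purposes[purpose];
    if (!def) throw new Error(`unknown purpose: ${purpose}`);
    return {
      purpose,
      description: def.description,
      processors: def.processors, // every named party, controller included
      withdraw: "Settings > Privacy > Consent lets you switch this off at any time",
    };
  }

  explainAll() {
    return Object.keys(this.purposes).map((p) => this.explain(p));
  }

  // Granular, opt-in consent: one purpose at a time, and only a clear
  // affirmative action counts. Anything else (pre-checked box, silence) is rejected.
  grant(userId, purpose, { source, settings = {} } = {}) {
    const rec = this.record(userId);
    if (!(purpose in rec.consents)) throw new Error(`unknown purpose: ${purpose}`);
    if (source !== "explicit_action") {
      throw new Error(`consent for ${purpose} must come from an explicit action, got ${source}`);
    }
    const def = this.purposes[purpose];
    for (const [k, v] of Object.entries(settings)) {
      if (!def.settings || !def.settings[k] || !def.settings[k].includes(v)) {
        throw new Error(`invalid setting ${k}=${v} for ${purpose}`);
      }
    }
    rec.consents[purpose] = { granted: true, settings, at: this.now() };
    rec.history.push({ purpose, action: "grant", at: rec.consents[purpose].at });
    return true;
  }

  // Withdrawing is as easy as granting, and the audit trail records it.
  withdraw(userId, purpose) {
    const rec = this.record(userId);
    if (!(purpose in rec.consents)) throw new Error(`unknown purpose: ${purpose}`);
    rec.consents[purpose] = { granted: false, settings: {} };
    rec.history.push({ purpose, action: "withdraw", at: this.now() });
    return false;
  }

  // The check every data-collecting code path makes before processing.
  // Unknown users and unknown purposes fail closed.
  isAllowed(userId, purpose) {
    const rec = this.records.get(userId);
    return Boolean(rec && rec.consents[purpose] && rec.consents[purpose].granted);
  }

  // "Download their data": everything the ledger holds about the user, as JSON.
  exportData(userId) {
    const rec = this.record(userId);
    return JSON.stringify({ userId, consents: rec.consents, history: rec.history }, null, 2);
  }

  // "Delete their data": the record is removed; later checks return false.
  erase(userId) {
    return this.records.delete(userId);
  }

  record(userId) {
    const rec = this.records.get(userId);
    if (!rec) throw new Error(`no record for user ${userId}`);
    return rec;
  }
}
```

The design choice worth noting is that `isAllowed` is the only question the rest of the app asks, so a feature such as analytics or location lookup cannot run on a user who never opted in, or who has since withdrawn, regardless of how the consent screen was drawn.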

In conclusion, although GDPR seems complex to understand, it all boils down to one thing – transparency. Companies should make the intention of data handling crystal clear, and privacy controls should be made accessible and user-friendly in both design and language. Becoming GDPR compliant means that companies must minimise the data they collect and limit it to what they really require. Instead of looking at GDPR as a hassle, it should be used as a tool to build a trusting relationship with customers!
