The UX of Privacy Notices: 3 Different Ways to Gather Valid Consent

Feroot Privacy Notice UX_medium

Since GDPR came into effect in May 2018, most companies have updated their privacy policies. But there is still a lot of confusion about what needs to be included and what is considered "valid consent". Moreover, there has been very little attention given to the user experience (UX). After all, one of the primary purposes of privacy notices is to give users more control over their data. So how are you doing this exactly? And what is your strategy to gain customers' trust in the process? 

This article looks at three different ways to craft a good privacy notice and clarifies what is required for compliance under the GDPR and CCPA. 

Privacy Notices: What is Required for Compliance under GDPR & CCPA

Articles 13 and 14 of the GDPR and the associated guidance from the European Commission provide very specific guidance on what must be disclosed to data subjects when you are collecting their consent. Determining which Article  (13 or 14) applies to your situation depends on how you obtain the personal data in the first place. For instance, if personal data comes from the data subject directly, then Article 13 applies. But if the data controller receives personal data from a third party – say by purchasing a list or sponsoring an event – then Article 14 explains how and when disclosures should be made.

The CCPA (California Consumer Protection Act) is very similar to the GDPR in terms of what is required for disclosure. In short, privacy policies need to be transparent, written in plain and clear language and include the following information:

  1. Contact information for the company (ideally the Data Privacy Officer)

  2. What you’re going to use the data for

  3. List the categories of data you’re collecting

  4. How long you’re going to keep the data for, or else the criteria for keeping it

  5. How to contact you about issues or how to remove the data

  6. If the data is going to be used for profiling and in general terms the logic involved

  7. The identify of any parties with whom the data will be shared

Most companies do a pretty good job of including all the above information in their privacy notice, however, many forget to include “parties with whom the data will be shared” (ie., third party vendors).  

According to the U.K. Information Commissioner’s Office outline on privacy notices, this is a very important requirement.  So be careful — if consent is to be considered valid under the GDPR and CCPA, you need to be specific about who is storing and processing your customers’ data. This is also referred to as a “transparency notice” (i.e, disclosing third party vendors). And don't forget, you also need to provide customers an easy way to withdraw consent from these vendors. From both a compliance and UX perspective, this process should be as seamless as it was for providing their consent in the first place.

Option #1 — The tick-off-a-box approach

This is by far the most common, but not necessarily the best, or even most compliant solution. After filling out a form, users are presented with a small checkbox to tick off their consent. This box is usually beside or below the form and provides users with a link to the companies’ Privacy Policy or Privacy Statement.

The problem with this method is that it requires an extra step. And let's be honest — who bothers to click through? And even if you do click through, you're faced with a long legalese document. We're not lawyers, but this could potentially become a problem when determining "valid consent". Secondly, it’s not easy for clients to withdraw consent  — another key requirement for GDPR and CCPA compliance. With the tick-off-a box approach, users who want to withdraw consent have to click through to your policy, scroll through statement and scan the fine print for the right contact information, then email someone and wait to hear back. This can take hours, days or even weeks (remember, you have 30 days to respond to their request). Overall, this is a very poor privacy experience and only meets the bare minimum requirements for GDPR and CCPA compliance. 

Privacy Policies: Example of the tick-off-a-box approach

Tick off a Box with Red Circle_Bigger (2)

Option #2. The Pop-Up or Just-in Time Method

This is a slightly more user-friendly option, as the relevant information is displayed at the time you provide personal data. A good example of a company doing this is Microsoft. As you fill in your personal data, a box pops-up explaining why and how they are processing your data. Right away it’s a more transparent and user-friendly experience. Microsoft also does a good job of layering. As you can see in the screenshot below, there are clickable subtitles for each section, in a question format that links to more detailed information. This makes it much easier to find the relevant data and gives users more control and navigation options to get the right information quickly.

Microsoft Just in time approach

Microsoft Privacy Statement 


Option #3: A Privacy Dashboard with Tabs

We’re big fans of this method because it provides customers with specific, transparent information right away and a user-friendly interface to request more information without having to click through to another page. The tabular format or dashboard allows visitors to quickly and easily digest what you are doing with their data, where it is stored and processed, and finally who the relevant contact is for managing your data. This avoids the tedious process of reading through a long, legalese document to find relevant information, thereby helping you collect more “valid consent”. Plus, it shows your existing customers (and potential new customers) that you take their privacy seriously — a big concern for everyone these days even if you are a data processor! Plus, this method is unique, so it will help you stand out from your competitors.

Feroot Tab Privacy Notice


If you have taken the first and necessary step towards privacy compliance by updating your privacy policies and using plain and clear language — good job. Now, with privacy being top of mind for consumers and critical for data controllers choosing third-party vendors, it might be time to re-evaluate the privacy experience. Why? Because this could be a great way to differentiate yourself from other vendors and gather more valid and informed consent.

For this, you'll want to ask yourself the following: is the experience of reading our privacy policies as seamless as it could be or am I making it more difficult and slowing down the decision-making process? Am I communicating to new leads that I really care about data protection or am I am doing the bare minimum? Am I providing customers with an easy way to withdraw consent? Have I ensured that I am collecting "valid consent"? Am I making it easy for data controllers and customers to find the information they need quickly? If you answered no to any of these, maybe it's time to re-think your privacy statement and give it a privacy experience makeover. 

For more tips on how to gather valid consent with your privacy notice, check out this excellent resource by the Office of the Privacy Commissioner of Canada —  "Guidelines for Gathering Valid Consent"

About Feroot

Feroot is on a mission to turn privacy from compliance to a competitive advantage. Our Privacy Platform allows you to quickly and efficiently manage on-premise, third-party vendors across applications and automatically integrate privacy notices in a user-friendly way.  

To learn more about Feroot, ask to get a demo today!

Picture of Lori Smith
Lori Smith
Lori is marketing lead at Feroot Privacy

More articles