The General Data Protection Regulation (GDPR) is set to change the rights of data subjects (i.e. people), and ergo how companies process and store data, and how they communicate with data subjects at the point of consent and beyond.

So far on the Econsultancy blog, we've concentrated on picking out examples of best practice UX for 'opt-ins' and privacy notices. But as much as we can point out good practice, it's often easier to spot those that look like they may be on shaky ground. I thought it would be useful to round up some examples to see what our readers think. 

I don't want to point the finger or scaremonger, merely to point out UX which is likely already earmarked for improvement ahead of the May 2018 deadline. In some cases, companies are straying into 'dark patterns' territory, but others are guilty only of ill-thought-through design.

Remember that the key point of GDPR is lawfulness of data processing, which when it comes to user experience demands that the data subject gives their clear, affirmative consent (and then subsequently has rights such as the right to erasure or rectification). Alternatively, organisations may rely on other legal bases for processing, such as legitimate interests – though in this case, the organisation's and individuals' interests must be balanced, the processing must be expected by the individual, and a clear privacy notice should still be shown.

As the ICO advises in its guidance for consultation: 'Consent means offering individuals genuine choice and control. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default. Explicit consent requires a very clear and specific statement of consent.'


There's much more to consider in the GDPR – see the ICO's overview – notably storing consent profiles, notifying data subjects of breaches etc., but in this piece once again we'll be looking at website UX at the point of data collection, where consent is relied upon.

1. We Buy Any Car: Opt-out below the fold

If you want to get a valuation for your car on the We Buy Any Car website, you simply have to enter your car registration number, mileage and check a box about service history and previous owners.

That brings you to the screen below, where the company asks for some personal details in order to proceed with your valuation. At first glance, there's some good practice here – see how the email, postcode and mobile fields all include details of how this data will be used ('so we can send your valuation', 'so we can find your nearest branch' and 'so we can text your valuation').

[Image: We Buy Any Car valuation form, above the fold]

But here's the deal – how many users will have hit the 'get my valuation' button shown above, without bothering to scroll down beneath the fold? I would wager quite a high proportion. And why is that a problem? Well, take a look at the next screenshot below. It shows everything at the bottom of the same page, all of which sits beneath the fold (on my MacBook Pro).

And look at that! There's another 'get my valuation' button, this time with a checkbox above it that is pre-checked and says 'I am happy to receive this information'.

What information? Well the blurb above the checkbox says (paraphrasing) your personal information may be provided to associated companies for research and analysis, but also to provide you with info concerning services or products which may be of interest to you. The same goes for services and products from third parties.

This processing may be done on the basis of necessity to enter into a contract (I want my valuation), but the information is still likely to be missed, which isn't ideal.

[Image: We Buy Any Car valuation form, below the fold]

Though there is detail about being able to opt out of these comms in future (that's good), this is clearly an example of a UX where the user may not have given their explicit consent to be contacted or for their data to be shared. The user may have simply not noticed that they had to actively opt-out of these extra comms (something that goes against the ICO's GDPR guidance).

From May 2018, arguably the first 'get my valuation' button above the fold should be removed, requiring the user to scroll past the further information and the privacy statement.

2. Manchester Airport WiFi: Compulsory consent

It seems users have to consent to marketing comms as a precondition of accessing Manchester Airport's free WiFi. See the image in the tweet below.

The ICO's GDPR guidance on consent says:

  • Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate.
  • If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
  • If you make ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis.

As I made clear in a previous article linking GDPR with customer-centricity, those companies that think from a user's point of view about transparency and appropriate processing will put their best foot forward.

Though social media is well-known as a place to vent, rather disgruntled tweets from users who object to the above precondition and are fed up with receiving marketing from Manchester Airport perhaps hint at a lack of balance in this example. Something to think about ahead of the GDPR coming into play.

Perhaps much better here to have no checkbox and rely on legitimate interests, as this would be less confusing for the customer, who feels railroaded into checking a box.

3. WhatsApp: 'Hidden' opt-out

Another example highlighted again by the excellent @PrivacyMatters – when WhatsApp updated its T&Cs in 2016 (to share data with Facebook), it sought affirmative consent from users before changing privacy settings. The FTC had already made clear that users should have the opportunity to opt out of any future changes to how newly-collected data is used:

...the FTC has made clear that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time of data collection...

The problem with the way WhatsApp did this was that all users had to tap to agree when asked to share their personal data with Facebook companies to improve infrastructure and understanding of how the services are used (amongst other things).

One could debate whether this sort of data sharing is necessary for WhatsApp to function, but what was certainly less than desirable was the UX shown below.

Most users will have tapped agree without noticing there was in fact a choice being offered, specifically about the sharing of their WhatsApp data to improve 'Facebook ad targeting and products experiences'. As you can see from the screenshots, this option is 'hidden' in a concertina, with no hint that it resides there.

The default option on this slider button was opt-in, meaning most users will have shared their WhatsApp data with Facebook to improve Facebook advertising, but without giving explicit consent. Under the GDPR, one would expect this kind of UX to be dicey, and that's important because the regulation makes clear that all companies with data subjects in the EC must comply.

[Image: WhatsApp T&Cs update screens]

4. Morrisons, Flybe, Honda: The 'are your details correct?' email

There are several companies that have been fined in recent months by the ICO for flouting customers' marketing wishes by sending emails asking if user details are correct and whether users want to change their marketing permissions.

Though the introduction of the GDPR won't change anything here – these brands had already broken the Privacy and Electronic Communication Regulations (PECR) – the examples are pertinent as companies will increasingly be seeking re-permission from users ahead of the GDPR introduction date in 2018.

The brands in question were Morrisons, Flybe and Honda:

  • Morrisons sent more than 130,000 emails in October and November 2016 to people who had opted out of marketing. The emails were titled ‘Your Account Details’ and invited customers to change their marketing preferences to start receiving money off coupons, extra More Points and the ‘latest news’ from Morrisons. The company was fined £10,500.
  • Honda sent nearly 290,000 emails asking customers to clarify choices about receiving marketing, but could not provide evidence that these customers had ever given consent to receive this type of email. A fine of £13,000 was handed out by the ICO.
  • Flybe sent 3.3m emails in August 2016, again to customers who had opted out of such communications. The email asked ‘Are your details correct?’ and offered entry into a prize draw for recipients who amended information or updated marketing preferences. Flybe was fined £70,000.

When commenting on the Honda and Flybe cases, Steve Eckersley, the ICO's head of enforcement, gave some important advice for any company preparing for the GDPR:

Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.

In direct reference to the new regulation, Eckersley said “Businesses must understand they can’t break one law to get ready for another.” 

5. Econsultancy: Combined T&Cs and privacy policy consent

Writing an article about UX that needs to be improved, I'm aware that I'm open to the accusation of throwing stones in a glass house.

If you register with Econsultancy, you'll find there is an opt in (which is good) but that it is a combined T&Cs and privacy policy opt in, which ultimately means that users must consent to marketing comms in order to register. Section 5 of our privacy policy says "...we may from time to time contact you by email, SMS, telephone or post about our products and services (including from all our brands) that may be of interest to you."

Though some of the marketing through these channels by Econsultancy is undoubtedly expected by the registrant and represents a legitimate interest under the GDPR (e.g. learning about our big annual event), other forms of communication arguably may not be (e.g. a telephone call to sell a ticket for said event).

One of the (many) reasons users register with Econsultancy is to receive our Digital Pulse email, and our account settings let users opt out from a variety of different emails, including the Pulse and certain marketing emails, but nevertheless, our registration form (from May 2018) should arguably give users a granular opt in to being contacted through email, SMS, telephone or post.

Having to contact a company after registration to request not to be contacted with marketing content via certain media may not be something that sits well with the GDPR. It is covered by legitimate interests, though one might debate the definition of 'direct marketing' – is it just mail, or more than that?

Econsultancy currently has a working group looking at GDPR compliance, and registration will undoubtedly be something we look at, to enable users to give their explicit consent to communication that may fall outside of 'legitimate interests' (for example, being asked to take part in a survey).

Again, there's nothing black and white here, as the registrant is entering into a contract to receive particular services – it's all about expectations and transparency.

[Image: Econsultancy registration form]

6. Incisive Media: Combined consent and hidden opt-outs

Incisive Media also has a combined T&Cs and privacy checkbox. Unlike Econsultancy, it offers granular control of marketing communications at point of user consent (split into first- and third-party preferences, each with checkboxes for mail, phone, email).

However, as you can see below, this user consent is done on an opt-out basis. The user would have to click six boxes to opt-out of each form of marketing, from first and third parties. And what's more, these choices are hidden in a concertina.

Again, there are obvious changes that would benefit the user here and help to bring things in line ahead of May 2018. Third parties should be named, for example.

[Image: Incisive Media registration form]

Incisive Media registration, via @PrivacyMatters
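As an added example (not code from the article or from any of the companies it names), here is a small JavaScript 'consent UX linter' that encodes the ICO points quoted earlier and the patterns from the six examples: pre-ticked boxes, consent bundled with T&Cs, controls hidden in a concertina or below the button, consent as a precondition, one tick covering several channels, and unnamed third parties. The form descriptor fields and the two constructed sample forms are assumptions made for this example.

```javascript
// Added example, not from the article. Each rule is [id, violated(control), message].
// The descriptor shape (purpose, channels, recipients, defaultChecked,
// bundledWithTerms, hidden, required) is an assumption for this example.
const RULES = [
  ["pre-ticked", (c) => c.defaultChecked,
    "box is ticked by default; consent by default is not a positive opt-in"],
  ["bundled", (c) => c.bundledWithTerms,
    "marketing consent is bundled into T&Cs / privacy policy acceptance"],
  ["hidden", (c) => c.hidden,
    "control is in a collapsed section or below the submit button"],
  ["precondition", (c) => c.required,
    "consent is a precondition of the service, so it is not freely given"],
  ["granularity", (c) => c.channels.length > 1,
    "one tick covers several channels; offer a separate choice per channel"],
  ["unnamed-recipients", (c) => c.recipients.includes("third parties"),
    "recipients described generically; name the third parties"],
];

// Run every rule over every consent control; one finding per violation.
function lintConsentForm(form) {
  const findings = [];
  for (const c of form.consents) {
    for (const [rule, violated, message] of RULES) {
      if (violated(c)) findings.push({ rule, purpose: c.purpose, message });
    }
  }
  return findings;
}

// Constructed sample 1: the pattern described in the Incisive Media section.
// One combined T&Cs/privacy tick, marketing on an opt-out basis, the choices
// folded away in a concertina, third parties not named.
const bundledOptOutForm = {
  consents: [{
    purpose: "marketing", channels: ["email", "phone", "post"],
    recipients: ["first party", "third parties"],
    defaultChecked: true, bundledWithTerms: true, hidden: true, required: false,
  }],
};

// Constructed sample 2: the same purposes re-expressed as the article
// recommends: one unticked, visible, optional box per channel, recipient named.
const granularOptInForm = {
  consents: ["email", "phone", "post"].map((ch) => ({
    purpose: `marketing by ${ch}`, channels: [ch],
    recipients: ["Example Publisher Ltd (hypothetical)"],
    defaultChecked: false, bundledWithTerms: false, hidden: false, required: false,
  })),
};

// Usage: lintConsentForm(bundledOptOutForm) reports five findings;
// lintConsentForm(granularOptInForm) reports none.
```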

Note that this article represents the views of the author solely, and is not intended to constitute legal advice. The article was updated in December 2017 to add clarity about legal bases other than consent, as well as the PECR's role in direct marketing.

If you are involved with preparations ahead of the GDPR, please let us know your thoughts in the comments below.


Published 1 August, 2017 by Ben Davis @ Econsultancy

Ben Davis is Editor at Econsultancy. He lives in Manchester, England. You can contact him at, follow at @herrhuld or connect via LinkedIn.


Comments (6)


Pete Austin, Founder and Author at Fresh Relevance

Re: "Remember that the key point of GDPR is lawfulness of data processing, which when it comes to user experience demands that the data subject gives their clear, affirmative consent (and then subsequently has rights such as the right to erasure or rectification)."

"Demands" is too strong. Consent is just one of 6 possible grounds for lawful data processing. Here's the full list (click the link for full details). The last 2 are especially relevant to marketers. One theory based on #e could be along the lines of: marketing is in the public interest because marketing is necessary for capitalism to function well, and capitalism is in the public interest, e.g. compare the fate of people living in capitalist vs non-capitalist countries.

(a) the data subject has given consent...
(b) processing is necessary for the performance of a contract...
(c) processing is necessary for compliance with a legal obligation...
(d) processing is necessary in order to protect the vital interests of the data subject...
(e) processing is necessary for the performance of a task carried out in the public interest...
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller...

12 months ago


Ben Davis, Editor at Econsultancy (Staff)

@Pete The fate of capitalism is one argument I haven't heard yet! But it is the subtext for many a privacy discussion, I suppose.

Thanks for raising the issue of 'legitimate interests' again. Any marketer interested in what this covers (which will likely include on-site personalisation and some DM) see the full guidance on this specific issue, including examples in the following doc from the Data Protection Network -

12 months ago


Chris Ellis, Group Digital Marketing Manager at Belron International Ltd

@Pete Austin nice try and I hope you were being light-hearted for the sake of constructive debate, but in reality I can't imagine any business being allowed to send any marketing comms without consent as the lawful ground under the GDPR.

12 months ago


Matt Lovell, Head of Customer Data, Insight & Analytics at Eurostar International Ltd.

Nice article Ben. My other favourite I see from time to time is the 'to unsubscribe / opt out, click here' where the 'click here' CTA is white text on a white background as if the fact they've included it even if it is invisible to the naked eye means they're still compliant.

The other issue beyond privacy notices is the confused nature of functional and clear preference centres / opt outs. This is something I've recently experienced with the Times where in order to view their content I had to sign up and now, despite having unsubscribed from every email possible within their preference centre, I'm still receiving daily emails from them.

It demonstrates that companies need to not only plan through how things will work but also actually make sure the functionality works as otherwise at the moment, they're definitely in breach having failed to let me fully opt out of comms...

12 months ago


Ben Davis, Editor at Econsultancy (Staff)

@Matt Yep, with media it seems particularly tricky to me. Companies want to make you aware of content, but opting out has to be easy. The BBC is an interesting example - in your account you can 'turn off personalisation' with a little button which stops content-led emails. Anything else will come with an unsubscribe link, I believe.

Some media organisations believe that 'free content' means they are entitled to blast lots of email at the user, but control is essential for that user. Would be interested to see what the Times privacy policy says - i.e. how you as a user can completely unsubscribe - I presume it is detailed there, but is simply not an intuitive process for the user.

12 months ago


Matt Lovell, Head of Customer Data, Insight & Analytics at Eurostar International Ltd.

@Ben - You'd love to think that News Inc. were all nice and compliant but not so much.

Privacy Policy tells you to unsubscribe from the communications, the emails tell you to update your preferences and despite doing that, it has no impact. Let's hope for their sake they have plans to be slightly more customer focused come May-18.

For now, they've received a nice complaint from me and I look forward to their response!

12 months ago
