The General Data Protection Regulation (GDPR) is set to change the rights of data subjects (i.e. people), and ergo how companies process and store data, and how they communicate with data subjects at the point of consent and beyond.
So far on the Econsultancy blog, we’ve concentrated on picking out examples of best practice UX for ‘opt-ins’ and privacy notices. But as much as we can point out good practice, it’s often easier to spot those that look like they may be on shaky ground. I thought it would be useful to round up some examples to see what our readers think.
I don’t want to point the finger or scaremonger, merely to point out UX which is likely already earmarked for improvement ahead of the May 2018 deadline. In some cases, companies are straying into ‘dark patterns’ territory, but others are guilty only of ill-thought-through design.
Remember that the key point of GDPR is lawfulness of data processing, which when it comes to user experience demands that the data subject gives their clear, affirmative consent (and then subsequently has rights such as the right to erasure or rectification). Alternatively, organisations may rely on other legal bases for processing, such as legitimate interests – though in this case, the organisation’s and individuals’ interests must be balanced, the processing must be expected by the individual, and a clear privacy notice should still be shown.
As the ICO advises in its guidance for consultation: ‘Consent means offering individuals genuine choice and control. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default. Explicit consent requires a very clear and specific statement of consent.’
There’s much more to consider in the GDPR – see the ICO’s overview – notably storing consent profiles, notifying data subjects of breaches etc., but in this piece once again we’ll be looking at website UX at the point of data collection, where consent is relied upon.
1. We Buy Any Car: Opt-out below the fold
If you want to get a valuation for your car on the We Buy Any Car website, you simply have to enter your car registration number, mileage and check a box about service history and previous owners.
That brings you to the screen below, where the company asks for some personal details in order to proceed with your valuation. At first glance, there’s some good practice here – see how the email, postcode and mobile fields all include details of how this data will be used (‘so we can send your valuation’, ‘so we can find your nearest branch’ and ‘so we can text your valuation’).
But here’s the deal – how many users will have hit the ‘get my valuation’ button shown above, without bothering to scroll down beneath the fold? I would wager quite a high proportion. And why is that a problem? Well, take a look at the next screenshot below. It shows everything at the bottom of the same page, all of which sits beneath the fold (on my MacBook Pro).
And look at that! There’s another ‘get my valuation’ button, this time with a checkbox above it that is pre-checked and says ‘I am happy to receive this information’.
What information? Well, the blurb above the checkbox says (paraphrasing) that your personal information may be provided to associated companies for research and analysis, but also to provide you with info concerning services or products which may be of interest to you. The same goes for services and products from third parties.
This processing may be done on the basis of necessity to enter into a contract (I want my valuation), but the information is still likely to be missed, which isn’t ideal.
Though there is detail about being able to opt out of these comms in future (that’s good), this is clearly an example of a UX where the user may not have given their explicit consent to be contacted or for their data to be shared. The user may simply not have noticed that they had to actively opt out of these extra comms (something that goes against the ICO’s GDPR guidance).
From May 2018, arguably the first ‘get my valuation’ button above the fold should be removed, requiring the user to scroll past the further information and the privacy statement.
2. Manchester Airport WiFi: Compulsory consent
It seems users have to consent to marketing comms as a precondition of accessing Manchester Airport’s free WiFi. See the image in the tweet below.
— Privacy Matters (@PrivacyMatters) 6 July 2017
The ICO’s GDPR guidance on consent says:
- Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate.
- If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
- If you make ‘consent’ a precondition of a service, consent is unlikely to be the most appropriate lawful basis.
As I made clear in a previous article linking GDPR with customer-centricity, those companies that think from a user’s point of view about transparency and appropriate processing will put their best foot forward.
Though social media is well-known as a place to vent, rather disgruntled tweets from users who object to the above precondition and are fed up with receiving marketing from Manchester Airport perhaps hint at a lack of balance in this example. Something to think about ahead of the GDPR coming into play.
It would perhaps be much better here to have no checkbox and rely on legitimate interests, as this would be less confusing for the customer, who otherwise feels railroaded into checking a box.
3. WhatsApp: ‘Hidden’ opt-out
Another example highlighted again by the excellent @PrivacyMatters – when WhatsApp updated its T&Cs in 2016 (to share data with Facebook), it sought affirmative consent from users before changing privacy settings. The FTC had already made clear that users should have the opportunity to opt out of any future changes to how newly-collected data is used:
…the FTC has made clear that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time of data collection…
The problem with the way WhatsApp did this was that all users had to tap to agree when asked to share their personal data with Facebook companies to improve infrastructure and understanding of how the services are used (amongst other things).
One could debate whether this sort of data sharing is necessary for WhatsApp to function, but what was certainly less than desirable was the UX shown below.
Most users will have tapped agree without noticing there was in fact a choice being offered, specifically about the sharing of their WhatsApp data to improve ‘Facebook ad targeting and products experiences’. As you can see from the screenshots, this option is ‘hidden’ in a concertina, with no hint that it resides there.
The default option on this slider button was opt-in, meaning most users will have shared their WhatsApp data with Facebook to improve Facebook advertising, but without giving explicit consent. Under the GDPR, one would expect this kind of UX to be dicey, and that’s important because the regulation makes clear that all companies with data subjects in the EC must comply.
4. Morrisons, Flybe, Honda: The ‘are your details correct?’ email
There are several companies that have been fined in recent months by the ICO for flouting customers’ marketing wishes by sending emails asking if user details are correct and whether users want to change their marketing permissions.
Though the introduction of the GDPR won’t change anything here – these brands had already broken the Privacy and Electronic Communication Regulations (PECR) – the examples are pertinent as companies will increasingly be seeking re-permission from users ahead of the GDPR introduction date in 2018.
The brands in question were Morrisons, Flybe and Honda:
- Morrisons sent more than 130,000 emails in October and November 2016 to people who had opted out of marketing. The emails were titled ‘Your Account Details’ and invited customers to change their marketing preferences to start receiving money off coupons, extra More Points and the ‘latest news’ from Morrisons. The company was fined £10,500.
- Honda sent nearly 290,000 emails asking customers to clarify choices about receiving marketing, but could not provide evidence that these customers had ever given consent to receive this type of email. A fine of £13,000 was handed out by the ICO.
- Flybe sent 3.3m emails in August 2016, again to customers who had opted out of such communications. The email asked ‘Are your details correct?’ and offered entry into a prize draw for recipients who amended information or updated marketing preferences. Flybe was fined £70,000.
When commenting on the Honda and Flybe cases, Steve Eckersley, the ICO’s head of enforcement, gave some important advice for any company preparing for the GDPR:
Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.
In direct reference to the new regulation, Eckersley said “Businesses must understand they can’t break one law to get ready for another.”
Writing an article about UX that needs to be improved, I’m aware that I’m open to the accusation of throwing stones in a glass house.
Though some of the marketing through these channels by Econsultancy is undoubtedly expected by the registrant and represents a legitimate interest under the GDPR (e.g. learning about our big annual event), other forms of communication arguably may not be (e.g. a telephone call to sell a ticket for said event).
One of the (many) reasons users register with Econsultancy is to receive our Digital Pulse email, and our account settings let users opt out of a variety of different emails, including the Pulse and certain marketing emails. Nevertheless, our registration form (from May 2018) should arguably give users a granular opt-in to being contacted through email, SMS, telephone or post.
Having to contact a company after registration to request not to be contacted with marketing content via certain media may not be something that sits well with the GDPR. It is covered by legitimate interests, though one might debate the definition of ‘direct marketing’ – is it just mail, or more than that?
Econsultancy currently has a working group looking at GDPR compliance, and registration will undoubtedly be something we look at, to enable users to give their explicit consent to communication that may fall outside of ‘legitimate interests’ (for example, being asked to take part in a survey).
Again, there’s nothing black and white here, as the registrant is entering into a contract to receive particular services – it’s all about expectations and transparency.
6. Incisive Media: Combined consent and hidden opt-outs
Incisive Media also has a combined T&Cs and privacy checkbox. Unlike Econsultancy, it offers granular control of marketing communications at point of user consent (split into first- and third-party preferences, each with checkboxes for mail, phone, email).
However, as you can see below, this user consent is done on an opt-out basis. The user would have to click six boxes to opt out of each form of marketing from first and third parties. What’s more, these choices are hidden in a concertina.
Again, there are obvious changes that would benefit the user here and help to bring things in line ahead of May 2018. Third parties should be named, for example.
Incisive Media registration, via @PrivacyMatters
Note that this article represents the views of the author solely, and is not intended to constitute legal advice. The article was updated in December 2017 to add clarity about legal bases other than consent, as well as the PECR’s role in direct marketing.
If you are involved with preparations ahead of the GDPR, please let us know your thoughts in the comments below.