The technologically illiterate Eurocrats who wouldn’t know what a cookie was unless they could dunk it? 

The regulators with 50+ pages of waffled guidance?

The lawyers whose advice was little more than verbatim regurgitation of the law, trundled out at a thousand pounds an hour?

Yeah, that lot. They should have just left us digital folk alone instead of interfering in stuff they didn’t understand. Right?


Actually it was our fault. To some extent it was directly my fault, but really the blame needs to lie at the collective feet of digital marketers, designers, brand owners and the tech community at large. 

We didn’t have to end up with cookie banners all over the place. We got them to a large extent because most of the digital industry tried to stick its head in the sand and hope the problem would go away.  

We had three years warning to figure out how to solve the problem without banners, but almost nobody wanted to know about it. When they finally faced up to the need for change, banners were the quickest solution.  

Now we have both user and developer expectation that they are the only solution, creating market inertia against a shift to an alternative.

However, I am not here to point fingers for past wrongs, but give a warning for the future. There is a change coming far bigger than the cookie law and if the digital industry doesn’t learn from those mistakes, it will find itself repeating them in little more than a year or two from now. Only the cost of getting it wrong will be much greater.


Launched at the beginning of 2012, the EU General Data Protection Regulation (GDPR) is a legal juggernaut designed to harmonise data privacy across Europe and strengthen consumer protection.  

It has been subject to massive lobbying, with over 4,000 tabled amendments, currently exists in three different versions and is widely expected to be negotiated into a finished package around the end of this year.  

Following this there will be two years for everybody to make changes to comply, but all of those in the know believe this will prove to be a very short time for most companies to adapt.

The requirements for complying with the GDPR are wide ranging, and include similar requirements as the cookie law. However the reason that no-one will be able ignore it until the last minute this time is the level of fines for non-compliance.  

These could go as high as 5% of global turnover or €100m. Costs could be higher still if rights for consumers to take collective legal action make it in.

The figures are deliberately significant, designed to make sure that responsibility for compliance will rest at the highest levels in the organisation. They are also intended to ensure that management takes a ‘risk minimisation’ approach to the law. Anything less will come with too much potential cost, and possibly become uninsurable.

The GDPR will impact many areas of business operations but digital interfaces will be in the front line, not least because the changes in the law are happening partly in reaction to the advance of technology into every aspect of people’s lives. With this in mind, there will likely be organisational diktats from above to ‘get compliant’.

The risk here is that getting compliant in a purely reactive, ‘do what the law says’ kind of way could destroy UIs, ruin the customer experience and scare visitors away.

What is really needed is some innovative thinking and a whole new way of engaging with the needs and interests of individuals.

Transparency and control

What we have right now is a model of data collection and usage based on an over-stretched idea of user ‘consent’ which largely relies on hiding information away in privacy notices that no-one reads, and where the assumed permissions are in reality lack of user knowledge and choice.

The GDPR sets out to destroy this ‘consent by acquiescence’, and if you listen to the legal bods, you get presented with images of notices and check boxes taking over the interface. However this only really going to highlight the risks to users, who are already increasingly concerned about how their information is used.

The brands that will succeed in this new era will not be those fixated on consent, but the ones that embrace the twin notions of ‘transparency’ and ‘control’, for which consent is merely a proxy. These concepts are only very rarely supported in current UX design. 

What is needed is to bring these two disciplines right to the fore of the interface. The recent changes by Google to provide users with privacy choices are a clear indication that they recognise the need to tackle this issue. Many will argue that they are still falling short, but it clearly shows the general direction of travel.


In the UK the BBC will launch myBBC this autumn and from the beginning of its development it has emphasised transparency and control. A stress has been put on making it clear to users what data is being collected and why, then giving them control over it, but this is not done just using tick boxes and T&Cs. 

Most importantly the UX team has been involved from the beginning and are seen as key to making sure that the necessary compliance is done with as little friction as possible.  

As James Leaton Gray, the man who was charged with designing the privacy system for myBBC, puts it: 

The idea is that privacy is completely integrated into the product, not seen as an add on that no one will use, just there to keep the lawyers happy.

The BBC said that it’s taking this approach to ensure the trust its audience has in it is continued into the digital age.


Trust is another word that will play an important role in interface design in coming years. However, while a lot of companies talk about it, not many are really investing in getting it right online yet.  

The current message ‘Trust us, we take privacy seriously’ is often obfuscation. As long as dark patterns like pre-ticked boxes accompany web forms for data sharing, trust is being forced.  

Such behaviour will need to go. Instead the message needs to become ‘Let us show you we are trustworthy’. The way to do that will be to cede control to the user and persuade them of the benefits of engaging rather than assuming you can engage them unless they opt-out.

To succeed in the face of the challenge of the GDPR you will need to do more than the least possible to comply according to the advice from lawyers. Instead, set out to change your interfaces to promote transparency and hand control over data to users.  

Get it right and trust and consent will follow.

With thanks to James Leaton Gray for his contribution about his work on myBBC.