Grant / November 2023

From Policy To Pixels: Strategic UX Design and User Support for GDPR Implementation

This piece originally appeared on the Superbloom Blog here:

Download the report

By: Susan Kennedy, Ame Elliott, and Georgia Bullen

Introducing our new report “From Policy to Pixels: Strategic UX Design and User Support for GDPR Implementation.” Supported by the University of California Berkeley Center for Long-Term Cybersecurity (CLTC), we conducted research to better understand how GDPR policy implementation is situated in current UX practices and how multi-disciplinary product teams reach design decisions.

We have all seen them: the boxes that pop up when we enter a site, obstructing our view and interrupting our reason for being there in the first place. These boxes are cookie banners, and they exist to inform you of your right to opt-in to data collection (or opt-out, based on the laws where you live). By presenting the user with that choice immediately upon pulling up a website, the user is forced to make a decision to continue their original task. This is a good thing, right? Users should be able to decide whether businesses collect their personal data. However; in practice, it’s not that simple. The design of these banners greatly impact the user’s experience, and their experience impacts their ability to make an informed and active choice.

Cookie banner design is important, and too often overlooked. We explored this issue and are pleased to present the results in our new report “From Policy to Pixels: Strategic UX Design and User Support for GDPR Implementation.” Supported by the Center for Long-Term Cybersecurity (CLTC) at the University of California Berkeley, we conducted qualitative interviews with five designers and front-end developers with experience in creating cookie banners. Our goal was to situate GDPR policy implementation in current UX practices, and understand how multi-disciplinary product teams reach design decisions as a compliance effort. As part of our work, in July 2022, the CLTC invited us to participate in its symposium “Comparing Effects and Responses to GDPR and CCPA/CPRA,” which brought together multi-disciplinary researchers to discuss current and developing data privacy policies. (Read the symposium summary here.)

What does design have to do with policy?

GDPR is the EUs General Data Protection Regulation, which among other things requires that businesses give online users a choice regarding data collection. This is why cookie banners are ubiquitous in the EU. However; it’s been well proven that cookie banners do not work, at least not in common design implementations. With data privacy laws being introduced and updated all around the world, there is an urgent opportunity to examine how the user-facing implementation of these policies work and what can be done to improve them. In our study, we found that business discussions about cookie banner implementation promote a focus on compliance legalese rather than interactive, usable visual elements that enable active choice. 

In our paper, we outline these core findings, and propose a preliminary framework of personas (archetypal profiles) for capturing a range of attitudes towards GDPR cookie consent compliance and graphical implementation. Using those personas to evaluate existing tools for cookie management, we identified a gap in the tooling and support ecosystem that can meet the needs of people without large budgets or specialized legal or technical knowledge who are eager to cater a cookie banner experience around meaningful, user-centered consent. Equipping people without specialized domain knowledge or personal passion for privacy to participate in discussion about GDPR cookie consent implementation is essential for shifting the status quo and making informed consent a reality.

Want to learn more? 

From Policy to Pixels: Strategic UX Design and User Support for GDPR Implementation

And see a printable Zine that introduces our persona framework, outlining divergent approaches to cookie banner implementation.


Project Contributors: Ame Elliott, Susan Kennedy, Georgia Bullen.

* Susan Kennedy undertook this work with Ame Elliott while she was Program Manager at Superbloom. She is now at Open Technology Fund and may be found on LinkedIn.

With support from Center for Long-Term Cybersecurity (CLTC) University of California Berkeley.