WTF is GDPR?

This post originally appeared on Ueno’s blog. Dear Ueno is an advice column for people who for some weird reason think we know what we’re doing. Find out more, or read our old advice.

* * *

 

Jan from Michigan sent us an email:

Dear Ueno,

What is GDPR and what does it mean for designers? Should I be doing something?


Liz Donovan, in charge of marketing and things at Ueno NYC, cheerfully replies:

Hi there, Jan.

Everyone recently received a bunch of emails about updated privacy policies that they promptly deleted. I don’t blame them.

If you work in marketing, design, technology, or any web-related job, you might have seen the letters GDPR floating around. But it’s still a pretty foggy concept.

Let’s try to clear some of the fog.

What. The. GDPR.

The General Data Protection Regulation (GDPR) is a new piece of European Union legislation that sets rules for how organizations collect and process personal data. (The regulation's own term is "personal data"; the American phrase "Personally Identifiable Information (PII)" is narrower, but this post uses the two interchangeably.) It officially went into effect on May 25th, 2018.

Personal data includes things like name, email address, birthdate, identification documents (passport, social security number), address, phone number, passwords, biometrics (face, fingerprint, voice), and also online identifiers such as IP addresses, cookie IDs and device IDs. Basically, any information that can be tied to you, either on its own or combined with other data.

So it only applies to companies and people in the EU?

Nope. It protects anyone in the EU whose data is processed, citizen or not, and it reaches companies outside the EU that offer goods or services to people in the EU or monitor their behaviour (tracking and analytics on a website count as monitoring). A company based in the US with visitors from the EU therefore needs to be compliant too. It is the World Wide Web, after all.

What are the rules?

  • Companies that collect personal data must be upfront about what they’re collecting, why they’re collecting it, how long they will keep it, and if they’re sharing it with any other companies or outside the EU.
  • Individuals whose data is captured can request a copy of all the data a company has about them (and, for data they handed over themselves, get it in a machine-readable format they can take to another service), and they have the right to have it erased, subject to some exceptions such as legal retention requirements.
  • Some companies are required to employ a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR. This applies to a) public authorities, b) organizations whose core activities involve regular and systematic monitoring of people on a large scale, or c) organizations whose core activities involve large-scale processing of sensitive data (health, biometrics, religion, sexual orientation, criminal convictions, and so on).

What does this mean for the general public?

  • For individuals: If you're in the EU, your data is better protected and you have more control over what companies do with it. Yay! For everyone else, nothing much to see here, move along.
  • For companies: Regardless of where they're based, if they handle personal data of people in the EU, they may face fines if they don't get compliant ASAP. The upper tier is €20 million or 4% of worldwide annual turnover, whichever is higher.

What does this mean for me as a designer? What should I be doing for the sites I make?

GDPR is great for users, and most of the compliance action takes place on the data storage, engineering, or marketing side. That said, it's still tricky for designers because the regulation describes outcomes ("clear and plain language", consent that is "freely given") rather than specific UI patterns.


Basic compliance:

  • Use simple, clear language. The regulation literally asks for "clear and plain language" in anything addressed to the user, so no legalese in consent prompts.
  • 2-choice CTAs need to be presented with equal importance. "Yes, I accept" and "No, I decline" should be styled in the same way, with no primary/secondary styling. Consent has to be a free choice, and a big green Accept next to a grey text-link Decline is a nudge, not a choice.
  • GDPR consent opt-in checkboxes cannot be checked by default. Sneaking a pre-ticked "yes, sign me up for your newsletter!" checkbox into your signup flow is not allowed; a pre-ticked box doesn't count as consent at all.
  • If the user is opting in to anything anywhere, you need to let them opt out, and withdrawing consent has to be as easy as giving it. Probably in the Settings section.
  • Make sure your Settings section includes a "Download your data" option.
  • Newsletters are usually double opt-in: after signing up on your website, you send another email asking the user to confirm their subscription. GDPR doesn't spell out double opt-in, but it does require you to be able to prove that consent was given, and the confirmation email is the standard way of doing that.
  • Granular permissions: separate opt-ins for separate purposes. One checkbox that covers the newsletter, analytics and sharing with partners isn't valid consent for any of them.


Checklist for designers:

  • Are your designs misleading in any way? (It helps to think of GDPR as a way of being “ethical” as a designer.)
  • Do you need all the information you’re asking the user to give you? Why? And what are you giving the user in return?
  • Are you communicating about privacy in a simple and clear way?
  • Do your designs help the company build trust with the user?
  • Is it clear that the user can manage privacy controls at any time?
  • Is it clear where privacy settings can be managed?
  • Is it abundantly clear what information the user is currently sharing or not sharing?
  • What information would the user expect to find in the “download your information” feature?
  • Does your design make it clear what the user should expect to see in their downloaded information?

Hope this helps.

Best,
— Liz.

P.S. Special thanks to Carolyn Zhang and Joshua Munsch for their contribution.

Obligatory legal disclaimer: Please don’t sue us if this explanation isn’t 100% legally precise. As always, consult with your lawyer before doing anything, ever.