Report published January 2024
As more and more people engage with digital products and services, there is a need to find new ways of empowering them over their personal data and privacy. Transparency, education, controls and consent moments have emerged as key UX tools in achieving this aim.
This best practice guide focuses on consent moments. How can we design consents that empower users, balancing their need for control with usability?Download report: best_practices_for_consent_design.pdf 28 MB
The promise of consent is to give users control over when and how their data is processed. If users are informed, they can make better decisions about their privacy and exert control over how and when their data is shared.
However, there is a central tension inherent in this promise: on the one hand, the need to give users enough information and granular control, and on the other the risk of causing consent fatigue.
When designed well, consent is a moment to pause, adding friction to slow the user down. This gives them time and space to make an informed choice. Best-practice consent moments prompt a “lean-in” experience where people are engaged in their privacy choice and, as a result, are more likely to make informed decisions.
However, using consent too frequently or indiscriminately risks adding too much friction. This can cause users to disengage, make arbitrary decisions and for product makers may force a trade-off between ease of use and meaningful engagement. In this way, paradoxically, more consent moments may lead to less control for users.
Around the world, policy and product makers have been trying to strike a balance between these tensions, so users make informed decisions about their data.
The European Commission recently noted in their Cookie Pledge, that “many people are tired of having to engage constantly with complex cookie banners generating the so-called cookies fatigue and as a result they may simply give up trying to express their real privacy preferences”.
In Australia, the Australian Privacy Act Review Report has stated that “an over-reliance on notice and consent can place an unrealistic burden on individuals to understand the risks of complicated information handling practices and may not result in improved privacy outcomes”.
The National Privacy Commission in the Philippines is actively advocating for companies to move away from an over-reliance on consent, stating that “organizations must avoid consent fatigue by properly identifying the lawful basis for processing prior to any data collection. If another lawful basis applies, then a request for consent is unnecessary and does not need to be made”.
We present the design patterns in this report as a continuation of a long-running conversation about consent moments, and how design thinking can help us create consent that lives up to its promise – empowering users with more control over their data.