GDPR is here and, yes, user experience is still broken
New data regulations held the promise of an improved user experience for digital services, but the reality is more pop-ups, confusion and inconsistency.
In the era of GDPR, informed users were expecting to have greater control of their data. But what they hoped for, maybe subconsciously, was that this control would not just keep their personal data safe but also improve the user experience of digital services. Fewer surprising (and not in a good way) emails; fewer creepy ads; more transparent and therefore trustworthy and, dare I say, fun-to-use websites.
However, it’s clear that the variety of different approaches to compliance has not produced a utopian consistency in web forms, check-boxes and privacy notices – the user experience side of GDPR. Let’s not wade through the finer points of the legislation again; suffice to say that some companies have let ‘legitimate interests’ do more legwork than others, for better or worse, and the guidance from the ICO has not always been seen as gospel.
The rather frustrating thing is that stricter interpretations of the regulation have not felt good. Yes, the killing off of sneaky language (‘click if you don’t want to receive marketing’) has certainly been a good thing, but a focus on user consent for tracking and personalisation has resulted in sometimes stultifying user experiences.
For starters, US-based companies such as Walmart-owned Modcloth, the Chicago Tribune, NPR and, ironically, the Association of National Advertisers have gone as far as effectively shuttering their websites to EU users, rather than risk non-compliance in these areas. But more annoying are the consent management platforms (CMPs) being used by many publishers.
CMPs present customised pop-ups to users, allowing them to opt in to data sharing with ad partners and decide for what purposes the publisher can process their data – analytics or personalisation, for example. In theory, which is all we have had for the past few years from studying the GDPR text, this is a wonderful thing.
In reality, though, there are issues with these pop-ups. First, without stereotyping my grandmother, the last thing she needs when she visits a new and unfamiliar website is more shit popping up in her browser. Conceptually, it is difficult for her to understand the competing designs on her attention coming from the operating system, browser, publisher and advertiser (let alone ad networks, demand-side platforms, etc).
In her mind, if she has entered her credit card details on a website, then ‘the computer’ has her bank details and every single message could be of paramount importance. I’m getting sidetracked here, but it’s easy to see how the ecosystem has already failed her in some ways, even before CMPs arrived.
The next problem is that even for digital natives, this stuff is annoying. Mobile experiences have long been compromised by pop-ups and now we have added in a bunch more to slow things down and conceal the actual content further still. I’ve even found mobile websites where, presumably due to a bug in this new tech, it is impossible to tap the ‘agree’ or ‘continue’ button and I have been unable to view any content at all.
Dan Barker, an excellent ecommerce and digital marketing consultant, pointed out on Twitter: “Lots of big media sites are using a GDPR plugin from Quantcast to manage privacy options. But it is very odd… Here’s an example from @politico. I turn everything off, click ‘Save & Exit’, reload the page, and they fire 58 trackers before asking me to opt in again.”
There’s another issue: CMPs or more bespoke preference centres are also not consistent. In an article on Medium, programmer Giacomo Tesio writes about his experience on publisher InfoWorld’s website. He was served a privacy pop-up briefly saying that some (unnamed and unnumbered) third parties need consent to store cookies, undertake personalisation, etc. Two options were presented – ‘update privacy settings’ and the rather throwaway ‘sounds good, thanks!’.
Tesio writes that the pop-up expanded into a window where he could precisely decide which permissions he gave the website. Everything seemed to him to be clear, well explained and free from deception until the last step – ‘vendor consents’.
InfoWorld wanted to share his data with 338 vendors, and with a single click of ‘sounds good, thanks!’, that’s what it would have done. When Tesio realised this, he decided not to give any consent whatsoever. However, in order to make this choice he had to click 338 times – there was no ‘deselect all’ button. This seems like a dark pattern in sheep’s clothing.
Let’s end on a wistful note. USA Today, as developer Marcel Freinbichler points out on Twitter, “decided to run a separate version of their website for EU users, which has all the tracking scripts and ads removed. The site seemed very fast, so I did a performance audit. How fast the internet could be without all the junk.” The result was that the site required just 500KB of data to load, rather than 5.2MB.
Without all the junk, indeed. Display advertising is not keeping publishers afloat, yet it is still ruining websites. Hmm.
Ben Davis is editor at Marketing Week’s sister title Econsultancy.
Agree with your points regarding the numerous ‘holes’ in the CMPs that publishers are using but I wanted to add a few.
(1) Ad Consent is NOT Enterprise Consent – The consent solutions offered by Quantcast and all the other IAB members are more accurately called “Ad Consent” solutions because they only concern themselves with consent related to ad delivery. Since nearly all publishers and content sites capture private data themselves (for email newsletter lists, user generated content, and surveys as examples) they are clearly in violation of GDPR if they don’t give users clear notice and gather their consent for those non-Ad-delivery related data. In other words, the Ad business has provided publishers with a solution that keeps the ads running but really isn’t a consent solution at all for the publisher. To comply, publishers need to offer users a second consent flow that covers the data they capture under normal operations. Few publishers understand this and most think they have achieved GDPR consent compliance by using one of the free Ad consent systems mentioned in your post.
(2) Consent is a key operational function post May 25th and ‘band aid’ solutions will actually hurt business in the long run. Here’s why. Repeatedly being asked for consent is annoying to users and they will rapidly tune out due to “Consent Fatigue” when continually asked for consent by different looking screens from ad companies, from publishers, from third party partners.
Under GDPR, consent is a living ‘mining claim’ that users can revoke at any time. Consent needs to be verified every time private user data is processed. That can’t really happen when there are 2 or 3 separate systems holding different aspects of consent. Do companies keep financial records in 4 different silos? No, because it’s important enough data to maintain a secure central silo with managed access. Under GDPR, CaCPA, ePrivacy and all of the related privacy regs that are coming into force, Consent is just as important as financial data. Enterprises need to treat it that way.
(3) Nobody is thinking about the user experience yet. Imagine if every site you visit has two or three separate popups gathering consent for this and that subsystem. It’s unthinkable. The only way consent is ever going to work for users is if they are given an easy-to-use, single-sign-on privacy management system where they can get clear info on what will happen with their data and manage privacy across many publishers. A great analogy for this is the way PayPal has become the predominant payment portal for online commerce by creating a trusted central site that people are willing to spend the effort to sign up for because of the obvious convenience they will enjoy in the future. GDPR is a big regulation and it’s going to require big operational changes for business to function well going forward.
Thanks for this great post!
Great points, Roy. Thanks.
Posted on a site that has an opt out for direct marketing and whose Cookie consent options are non-existent, save for browser settings only. Laughable if it wasn’t so saddening.
“If you continue browsing, we assume that you consent to our use of cookies. More information can be found in our Privacy & Cookies Policy.”
Assumed consent…… It doesn’t exist anymore!
Great article. The GDPR is basically broken. Inspired me to think about a possible solution.
https://www.linkedin.com/pulse/how-fix-gdpr-peter-austin/