Do you know which component of your website every single visitor interacts with at least once? Is it the powerful one-liner you shaped through hours of brainstorming? Maybe a hero image placed above the fold conveying a strong message about your product? Is it that main call-to-action button you refined with love and A/B testing?
None of these. It's the data collection consent message1 that every website visitor deals with at least once. Any website collecting unique data about users has to ask a visitor to approve or not approve the data collection before the it occurs. This consent is required by law in some countries.2 The problem is that most websites don’t explain what the consent is about. They don't give equal options for accepting or declining data collection during a website visit.
Recently I noticed a strange message on the site I frequently visit 3 :
My first reaction was self-reflection ("Am I really happy?") which was obviously not the purpose of my website visit.
I got another even stranger message later while visiting the other website:
I accidentally read this as "We value your privacy... I disagree." for a strange reason.
This was worse than all of the rest:
Seems like you're agreeing to the cookie consent and exiting the site.
Something was not just feeling right.
I suddenly became sensitive to UI obstacles of this type each time when I browsed the previously unvisited website and compulsively started to collect the most interesting screenshots of those elements. Here’s a collection of consent messages from the websites I visited in the past month4:
What I was experiencing was "consent fatigue": burdening users with questions and forcing decisions when they access a website for the first time.
I looked on the internet for an in-depth analysis of this phenomenon only to find out that most of the writings were focused around symptoms - that is, interface representations of the consent (modals, popups, fixed headers/footers, forced actions). There was little to none analysis for the root cause of consent fatigue.
I think this complex issue is related to communication and interaction. As an engineer and designer interested in hard problems I was intrigued to break it down and understand why consent components are designed this way and what could be improved.
I surveyed fellow designers from the UX community for representative examples of consent interactions. I asked the following question:
Does anyone know an example of usable, user-friendly and understandable example of cookie consent messaging and/or cookie interface? There are tons of bad examples around but very few good examples, thus I need your help - thanks in advance!
There were humorous responses:
Haha, that’s because there are no good examples. - Jess_Sand
Once I saw one on a food blog that said "We like cookies." - Katie
Negative answers:
Ultimately cookie consent is a user irritant so any "good" examples are still going to be poor UX. - Brett Maraldo
There were analytical answers:
It's german and doesn't look too great from a UI perspective, but from a UX point of view I like this example: https://taz.de/
Clearly asks me if I'm fine with all cookies or want to customize, if I customize I can either enable/disable cookies individually (okay) disable all but the essential cookies (so no ads or tracking cookies, this is what I want) again allows me to just accept all and everything without any dark patterns trying to trick me into allowing all.
Again, nothing fancy, but gives me clear options, direct access to the most used case (no ads and tracking), still customizable if I want and no dark patterns - Alex J
There were more answers with examples:
I'm not sure what exactly you're writing, but Pinterest does a good job at explaining things. - Anonymous
I was impressed with the clarity of Ikea’s flow at one point. - Jess_Sand
It’s not perfect (the banner to get there is still kind of intrusive), but I like that The Guardian just boils it down to two equally-weighted choices, and you only have to deep-dive into individual settings if you want to. - calum-b
I've used the Civic Cookie Consent script on a few sites and it is about the cleanest I could find. Very easy to integrate as well. It is used by the UK Information Commissioner's Office - which is the official source of info regarding UK cookie consent. - Darrell Wilson
Fellow UX people shared the same sentiment and were eager to share their experience - I was not alone!
I tried to analyze the content of consent messages as honestly as I could seeing them for the first time. I compiled a list of questions that the average website visitor could ask themselves when looking at a typical consent message:
All of the above questions can converge into:
Website owners presumably didn't plan this kind of experience for their users.
It's important to try minimizing blindspots while doing analysis like this. Therefore I changed sides and tried to be in the shoes of a website owner who are obliged to place consent message on the website. Here are concerns I could think of:
Those questions boil down to:
To understand reciprocity between basic user and business needs lets show them side-by-side:
| User needs | Business needs |
|---|---|
| To get the job done on the website and move on | To earn money while keeping the user engaged |
| To know what kind of data I will leave on the website To control amount of data I give to website To know how the data about my behavior is used after I leave the website |
To analyze user behavior in order to optimize the website for user needs and desired KPIs To inform the user about behavior data utilization without impacting the business |
Analyzing interaction design on a compiled set of consent messages5 was no less interesting - I saw the main ideas repeating themselves. Here are observed interaction patterns ordered by level of severity, from mediocre to acceptable UX6:
While I try not to be prescriptive in this analysis, I’d say that the only fair and non misleading example is the last one. It’s also the only one that gives us an actual choice to not share our data.
Websites (unfairly) assume that visitors know what a cookie is and does.
The consent question is frequently misleading: accept cookies vs. whether to track a visitor or not.
Most consent messages do not use plain language. They obscure the message by emphasizing technical details ("we use cookies") over collecting user behavior data that is being saved, used or sold.
"We've put cookies on your device to make the website better" translates to the users’ language as: "I’m using my computer's resources to save files so that the website owner can track me and make their website better for their business needs."
Typical website consent element say: "Accept cookies or no access for you."
Consent messages are persuasive which aren’t GDPR compliant: consent must be freely given so the message should be neutral.
Saying "We use cookies" doesn’t tell the user anything - it’s like saying "a car uses a road." The website owner can say "We use HTML and Javascript to provide you content on this website." That information is of low value to the user. So the cookie isn’t the problem, it’s what the website does with the information.
It’s impossible to summarise all the implications of the users’ decision under one call to action like "Accept" or "I agree."
Users do not understand what is going on with their data and don’tt know that somebody has their information, how and where data is being used.
Some websites notify users that by using the site consent is granted - therefore, users implicitly accept the consent. Other websites allow users to accept or reject consent explicitly, through direct interaction. The latter is a more fair option.
Many websites collect user data whether users agree or not, making the notification pointless.
Almost every consent notification breaks the basic rules of UX: understandability, clarity, brevity. It causes confusion. It negatively affects the overall website experience - especially when it's placed intrusively.
Regular website user has to make a lot of decisions while browsing. I think there in lies the root cause for consent fatigue: when designers flood the website with elements that require users' response without explaining value, it results in a poor experience.
The fact is that third-party trackers are building up databases with information about you and your browsing habits. Advertising networks use cookies to track users' behavior and cross-site movement. "Ads keep our service free" is a try-to-be-sincere message that some websites convey in their consent messages. What those websites are trying to say is "Please give us consent for saving and processing data about your behavior so that we can keep our site in operation for free to you."
Technically, the consent is not uniquely related to approval for saving cookies to your hard drive. Your unique "browser fingerprint" could be created using your IP address, browser version, operating system and other data you expose whenever visiting some site on the internet7.
Let's call the things by their real names. It's not "cookie consent" - it's "approval for data collection" and in many cases "agreement for selling your data to 3rd parties." Mentioning cookies just obscures the real intent of the website owner. Fair cookie consent must be about a purpose (tracking), not about a means to an end (cookie).
So, how can we improve the current state of things? Is there a solution to consent fatigue? How can we inform users honestly while still keeping our business sustainable?
While doing research projects I saw that most users overcome obstacles like modal windows and notification banners by blindly and automatically clicking the most obvious element. Consequently, users give away their data for use in promotional purposes or have websites sold data to 3rd parties, without ever knowing it.
Let's be honest - almost every user will eventually click to accept cookies if they have strong motivation to use the website. I think designers should pay attention to a fair choice between giving and denying consent. They should focus on the clarity of consent messages while avoiding ambiguity.
Website visitors should be able to make an informed decision if they are willing to give their data, what amount of data is given to whom in what timespan, and for what purpose data will be used. Therefore, website owners should not nudge the visitors toward their preferred option - which is fingerprinting, tracking and eventually selling their data. Website owners should give a fair choice between two options. They should explain what happens to users' data, how it will be stored and for how long. Nothing should be left to interpretation.
We should be aware that design cannot resolve all problems; however, one innocent design decision can mess up complex business rules. Designers should aim beyond design: talking with all business stakeholders, questioning current business models and working on incremental improvements is always a good idea.
I remember browsing the web in a browser within a single window, struggling to type full URLs along with http:// prefix and with poor support to web standards8. The browser evolution went a long way since then. Typical web users expect a consistent experience across browsers: standardized components such as a refresh button, address bar that accepts both URLs and search queries, back and forward buttons, tabs, secure HTTPS protocol notifications, incognito mode and so on. This is analogous to driving your car: steering wheel, pedals, lights and blinkers are found in every contemporary vehicle.
I dream of having something similar: a standardized browser component that handles user-generated data with respect to privacy and transparency.
This component will treat users' data with respect, inform the user about which data is sent, when and to whom. It will give users the option to take control of their data. I think GDPR rules are a good start towards better "privacy as experience" and better handling of user data.
A consent indicator is constantly shown in the browser (similar to SSL "lock" indicator ); the user can interact with the indicator and understand what the website will do with data. The user is always able to revoke consent, being aware of the implications.
The idea of a unified privacy control is not new at all - there were already some initiatives (although at the level of network protocols) that were promising9. Big tech companies these days realize that allowing users to control their privacy is an opportunity to make a competitional advantage in the fragmented browser market and they are making some minuscule but promising steps toward better browsing privacy10.
By moving decisions about data collecting from website to browsers, everybody wins: users get a coherent and unique experience across websites and businesses can monetize their content by exposing clearly what data is being used for what purposes; and if the user does not give the consent, he won't get to the content. I know that paywall model is unpopular among users but at least users will not be the product anymore11.
This proposal is not without flaws. The questions easily pile up:
Website designers should implement ethical design strategies in every website component, no matter if the website resides in the EU or not. The topic of user data is beyond GDPR - website consent messages should be designed with the same level of detail as the core product, whether the website falls under GDPR rules or not. Brands need to be transparent about how they use data. Businesses should provide all users with proper options to fully control their data.
While we are waiting for the web to consolidate, designers should be reminded once again: every user on your website will see data consent message at least once - it doesn’t matter on which page they landed. It deserves some love. Keep that in mind when designing your next masterpiece.
I am Milovan Jovičić, UX consultant, design generalist and violinist.
I founded Practical UX and Alpha Design Studio.
My intent is to make technology human and to utilise it for augmenting human intellect.
Thanks to Slobodan Stojanovic, Bojan Joncic, Janko Jovanovic, Bojan Djuricic and Keith Baumwald for reading early draft of this.
All websites are accessed in October 2020.
I am intentionally not saying "cookie consent message" as websites can collect data using many technologies, along with cookies. ↩︎
Analysing the law is out of the scope of this essay. We will focus here on how the consent message affects the experience of the user. There are other standard website components that inform how data is collected and processed, such as privacy and cookie policies - which are also out of scope. ↩︎
October, 2020 ↩︎
I compiled around 100 of them, obviously a limited set - see my collage at the beginning of the text. ↩︎
I will focus here on content and call to actions only. I do not want to mention obstacle models and other anti-patterns that obscure content, which is a story in itself ↩︎
Go find out for yourself: visit AmIUnique.org ↩︎
You guessed right, that was Internet Explorer 5.5 ↩︎
DNT HTTP header field, proposed in 2009. and adopted by Mozilla Firefox was the first attempt to unify encapsulate and control privacy by the browser. The initiative was unfortunately shut down in 2018. It is superseded with Global Privacy Control header, and we'll see how it goes. ↩︎
Apple, Cloudflare and Fastly at the end of 2020. united in an attempt to make DNS more private ↩︎
"Television Delivers People", a classic short from 1973 made by Richard Serra is worth watching if you want to dig more on the subject ↩︎
I noticed that Brave web browser tried to go beyond paywall by allowing "tipping" content creators, while supporting publishers at the same time. I like this idea a lot. ↩︎
Disclaimer: I do not have any connection with those guys, I just think this component gives usable and fair options to users ↩︎