There are a number of factors to the GDPR (General Data Protection Regulation) that from May 2018 will change how companies communicate with users and process their personal information.

One fundamental factor is privacy notices – how organisations explain at the point of data collection what users can expect will happen to their data. In this article, we'll dig into the topic of privacy notices more deeply, and present some best practice examples that appear to comply with the GDPR.

We all know privacy policies are painful

Who has ever read a privacy policy? Truthfully?

They are not quite as absurd as the iTunes terms and conditions (now a graphic novel), but a paper by McDonald and Cranor estimates that if the average person read every privacy policy for every website they visited in a year, that reading time would amount to some 244 hours.

In 2010, Facebook's privacy policy was longer than the US Constitution.

It's this absurdity that the GDPR is attempting to tackle – privacy policies may still be long and unwieldy documents, but users must be made aware of the salient facts in an easy-to-read notice at the point of consent or data collection.

The GDPR demands clarity through a privacy notice

This is what the GDPR has to say about the information companies provide about personal data processing – it must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.  

This means a simple link to your crazy-long privacy policy during registration will likely not do the trick.

As the ICO puts it when discussing the GDPR, "being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect."

What's more, the information you should provide is changing, too. The lawful basis for your data processing, how long you'll keep the data for, the user's right to complain – these are all pointed to in the GDPR.

The following questions should be considered when writing a privacy notice: 

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain? 

(Note, for the full detail on what information should be provided to the data subjects at point of data collection, readers should check out article 13 of the GDPR, specifically paragraphs 1 and 2, summarised by the ICO here.) 

gdpr course

What does a privacy notice look like?

All this seems pretty straightforward so far, but what then does a privacy notice actually look like?

It's not as lengthy as the questions above may suggest, in fact it chiefly tackles what will be done with personal data, by whom, and who it will be shared with.

Here's an example, again from the excellent ICO guidance:

privacy notice

As you can see, the privacy notice is part of obtaining consent from the user (or telling them about legitimate interests, for example), and is presented at the point of data collection. (In a previous article on the Econsultancy blog we have looked at the UX of obtaining opt-in – essentially how checkboxes should be presented).

When planning privacy notices, you should be aware that more information may be needed than shown in the example above. Such information depends on what the user reasonably expects to happen to their data, and whether a lack of honesty/fairness might be levelled if pertinent information is not provided (e.g. use of personal data for profiling).

You can see a longer example of a privacy notice in a blog post from Scott Sammons, privacy expert – read it here.

Examples of good privacy policy UX

Back to the GDPR. What does best practice look like?


There are two concepts of privacy policy/notice UX that the ICO advocates. The first is layering – allowing users to access easy-to-understand information and then delve more deeply if required.

The prototype from the ICO shown below uses three layers. The first is a headline question (how will we use the information about you?), the second is the collapsible information about processing and sharing, and the third is the hyperlink to the relevant section of a full privacy policy.

This layering is a good way of saving space in a mobile UI.

layers privacy

Just-in-time privacy notices

Another superb prototype from the ICO, also useful in mobile UIs particularly, is the just-in-time privacy notice.

As you can see in the GIF below, when the user engages with a data field, relevant information is displayed at that time with a pop-up style hint.

just in time privacy notice

Who is adopting some of these practices?


As with many companies out there, Microsoft is getting some things right and others arguably not so. When I investigated signing up for an Outlook email account, I was pleased to see that the form I had to fill in employed the just-in-time technique noted above. You can see it in the screenshot below.

microsoft just in time privacy notice

Just-in-time privacy notice from Microsoft

However, Microsoft doesn't include a privacy notice at the end of the form when I am ready to sign up. Arguably there should be some information at this level about what data of mine will be used and how. I am also required to opt-out of marketing, which will be a no-no under the GDPR.

Microsoft should be given credit though for its use of layering when a user clicks through to the privacy policy. As you can see from the screenshot, there are clickable subtitles in the form of questions, top-line information given and then links to more detailed information.

microsoft privacy policy

Age UK

Age UK was included in my last article about opting in to marketing consent. For a simple transaction (a donation), the privacy notice is clear, and sits next to the option to opt in to marketing.

You can see the message below, it's not extensive, it focuses on the main area of doubt a user may have in consenting to marketing – will my data be passed on?

Age UK assuages these doubts and also details the option of changing your mind. There is then a link to a more detailed privacy policy.

It should be stressed that direct marketing may rely on the basis of legitimate interests (not always consent, though the individual still needs to be made aware at data collection). Sending email marketing is possibly governed by both the PECR and the GDPR, depending on the level of processing of data. This article by the DMA gives a handy summary.

age uk privacy notice

The charity's privacy policy is partly shown below and was updated in April 2017. I like the layout of information. It looks well prepared for next year's regulation and includes information about updating your details, security precautions, any transfer outside of Europe and any profiling that may take place. Check it out here.

age uk privacy policy

The beginning of Age UK's privacy policy


USwitch has a very simple UX for comparing energy prices, but it remembers to include some just-in-time information. See the screenshots below.

Note the use of the word 'optional' in the phone number field, too.

uswitch just-in-time privacy

uswitch just-in-time privacy

However, when I went further through the process of applying for quotes, I could not see an obvious privacy notice. It may be argued that all the information I input (energy consumption etc.) is necessary to provide a quote, but I would still have been reassured with another notice about what happens to my data.

USwitch does have a good privacy policy, though, similar in style to Age UK, with clear headings and a range of information, also updated in April 2017 (see it here).


There are likely better examples out there with whiter-than-white compliance. But remember, it's horses for courses.

As the ICO points out, consumer expectations are key. You have to "Actively give privacy information if:

  • you are collecting sensitive information;
  • the intended use of the information is likely to be unexpected or objectionable;
  • providing personal information, or failing to do so, will have a significant effect on the individual; or
  • the information will be shared with another organisation in a way that individuals would not expect."

Ridding the internet of legalese and promoting transparency is not a new concept

As an addendum, it's worth noting that the challenge of keeping the user informed is one that many academics and developers have worked on before.

One nice example is the open source code available from the Application Developers Alliance. It partnered with Intuit in creating privacy notices for apps (see below) that would comply with the Mobile App Privacy Voluntary Code in the US. 

intuit and privacy alliance notice

Open source privacy notice from App Developers Alliance

Another example of previous attempts to bring some saliency to the privacy notice is the use of iconography. There are no standard icons used to denote various levels of privacy or data use, but their appeal is obvious – they are language neutral. As GDPR applies to users based across the EC, we cannot assume all users understand one of the major languages of the region.

Aza Raskin of Mozilla has developed privacy icons inspired by Creative Commons. Along with some standard short text, the icons simplify privacy policy, though it should be noted that most of this sort of work has been academic. There remains difficulty in the issue of jurisdiction.

mozilla privacy icons

Image via CREATe - The use of privacy icons and standard contract terms to build consumer trust 

Note that this article represents the views of the author solely, and are not intended to constitute legal advice.

Are you a privacy expert? Let us know your thoughts in the comments below...

gdpr report banner

Ben Davis

Published 25 July, 2017 by Ben Davis @ Econsultancy

Ben Davis is Editor at Econsultancy. He lives in Manchester, England. You can contact him at, follow at @herrhuld or connect via LinkedIn.

1244 more posts from this author

You might be interested in

Comments (7)

Save or Cancel

Andrew Plant, SEO and Content Manager at UCAS

Great article.

There is a lot to think about with GDPR as consent has been flipped on its head.

The need to have a clear and transparent way of proving how consent was gained is key. Data storage and management will be central to all of this.

about 1 year ago


Laurent Christoph, Experience Strategist at Lloyds Banking Group

Whilst consumers have genuine concerns about privacy its often not the main concern when they are about to buy a product or join a service. If they "want it" enough they are likely to pay less attention to privacy notices (if any at all).

So what should companies do? Well, you can insert positive friction in the journey, develop a longer term comms strategy centred on privacy, have a more contextual approach to data collection and consent gathering etc...

This requires a change of mindset for many digital marketers: from designing for 'quick and easy' to designing for 'awareness and understanding'. Design for the intended outcomes, not just ease of use or ticking the GDPR box (no pun intended).

Fundamentally it requires a renewed focus on raising awareness of the importance of privacy as well as a strategy to empower customers to regain control over their personal information. In that respect GDPR has already been successful in getting many organisations to think and act differently - but there's still a lot more to do.

about 1 year ago

Ben Davis

Ben Davis, Editor at EconsultancyStaff

@Laurent Couldn't agree more

about 1 year ago

Roy Smith

Roy Smith, CEO at PrivacyCheq

While many enterprises may struggle to create the IT resources needed to achieve full GDPR notice and consent compliance, there are commercial SaaS services that handle layered notices, just-in-time details, multilanguage, granular consent, anonymous consent, and compliant logging and maintenance of consent. <commercial plug> My company PrivacyCheq offers a GDPR/ePrivacy consent management service called ConsentCheq. </plug>

about 1 year ago


Velzara Koleva, Product Copywriter at John Lewis Partnership

A very insightful article, that raises nevertheless a few questions regarding regulation.
First, the opening sentence "a number of factors to the GDPR (General Data Protection Regulation) that from May 2018 will change" makes an overt claim into changes. However, would you be able to elaborate a little more on those changes?
Second, what strikes me is that under GDPR, another overpowering EU regulation, an opt-out of marcomms is the red line as stated above " I am also required to opt-out of marketing, which will be a no-no under the GDPR." This leads to two critical points a) consumers would be technically left with no choice, which is likely to produce negative impacts for both business and customers b) banning an opt-out mechanism would further prove that EU regulation in some respects is ill-thought and one size doesn't fit all. It is also unequivocal that this can potentially create a political backlash regarding the dominance and superiority of the EU and the diminished power of state governments. The latter is particularly evident in one of the key changes of the policy concerning the extra-territorial applicability
Last but not least, as much as data protection is vital along with its handling, a critical opinion is welcome to avoid any potential pitfalls as well as protect customers and businesses in a democratically open, fair and beneficial way.

about 1 year ago


Darren Revell, Founder at RecruiterWEB

Excellent advice thanks for sharing.

12 months ago

GDPR Privacy Policy

GDPR Privacy Policy, Data Protection at GDPR Privacy Policy

If you are looking for a truly GDPR-complaint website privacy policy, you can find a good example here:

Don't forget, that as well as being clear, concise and transparent there are also very specific obligations in Articles 12 to 22 of the GDPR that you must also comply with in specific ways - failure to meet every single applicable requirement exactly as required is an automatic breach of the GDPR. For example, Article 21(4) requires that the right to object be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. Many privacy policies have erroneously bundled all of the data subject rights together, showing a misunderstanding of the legislation or a lack of attention to detail.

The danger with privacy policies is that they are public and therefore visible to anyone to see, including any non-compliance.

10 months ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.