Clickety-click: 5 Years of Consent with the GDPR

Graham Carroll5th July 2023 - Graham Carroll

Clickety-click: 5 Years of Consent with the GDPR

For most, data privacy, consent, and the laws that govern it are about as appealing as watching paint dry. But are the tools we use every day that are designed to help control our consent really working?

Getting around the web is often a pain in the ass.

Newsletter pop-ups, display ads, and location alerts  – not fun.

And this pain manifests not least in the form of Consent Management Tools and their pop-up controls or Cookie banners. We’ve all been clicking, or at times ignoring some form of OK, Accept, Reject, etc almost every day for 5 years.

Consent with the GDPR

The GDPR is now 5 years old. It is a necessary and important EU directive that sets out laws and guidance on how personal data is controlled, stored and processed.

In front of that personal data sits the consent to have it in the first place, and that’s what this post is about.

“Most people are simply not thinking about their privacy or data rights. They just want to move on with their lives.”


One of the core principles of the GDPR regulation is that it requires companies to provide consent notices to consumers in “concise, transparent, intelligible and easily accessible form, using clear and plain language.”

But what are the design principles that ensure those notices and their user interfaces are clear and transparent?

Can organisations that design for a myriad of things – web, mobile, wearables, voice assistants, connected cars and every sort of IoT device really live up to these ever-changing laws and principles?

Do consent tools even work?

As is our nature, we tested this out.

In a set of usability tests with 20 people on a compliant consent tool pop-up, we found that the majority of users, 70%, clicked to Accept cookies.

When asked why they chose their action, answers from those who accepted included “That’s just what I always do” and “…it’s the fastest way to get rid of it.”

The problem is clear. Human nature prevails, and as cognitive misers, through simple repetition, we follow the path of least resistance.

Most people are simply not thinking about their privacy or data rights, they just want to move on with their lives.


But do consent tools actually work?

We tested this too.

Out of a quick straw poll selection of 12 random websites (May 2021), we found that just 7 of them (58%) did not fire cookies when Marketing Cookies were declined.

Good Cookie?

When it comes to content streamers and IoT stuff, many of these services need to collect data from you to give you a better user experience.

For example, Netflix.

When you’re milling around thinking about what to watch next, content streamers use first-party cookies and data to show you content that you might like based on your viewing history, gender, etc.

If Netflix kept showing you the same viewing options every day, including things that you’ve already watched that would get annoying.

While this use of personal data improves the user experience, there are other ways your data is used from deciding what content to produce to more grey areas such as how data is shared with 3rd parties.

In the case of Netflix, the only opt-out is to stop using the service.

The path of least resistance. (Michael Sankey)

Privacy by Design

Despite the clear challenges of getting consent, education for those who process and store personal data is critical.

I spoke some time ago at a webinar hosted by the brilliant Future of Privacy Forum who invited me to give a talk on consent transparency and designing for trust.

Interesting takeaways included:

  • The biggest challenge to increasing User Experience transparency may be encouraging people to make deliberate decisions from a UX design perspective.
  • Designers’ colour and shape choices in User Interface design can be subtle ‘dark patterns.’ These dark patterns might even prevent, e.g., colourblind users from understanding the options at hand.
  • Organisations should ask themselves whether they should be collecting certain data in the first place.
  • Organisations need to take steps to prevent user manipulation, both by UX/UI (e.g., cookie banners) and by algorithms.

There’s a link to the webinar at the end of this post.

What should change

This is usually the part where you get ‘the answer’ but there isn’t a definitive one or at least one that will make browsing websites and apps a little less annoying.

Google plans to phase out cookies with its Privacy Sandbox but consent banners are not going to go away soon, so they may continue to annoy.

But, the real message here is that regardless of what level of consent users and consumers give (or how engaged they are when they do it), as businesses, data controllers and data processors, the responsibility lies with us to ask for, use and store their data responsibly.

There are two things I would advise:

  • Understand where your greatest data risks lie and ensure that your processes around processing and controlling that data are airtight.
  • Educate and train your staff on the laws and best practices around data protection, particularly how they relate to your greatest risks.


Thank you for reading.


But wait, there’s more:

And if you want to go full geek, check out this 30-minute piece on GDPR after 5 years from Voice of ESG. It has some sound advice at the end on engaging in training and awareness for your team.

Graham Carroll
Graham Carroll

Graham is a co-Founder and Head of Strategy at Friday Agency. He writes mostly about Strategy, Content and UX here, and he talks, lectures and sometimes shouts about these things too.

Previous Post
Should you work with a UX Agency or build your own in-house UX Team?
The Crucial Role of UX in Digital Marketing
Next Post
The Crucial Role of UX in Digital Marketing