Bookmark: "GDPR consent design: how granular must adtech opt-ins be?"

Sebastian Greger


The wireframes presented in this article should make every UX designer cringe:

Johnny Ryan of PageFair embarks on a step-by-step journey through various GDPR requirements and Article 29 Working Party opinions/guidelines, illustrating how the wide range of purposes adtech companies process personal data for would—-when taking the law as literal as possible—-require consent dialogues of epic dimensions:

Any individual controllers who intend to process data for their own unique purposes will need further granular opt-ins for these purposes. Since adtech companies tend to deviate from the common purposes outlined above, it is likely that most or all of them would ultimately require granular purpose consent for each controller.

However, even if all controllers pursued an identical set of purposes so that they could all receive consent via a single consent dialogue that contained a series of opt-ins, there would need to be a granular set of consent withdrawal controls that covered every single controller once consent had been given. The GDPR says that “the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers”.

I’m having a hard time to think of a single user clicking through that (hence the author’s verdict that behavioural adtech is doomed). And while it would be easy to put the blame on EU legislation, the real issue is the scale of invasive tracking established on the web today, becoming tangible in this way just as the GDPR intends (what Ryan refers to as “data leakage” is the practice of trackers handing on data to other parties—-an uncontrollable mesh for the website publisher who may ultimately be held liable for exposing their site’s users to it).

Johnny Ryan has presented a similar exercise before, and I am quite frankly surprised how sparse the conversation is about “consent design” in the UX community. We are 18 weeks away from the GDPR becoming enforceable, and it seems there is only very limited published work on how to obtain consent that would fulfil all the demands of the new EU regulation—-in particular when third parties are involved (not just adtech per se, but e.g. integrations of CRM systems, social media platforms etc.). This is the most thorough such exercise I am aware of.

As the laws are what they are, it is “high noon” to alert employers, clients and fellow designers about the fact that the only way to avert the developing UX nightmare that is “compliant consent pop-ups” is to radically rethink how businesses deal with personal data in tracking applications.


  1. PageFair is selling a product, but the GDPR-based and thoroughly referenced argumentation stands for itself—-so no matter the potential “sales” aspect of this text, the design experiments are of great value.

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing toge­ther social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.

My monthly email newsletter has all of the above, and there are of course also an RSS feed and Twitter.