Can policy and delivery be one?
The impact of the General Data Protection Regulation (GDPR) on the internet's user experience, particularly in relation to cookie banners, presents a compelling case study on the unforeseen consequences of policy implementation in the digital space.
When the GDPR was introduced, its primary aim was to enhance privacy protections for individuals within the European Union, giving them greater control over their personal data. A significant aspect of this regulation pertains to the use of cookies - small pieces of data stored on users’ devices to remember their actions and preferences on websites. As a result, one of the GDPR’s key requirements is that websites must obtain explicit consent from users before any non-essential cookies are stored or accessed on their devices.
The intepretation of this policy let to the universal adoption of ‘cookie banners’. While these were intended to empower users with choice and transparency, they have, in many ways, detracted from the quality of the user experience online. Basically, GDPR broke the internet.
The issue at hand is not the GDPR policy itself, but rather the disjointed approach taken in its implementation. The policy was developed with noble intentions by policymakers, but the execution was left to digital delivery teams, who often had to interpret the rules and implement solutions in isolation. This siloed approach resulted in a wide array of cookie consent banners that vary in design, clarity, and user-friendliness, leading to what many users perceive as an annoyance rather than a meaningful choice. This disconnect highlights a critical flaw in the traditional ‘waterfall’ approach to policy and digital delivery, where policy is formulated and then “thrown over the fence” to those responsible for its digital execution.
The unintended consequence of this approach has been that far from empowering users, the proliferation of intrusive and confusing cookie banners has led to ‘consent fatigue,’ where users blindly accept cookies without understanding their implications, thus undermining the GDPR’s original intent.
This is how a valid policy intent can lead to negative outcomes when the delivery mechanism is not adequately considered or integrated into the policy design process.
But what could have been if the GDPR policymakers and digital delivery teams had collaborated more closely from the outset?
Imagine a policy lab where the GDPR was co-designed using design thinking and service design methods. In such an environment, a more user-centric approach could have been taken, acknowledging the importance of both privacy protection and user experience.
In this alternate scenario, the teams might have conceived an asynchronous solution to address the policy’s intent while preserving the quality of the internet experience. For example, tracking details could be stored on a secure, government-operated website. A tool, accessible to all internet users, would then alert individuals to their tracking status and provide options to delete or block specific cookies. Such a solution would not only align with the GDPR’s privacy protection goals but also mitigate the negative impact on user experience by removing the need for intrusive consent banners.
This highlights the importance of considering the user experience of the policy from the outset, and involving a diverse range of stakeholders, including technologists, designers, policymakers, and end-users, in the policy development process.
Have you been briefed on policy intent and outcomes? Are you working on a similar challenge? Would you like to ask about how a policy co-design lab could work in your organisation?
I’d be happy to hear more about it.
In
(comments disabled)