The journey should feel like an experience and not a contract. Ensuring that the customer clearly understands your proposition, the key terms they must commit to, and the benefit they will receive is an essential part of the customer journey. When you are developing the setup customer journey, ensure that you understand and meet your GDPR obligations, which must be reflected within your T&Cs and Privacy Notice.
The design pattern for most Terms and Conditions and Privacy Notice experiences is:
Current research consistently shows that the majority of people skip a careful reading of these terms and conditions, can misunderstand them if they are not clearly presented, and as a result are poorly informed at the point of agreement (i.e. a decision to sign up for a new product or service).
By actively designing terms and conditions experiences to inform and empower your customers, you help them make an active and informed choice. This guidance is intended to help you deliver a simple, actionable and meaningful disclosure experience to customers.
Setting up a new service should be simple. The key terms around the use of personal data must be transparent and clearly set out in plain language in order to meet GDPR requirements.
A Privacy Notice is a legal requirement under GDPR that must be presented prior to any data processing.
It is also a fundamental part of your value proposition, integral to the customer and brand experience and the creation of trust between customer and provider.
Privacy Notices are primarily delivered statically, although sometimes they’re also delivered dynamically. Static Privacy Notices should be prioritised in your information architecture. They should be provided as appropriate at the times they’re needed most and in language that is easily understood. Dynamic notices should be delivered based on time or event triggers. They serve the purpose of giving people enough information to make an informed, active decision about how their data is used. Read the ICO Guidance on Privacy Notices and what must be included in a Privacy Notice.
Static Privacy Notices
Your Static Privacy Notice should be prioritised in your information architecture. It should be easily accessible and easily understood by your customers and stakeholders.
Refer to our guidance on comprehension, and particularly consider layering, using plain English and differentiating the form factor (video, visualisations, interactions and iconography) to support different audiences, learning styles and appetite for information.
It needs to be relevant, meaningful and, importantly, transparent, with examples that make it relevant to customers. It should be part of your brand positioning.
If this feels like a legal document, it may need more work. Think of this as an experience, not a contract.
Dynamic Privacy Notices
Dynamic Privacy Notices are time or event based. They provide important information about the data, the data people are being asked to share and with whom, the protections in place and the potential consequences of doing so. They are deliberately designed to avoid points of friction. The ICO describes this approach as a Just in Time Notice. The ICO has provided helpful guidance on the different methods you can adopt when considering how to provide your Privacy Notice in the most effective way.
The challenge is the fine line between valuable and value-less friction. If notices are presented at the wrong time (or not at all), this could amount to a breach of your obligations under GDPR; if they are presented via an ineffective form factor, they could detract from the focus of an action and result in abandonment. It’s therefore crucial that you provide notices when legally required to do so.
The only way to develop an understanding of this is to put it to the test.