In contrast to dark patterns, these originate from a desire for simplification.
The following list provides an overview of best practices described in the Guidelines at the end of each use case. These can be used to design user interfaces which facilitate the effective implementation of the GDPR. Such best practices can offer a first step toward a standardised way for users to effectively control their data and exercise their rights.
Bulk options: Putting options that have the same processing purpose together, so that users can
change them more easily, while still leaving users the possibility to make more granular changes. If
social media platforms present bulk options, these should not contain unexpected or unrelated
elements (for example elements with different purposes). If the processing requires consent, the bulk
options must be in line with the EDPB Guidelines on consent, especially para. 42-44.
Contact information: The company contact address for addressing data protection requests should be
such as a section on the identity of the data controller, a rights related section or a contact section.
Reaching the supervisory authority: Stating the specific identity of the supervisory authority and
including a link to its website or the specific website page related to lodging a complaint. This
information should be present in a section where users can expect to find it, such as a rights related
with headings and sub-headings that shows the different passages the privacy notice contains. The
names of the single passages clearly lead users regarding the exact content and allow them to quickly
identify and jump to the section they are looking for.
Change spotting and comparison: When changes are made to the privacy notice, make previous
versions accessible with date of release and highlight changes.
Coherent wordings: Across the website, the same wording and definition is used for the same data
Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in
plain language will help users understand the information provided to them. The definition can be
given directly in the text, when users hover over the word, as well as be made available in a glossary.
Contrasting Data protection elements: Making data protection related elements or actions visually
striking in an interface that is not directly dedicated to the matter. For example, when posting a public
message on the platform, controls over association of the geolocation should be directly available and
Data Protection Onboarding: Just after the creation of an account, include data protection points
within the onboarding experience of the social media provider for users to smoothly discover and set
their preferences. For example, this can be done by inviting them to set their data protection
preferences after adding their first friend or sharing their first post.
Use of examples: In addition to mandatory information clearly and precisely stating the purpose of
processing, examples can be used to illustrate a specific data processing to make it more tangible for
Sticky navigation: While consulting a page related to data protection, the table of contents can be
constantly displayed on the screen allowing users to always situate themselves on the page and to
quickly navigate in the content thanks to anchor links.
Back to top: Include a return to top button at the bottom of the page or as a sticky element at the
bottom of the window to facilitate users’ navigation on a page.
Notifications: Notifications can be used to raise users' awareness of aspects, changes or risks related
to personal data processing (e.g. when a data breach occurred). These notifications can be
implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the
top of the webpage, etc.
Explaining consequences: When users want to activate or deactivate a data protection control, or give
or withdraw their consent, inform them in a neutral way of the consequences of such action.
Cross-device consistency: When the social media platform is available through different devices (e.g.
computer, smartphones, etc.), settings and information related to data protection should be located
in the same spaces across the different versions and should be accessible through the same journey
and interface elements (menu, icons, etc.).
Data protection directory: For easy orientation through the different sections of the menu, provide
users with an easily accessible page from where all data protection related actions and information
are accessible. This page could be found in the social media provider main navigation menu, the user
the most appropriate time for the user to have a specific and continuous information on how their
data are processed.
Self-explanatory URL: Pages related to data protection settings or information should use a web
address that clearly reflects their content. For example, a page centralising data protection control
could have a URL such as [social-network.com]/data-settings.
Exercise of the rights form: To help users exercise their GDPR rights, provide a dedicated form
that helps users understand their rights and guides them in carrying out these kinds of requests.