Friction as a fix

Adding a little friction to experiences can help users slow down in those moments they may need to

An examination of cookie popups and why they should be designed with trust and privacy in mind.

A badly designed cookie vs lock combined with a clock.
A poorly designed cookie popup vs a lock merged with a clock (personal illustration)

Finally, I reached my curiosity breaking point. After seeing Cookie Popups repeatedly appearing for so long, I had no choice but to gain a deeper understanding of the significance of these consent popups.

I did this by conducting a single-day experiment. It entailed wiping the Cookies from my browser and analysing every website Cookie Popup I encountered from a designer's perspective.

My initial assumptions

  1. Why are Cookie Popups poorly designed and take so much of our time?
  2. Why do Cookies and Cookie Popups exist, and are they needed?

What are cookies and website cookie popups?

For their descriptions, I referenced Wikipedia.

Cookies are blocks of data transferred from websites onto the user's device/s (computer, phone or similar). They enable web servers to store and track the user's browser activity.

Website cookie popups are informed consent popups for the user to accept or decline the use of Cookies from the website.

The analysis

As I embarked on the experiment, I created a spreadsheet. Here, I recorded the design decisions and the flows step by step of each website Cookie Popup.

A cookie being inspected with a magnifying glass
A cookie being inspected with a magnifying glass (personal illustration)

In total, I recorded 48 Cookie Popups. The results showed that most Cookie Popups lack UX accessibility and empathy for the user. This was done through inconsistent designs, misleading wording, biased button designs, and ambiguous "Decline" option flows. Below are the top five takeaways from the analysis of my data.

The design prioritised the “Accept” button on 22 of the Cookie Popups; 18 Had equal priority, and the rest had no buttons. In 23 out of 48 Cookie Popups, the “Decline” button did not exist or was misleading. Almost all “Decline” Cookie flows entailed 1 or 2 clicks, with a couple requiring 3 to 5. 33 out of 48 primary texts on the Cookie Popups are website-specific, not user-specific, word, confusing or difficult to read. Over half gave access to the website while the Cookie Popup was present.
Top five takeaways from the data

Vitaly Friedman interviewed 62 people about the role of privacy and explained in his 4 part article titled Better Cookie Consent Experiences that:

many implementations don’t even respect users’ decisions anyway and set cookies despite their choices, assuming that most people will grant consent regardless.

Vitaly points out that business needs outweigh the user's needs. Furthermore, he states that

users could easily see through the companies’ agendas

This leads me to conclude that website Cookie Popups are intentionally poorly designed and incorporate deceptive design patterns.

To note — On the positive side, there are user-friendly Cookie Popups, even though they are rare.

Collective analysis

A row of cookies being inspected with a magnifying glass
A row of cookies being inspected with a magnifying glass (personal illustration)

In collecting and analysing the Cookie Popup screenshots, I found I had yet to complete the tasks I had planned for that day. The experiment I conducted increased the time it usually takes to decide whether to "Accept" or "Decline" or read through the small print of the Cookies on every website I visited before making a decision (who has the time to read the small print?).

Okay, that is as expected as conducting any experiment time is needed.

However, this made me think. What if the website Cookie Popups did not exist? Inevitably, the user would have more time to do what they wanted. Conversely, the website might need help to develop a catered experience for the website visitor. Furthermore, the downfalls previously mentioned would not exist.

A collage of Cookie Popups screenshots, part one (not legible)
A collection of Cookie Popups screenshots, 1/2 (not legible)

With 725.8 million internet users in Europe or thereabouts, can you imagine how many Cookie Popups appear, how much data is accumulated, and how much time is spent clicking through the popups?

Have you ever considered how much time you spend clicking on Cookie Popups and what you could do with that time?

Depending on your actions and how many websites you visit, the time it takes to go through the Website Cookie Popups is between less than a second and possibly into minutes. Then imagine adding all this time together; how much time would you have accumulated or lost, depending on your actions?

Thankfully, each website is supposed to save your initial Cookie Popup selections.

A collage of Cookie Popups screenshots, part 2 (not legible)
A collection of Cookie Popups screenshots, 2/2 (not legible)

To conclude, the Collective Analysis section shows that Cookie Popups are time-consuming. This possibly is consequential; nevertheless, it is a consequence of bad design, which puts Cookie Popups into the "attention economy" category. If your time equals your attention, then how much of your attention is taken from you when interacting with Cookie Popups?

Privacy and convenience

Earlier in this article, I asked, "Who has the time to read the small print?" on the Cookie Popups. I put this question to you because the intention behind the Cookie Popups should be explained within the small print.

Lock combined with a clock.
A lock merged with a clock (personal illustration)

To save some time, GDPR.EU explains their intention as follows:

“In and of themselves, cookies are harmless and serve crucial functions for websites. Cookies can also generally be easily viewed and deleted.”

The website continues:

“cookies can store a wealth of data, enough to potentially identify you without your consent.”

All about Cookies answers the question: Are cookies safe to accept? with

Yes, most cookies are safe to accept. They’re intended to personalise your online experience and add to your convenience when using a website.

In other words, by pressing the "Accept" button, you gain convenience and grant websites access to your data. In contrast, when you press the "Decline" button, you gain a sense of partial personal data privacy.

On a side note

If you are concerned about your data when using AI (LLMs), read Professor Uri Gal's article in The Conversation, "ChatGPT is a data privacy nightmare. If you've ever posted online, you ought to be concerned". My three key takeaways from his piece are:

  1. The data (prompts) you input into ChatGPT now belong to ChatGPT.
  2. They also have Cookies and can share the Cookie data they obtain with other companies.
  3. Your written content on "a blog post", "product review, or" if you've "commented on an article online, there's a good chance this information" is consumed by ChatGPT.

Additionally, All About Cookies in their "Should You Accept Cookies?" page passively indicates the following:

“Collection of all this data may seem like an infringement on your privacy, and it can be. But sometimes cookies collect this data to help you”.

This needs further research to divulge fully. Nonetheless, I share my findings not to alarm you but to make you aware, even though it is somewhat scary.

The takeaway

Jon Reily says:

Some say the days of true privacy are over while others fear that we’ve gone too far and barriers need to be put into place.

Is the debate about privacy over? Not even close.

The user may gain convenience by pressing "Accept," but at what cost? Is the user fully informed of the possible consequences? This point reiterates that the design of Cookie Popups is intentionally poorly designed and incorporates dark design patterns, which in some instances allows for the breach of user privacy.

If you have concerns browsing the internet and allowing Cookies to track your interactions or have grown tired of inconsistent and poor Cookie Popup designs, read Matt Burgess's article on How to bypass and block infuriating cookie popups. Or, consider a VPN, a virtual private network service.

Design conclusion

I firmly believe that choice is fundamental in all aspects of life, and choice is the original intention of Cookie Popups: the choice to share your data. The intention needs to be recovered in the majority of Cookie Popup designs as it seems to be forgotten or ignored.

Unhappy and badly designed cookie.
A poorly designed cookie popup (personal illustration)

If the design disadvantage outweighs the advantage, it is poor design. To quote Ehsan Noursalehi from "Why Do We Interface" and from the perspective of a designer:

“Our job is to design communication, or rather to encode information in a way that it can be reliably decoded by another human being.”

If the website Cookie Popup is challenging to decode for the user, it is a failed design, and the user's experience follows.

If you want to stand out amongst the crowd and design a successful and user-friendly Cookie Popup, an excellent place to start is at Nerd Cow. Then have a read over Greet Jans's article to help you "breakthrough digital sameness" and again reference Vitaly Friedman for his in-depth Cookie Popup analysis and design suggestions.

The bottom line

Looking back at the experiment, are my assumptions proved right or wrong?

Assumption 1: Why are Cookie Popups poorly designed and take so much of our time? The experiment proved my assumption that website Cookie Popups could be better designed and not lead the users with time-consuming dark design patterns.

Assumption 2: Why do Cookies and Cookie Popups exist, and are they needed? Cookie Popups are required for everyone's sake, so they should be designed empathetically and consistently. If the Website Cookie Popups strategy is designed with the user in mind, the results will develop trust towards the user's privacy and give them more time to do what they need. Trust is not a finite resource, as written in The State of UX in 2024.

We can’t just design our way out of the insidious digital environments we created over the past decade. A modal asking for cookie permissions or warning about potential risks is not stopping users anymore — we are way past this point. We made our digital products all too convenient, and the ubiquitous yet impenetrable legalese of user agreements has made people numb to risks.

So, let's begin re/designing our Cookie Popups with trust, UX accessibility and empathy. Then examine the original intention of your Cookies and their Popups and consider what you/your company aims to communicate through them. Wheather its trust and transparency or fear and the promotion of numbness to risks because the users will inevitably see through the agenda.

Love or hate them, Cookies are here to stay. Accept or Decline them; either way, you have the right to choose. Design with insight; don't abuse the confidence the user places within you.

What happens when cookie banners are poorly designed? was originally published in UX Collective on Medium, where people are continuing the conversation by highlighting and responding to this story.






Leave a Reply

Your email address will not be published. Required fields are marked *