Lawful Design

There’s a moment in nearly every project where the work stops being about the user. Someone from legal joins the call, and suddenly the clean flow we spent weeks refining has to grow a checkbox, a banner, a paragraph of fine print, or an entire screen that exists only to protect the company. It’s easy to treat this as the enemy of good design. I’d argue the opposite. Legal requirements are constraints, and constraints are where design actually happens.

The trap most teams fall into is treating law and experience as adversaries fighting over the same pixels. The lawyer wants to be defensible. The designer wants freedom. Both of those goals can be true at the same time, but only if the two disciplines are in the room together early instead of handing artifacts back and forth at the end. When legal shows up after the design is “done,” you get the worst of both: a bolted-on disclosure that satisfies no one and a flow the user never wants to use again.

The goal of this article is to walk through the places where law touches our work and show that legal expectations and low friction aren’t opposites. The best solution is almost always the one that achieves both.

Consent is the clearest example of how a design decision becomes a legal one. Take the difference between a clickwrap and a browsewrap agreement: it is purely a matter of interaction design. Clickwrap requires the user to take an affirmative action (“I agree”), while browsewrap assumes consent simply because the user kept using the site. Courts have repeatedly cared about exactly this distinction. In Specht v. Netscape, the court refused to enforce terms that lived below the download button, finding that a reference to license terms on a “submerged screen” wasn’t enough to bind the user. The legal protection failed because the design failed. A checkbox the user actually had to check would have been the more appropriate pattern, and it would have held up in court.

This is the part that should excite us rather than annoy us. The lawyer’s requirement (“we need provable, affirmative consent”) and the designer’s requirement (“don’t make the user feel cornered”) point to the same solution. Cookie banners are where this collaboration most visibly breaks down. When the CNIL fined Google €150 million and Facebook €60 million over their cookie consent, the violation wasn’t the absence of a “reject” option. It was that accepting took one click while rejecting took several. The asymmetry was the deceptive pattern. The lesson for us is precise: making the compliant choice harder than the convenient one is both bad design and illegal. A symmetric banner with “Accept all” and “Reject all” side by side is the rare case where the most ethical layout, the lowest-friction layout, and the most defensible layout are the same layout.

Disclosures & Disclaimers

Disclosures are where the phrase “clear and conspicuous” earns its keep, and that phrase is a design specification hiding inside a legal one. The FTC’s guidance for influencers is remarkably blunt about it. A disclosure buried in a wall of hashtags, hidden behind a “more” link, or shown only briefly in a video doesn’t count. They specifically warn against placing an #ad where people have to stop and click to see it. This is not a suggestion. This is a rule for information hierarchy. We are being told where to put the content on the screen.

This is precisely the territory where a designer and a lawyer should be sketching together. Left alone, a lawyer will often default to maximum coverage: more words, more caps lock, more places where the disclaimer appears. But a disclaimer nobody reads is a liability dressed up as protection.

The more thoughtful solution is to make the disclosure legible at the moment of decision. A “this is not investment advice” line is worthless at the bottom of a terms page and meaningful right next to the “Buy” button. The emerging wave of AI-generated content disclosure in the EU AI Act’s transparency rules will test this again. The teams that win won’t be the ones who slap a generic “made with AI” badge on everything; they’ll be the ones who design a disclosure that’s honest, present at the right moment, and doesn’t insult the user’s intelligence.

Notice & Transparency

Notice is the discipline of telling the user what’s happening to their data, and it’s where “legally sufficient” and “actually understood” drift furthest apart. We’ve all clicked through a privacy policy nobody could finish reading. Technically compliant, practically meaningless. The right to be forgotten (RTBF), established in Europe by Google Spain v. AEPD, gives a person the ability to demand erasure of their data, but a right the user can’t find is no right at all. The legal text creates the obligation; design decides whether it’s real.

The best privacy work I’ve seen splits this into two separate pieces. One is the full policy, the long document the lawyers need. The other is the short note that appears right when something happens, like the screen that explains why an app wants your location before it asks for it. Users need that second piece, and asking a single document to do both jobs makes it perform both of them badly.

Push notification permission prompts are a common version of this. Apple’s App Tracking Transparency framework forced a generation of apps to actually ask before tracking, and the apps that survived the change were the ones that designed around the prompt. Instead of firing the system permission dialog the instant the app opens (when the user has no context and immediately taps “Don’t Allow”), the thoughtful pattern is a “pre-permission” screen that explains the value first, then triggers the real prompt only when the user is likely to say yes. That’s a collaboration between the legal need for genuine, informed consent and the design need to not burn the user’s goodwill in the first three seconds. Notice done well is a feature, not a bug.

Accessibility & Inclusion

Accessibility is the one area where the legal requirement and the design ideal often point the same direction. The hard part has been getting organizations to act on it, and that took years of accessibility professionals fighting to be heard against teams who treated their work as optional. The law didn’t reveal some hidden truth; it gave that long-running advocacy a platform. In the United States, Robles v. Domino’s Pizza made it clear that the Americans with Disabilities Act reaches the website and the app, not just the physical store. The Supreme Court declined to hear Domino’s appeal, leaving the court’s ruling in place. Years earlier, the National Federation of the Blind’s case against Target ended in a multimillion-dollar settlement and helped establish that an inaccessible storefront online carries real legal exposure.

The message has often been “do accessibility or get sued.” The better reading is that the law finally caught up to what good designers have wanted to do. WCAG isn’t a legal document, it’s a design and engineering standard that the law happens to point at. This is the rare section where the lawyer and the designer don’t need to negotiate a balance at all. The legally fortified version is the more usable version. Captions help the deaf user and the person watching in a quiet office. Sufficient contrast helps the blind user and everyone outside in bright sun. When I’ve argued that users should be able to choose colors that work for them, this wasn’t from a compliance angle, it was just a more considerate way of designing. Accessibility is the proof that constraints make the product better for people.

Identity & Verification

Verification requires the deliberate design of friction. The law sometimes wants the user to slow down and prove who they are, and that’s a fundamentally different design problem from most other areas of user experience. A Know Your Customer flow at a bank exists to stop fraud and money laundering, and accredited investor verification under Regulation D exists to keep certain risky offerings away from people the regulators have decided shouldn’t access them. You cannot design these to be frictionless, and you shouldn’t try.

What you can design is honest friction instead of dishonest friction. The age gate that asks “Are you 18?” with a single Yes button is bullshit. Everyone knows it won’t stop anyone. Either the law requires real verification, in which case build a real flow with real checks, or it requires a good-faith barrier, in which case at least make it a deliberate one. This is a place where designers should push lawyers as hard as lawyers push designers. The reflex in compliance is to add more steps “to be safe,” but every unnecessary verification step is a place where a legitimate user abandons.

The collaborative question is: what is the minimum proof the law actually requires, and how do we collect exactly that and nothing more? Over-collecting identity data isn’t just bad for conversion, it’s a liability the moment you’re breached. Restraint is both the better experience and the safer legal position.

Regulated Industries

Some industries come pre-loaded with rules so specific that the script is essentially written for you. HIPAA dictates how a patient authorizes the release of their health information. The Fair Debt Collection Practices Act dictates what a debt collector must disclose and even supplies a model validation notice. In these spaces, the lawyer isn’t offering an opinion, they’re delivering the law, and the designer’s job shifts from “what should this say” to “how do we deliver legally mandated language without making the experience feel like the inside of a courtroom.”

This is a unique design responsibility. Mandatory language tends to be dense, defensive, and written by and for lawyers. The craft is in the framing around it. Progressive disclosure so the user isn’t hit with everything at once, plain-language summaries sitting beside the legally required text rather than replacing it, and pacing that respects why the friction exists. A HIPAA authorization should feel like the patient is making an informed choice about their own records, not signing away rights they don’t understand. The collaboration here is translation. The lawyer guarantees the words that must appear and the designer guarantees the human on the other end actually comprehends what they’re agreeing to. Both of those have to be true, and only working together gets you there.

Intellectual Property

Intellectual property is interesting because the design challenge isn’t usually a single user’s flow, it’s a system that has to serve two opposed parties fairly. A DMCA takedown process has to let a rights holder report infringement and let the accused file a counter-notice, while the platform sitting in the middle is trying not to lose its safe harbor. If either side’s path is too hard to find, the legal protection for both parties can fade along with user trust in the platform.

This is also where over-enforcement becomes its own design failure. Automated systems built to satisfy copyright law, like content-matching at upload time, routinely sweep up fair use, parody, and outright false claims because the friction of fighting back is so high that most users just give up. A thoughtful counter-notice flow is a legal safeguard and a user-experience safeguard at once. It keeps the platform compliant while giving wrongly-flagged users a real, navigable path toward a resolution. The elegant version makes both submitting a claim and contesting one feel legitimate and proportionate, rather than weaponizing friction against whichever party the platform would rather not hear from.

Commerce

If there’s one section that proves friction can be a legal liability rather than a shield, it’s commerce. For a long time the prevailing design pattern was to make signing up effortless and cancelling miserable, the so-called “roach motel.” Regulators have decisively turned on this. The FTC sued Amazon over what its own employees reportedly called the “Iliad Flow,” a Prime cancellation process so deliberately convoluted it was named after a long, grueling epic. The whole premise of that enforcement is that asymmetric friction, easy in and hard out, is itself the harm.

The regulatory direction has been less than desirable, which is exactly why design judgment matters more than following the letter of whichever rule is currently in force. The FTC finalized a “click-to-cancel” rule in 2024 requiring that cancelling be as easy as signing up, only for the court to void it in July 2025, days before it took effect. But the underlying principle didn’t disappear with the rule. State laws like California’s Automatic Renewal Law and the federal ROSCA still demand clear auto-renewal disclosure and a straightforward way out, and enforcement against deceptive subscription design continues regardless of any one rulemaking. The point for designers is to stop optimizing for the loophole. The symmetry of “as easy to leave as it was to join” is where both the law and the user are heading, and building toward it now is cheaper than retrofitting it after a lawsuit.

Stop, collaborate, and listen

The thread running through all of this is that the designer and the lawyer are not negotiating over how much of the experience each one gets to ruin. They’re solving the same problem from two directions. The lawyer is trying to protect the company and the designer is trying to produce the best user experience. A clear path is a defensible one. The cases where companies got sued, fined, or dragged through the FTC weren’t cases of too little legalese, they were cases of design that hid, tricked, or exhausted the user. The deceptive pattern and the legal violation keep turning out to be the same thing.

So, bring legal in at the wireframe (or I guess at the prompt), not right before the deploy. Ask the lawyer what the rule actually requires rather than what feels safe, and ask the designer how to deliver it so a real person understands. The least fun part of our work, the disclosures and the consent flows and the fine print, is also where the most underrated work lives. Legal requirements and a frictionless experience are not a tradeoff to be balanced. Done right, they are the same goal wearing two different job titles.