| UI or UX | UI + UX - Specific opt-in decision for optional data use, participation, communication, sharing, or training | UI + UX - Cookie and tracking consent control | UI + UX - Persistent hub for communication, consent, topic, privacy, language, and personalization choices | UI + UX - User-controlled rules for notification type, channel, frequency, timing, privacy, and exceptions | UI + UX - Durable permission administration for users, groups, roles, inherited access, effective access, and revocation | UI + UX - Runtime checkpoint that pauses AI or automation until an eligible human authorizes the next step |
| --- | --- | --- | --- | --- | --- | --- |
| UI guidance | Render a consent prompt as a focused opt-in decision that names the requester, purpose, data involved, optionality, benefit, consequence of declining, withdrawal route, and consent record before the user chooses. | Render a clearly labelled cookie banner at the top of the document before ordinary page content, with service-specific copy, essential-cookie information, equal accept and reject actions for non-essential purposes, and a link to detailed cookie settings. | Render a preference center as a returnable hub with categories for communications, channels, topics or interests, notification delivery, privacy and data sharing, cookie or tracking consent, personalization, language or locale, required messages, managed values, source-of-truth status, and save feedback. | Render notification preferences as a structured matrix or grouped settings surface that shows notification type, source, delivery channel, device, frequency, quiet-time rule, preview privacy, override, and current saved state. | Render permission sharing as an access-management surface with the protected resource, current direct grants, inherited grants, groups, guests, anonymous or link access, role or permission level, effective access, pending changes, and revoke or save actions. | Render a human approval gate as a paused automation checkpoint with the proposed action, tool or workflow step, triggering rule, risk level, payload snapshot, requester or agent, approver eligibility, timeout, and explicit approve, reject, edit, cancel, or bypass controls. |
| UX guidance | Use a consent prompt when the product needs the user to knowingly agree to a specific optional data-processing purpose such as marketing, research participation, AI training, personalization, partner sharing, or sensitive-data use. | Use a cookie banner to collect or confirm choices for non-essential cookies, local storage, pixels, service-worker storage, analytics, advertising, personalization, or similar device storage technologies. | Use a preference center when users need durable control over what they receive, which channels may be used, which topics they want, which consent purposes are active, how personalization uses their data, and which choices cannot be disabled. | Use notification preferences when users need to reduce noise without missing important mentions, assignments, security notices, incidents, reminders, or followed-object updates. | Use permission sharing when authorized owners or admins need to grant, change, audit, or revoke durable access to a space, site, repository, folder, project, board, dataset, environment, or sensitive object. | Use a human approval gate when automation is ready to act but policy, risk, confidence, cost, access, publication, deployment, customer impact, or legal consequence requires a human decision before execution continues. |
| Good UI | A research signup screen asks whether the user consents to being contacted for follow-up interviews, names the research team, shows what contact data is used, offers Yes and No thanks buttons, and links to withdrawal. | A service banner says it uses essential cookies and asks to use analytics cookies, with Accept analytics cookies, Reject analytics cookies, and View cookies controls at the same level. | A customer account preference center shows Email, SMS, Push, Topics, Cookies, Data sharing, Language, and Required service messages, each with current status, scope, and last saved time. | A notification preferences page groups Mentions, Assigned work, Followed threads, Security, Digest, and Marketing, with columns for In-app, Email, Push, Banner, and Digest frequency. | A repository access page lists teams, outside collaborators, deploy keys, and direct users with Read, Triage, Write, Maintain, and Admin roles, showing that only Admin can manage access. | An AI support agent pauses before issuing a refund, shows the proposed amount, customer, policy match, confidence, source grounding, approver role, timeout, Approve refund, Edit amount, Reject, and Stop run controls. |
| Bad UI | A modal says By continuing you agree to personalized offers and partner sharing, with a large Continue button and a small privacy policy link. | A banner has a large Accept all button and a small Manage settings link but no reject action on the first layer. | A single Receive updates switch hides whether it controls marketing email, SMS, push, product notices, analytics consent, or service messages. | A single Notifications off switch disables email, push, badges, and mention banners without saying whether security alerts or approvals still arrive. | A permissions page shows only individual names and Remove buttons even though group membership and parent folder inheritance still grant access. | A banner says Human approval needed but does not show the tool call, payload, approver, timeout, or resume consequence. |
| Good UX | A user declines partner sharing and can still complete checkout; the service records no partner-sharing consent and shows how to change the choice later. | A first-time visitor rejects analytics cookies and the site loads without optional analytics, while essential security cookies remain explained. | A user turns off promotional email, keeps outage SMS and account security email, changes language to Spanish, withdraws ad personalization, and sees which transactional messages remain required. | A user keeps mentions and assigned-work banners on, moves repository watch updates to daily digest, mutes marketing email, and sees a preview of what will still notify them during quiet hours. | A site owner adds the Finance Reviewers group as Visitors, sees that Members can contribute content, confirms no anonymous access is enabled, and saves with an audit note. | A billing lead opens the paused refund gate, sees that the amount is under policy but source grounding is partial, edits the refund to the verified amount, approves, and the agent resumes only that step. |
| Bad UX | A user clicks Next to finish onboarding and unknowingly opts into marketing because the consent copy was bundled into the terms paragraph. | Reject only closes the banner while ad pixels and analytics continue firing. | A user declines analytics in a cookie banner but later cannot find the preference center needed to withdraw personalization consent after signing in. | A user disables email for a noisy project and still receives duplicate push and desktop banners because those channels live in separate hidden settings. | An owner downgrades a user to Viewer, but the user keeps edit rights through a connected team and the UI never explains effective access. | A human approves a stale agent action from an email link, and because the approval is not bound to the payload snapshot or target version, the agent applies it to a customer state that has since changed. |
| Best fit | The product needs a user's active agreement for optional data use, marketing, research participation, personalization, partner sharing, AI training, or sensitive-data processing. | The service sets non-essential cookies or similar device storage technologies. | Users need to revisit and change communication, consent, topic, personalization, privacy, channel, language, or data-sharing choices. | Users receive enough notifications that they need control over type, channel, device, frequency, timing, or source. | Owners or admins need to manage durable access to spaces, sites, repositories, projects, folders, datasets, boards, environments, or sensitive objects. | An AI agent, workflow, deployment, or automation is ready to perform a high-impact step and must pause for human authorization. |
| Avoid when | The choice is only about non-essential cookies or device storage; use the cookie banner pattern instead. | The service uses only strictly necessary cookies and can explain them on a cookies page. | The product only needs a small app setting unrelated to communications, consent, or personalization. | The product has only a few low-volume notifications that can be handled by defaults and inline controls. | The task is quick one-object sharing with a link or a few recipients and no broader permission model. | The action has already happened and users only need an audit log. |
| Required state | Pre-consent state with optional processing off and the core task still understandable. | First visit with no saved preference. | Overview with preference categories and current effective status. | Default notification preferences state. | Default access list state with users, groups, guests, anonymous access, roles, and effective access. | Paused gate state with proposed action, payload snapshot, reason for gate, and run context. |
| Accessibility burden | Use a labelled region or dialog title that names the consent purpose, not a vague privacy heading. | Label the cookie banner region with the service name so users know which service is asking for the choice. | Group categories with headings, fieldsets, legends, and persistent labels that name the affected channel, purpose, topic, source, and scope. | Group preferences with headings and fieldsets for event type, delivery channel, device, and frequency. | Use labelled tables or grids with column headers for principal, source, role, capability, status, and actions. | Expose gate status, proposed action, target, payload summary, risk, approver rule, timeout, and current run state as text. |
| Common misuse | Treating continued use, scrolling, closing, or inactivity as consent. | Accept-only banners. | Using one master preference switch for communication, privacy, cookies, topics, and required messages. | Offering one master notification switch for a complex collaboration product. | Showing only direct users while group or inherited access remains active. | Showing Approve without the exact action, payload, target, risk, or resume consequence. |
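The permission-sharing column above insists on showing effective access rather than only direct grants, and the Bad UX row shows why: a downgrade applied to the direct grant changes nothing if a team or a parent container still grants the higher role. The following is an added example, not code from the original page, that resolves a user's effective role from all three sources (direct grant, group membership including nested groups, and inheritance from parent resources) and reports where each grant comes from, so an access surface can display, and a revoke action can target, every source. The role ladder follows the repository example in the table; the users, groups and resources are constructed for the demo.

```python
"""Effective-access resolution for a permission-sharing surface.

Added example (not from the original page). A role may reach a user
directly, through a group (possibly nested), or by inheritance from a
parent container; the UI has to show all three or a "Remove" button
lies. Roles follow the repository example in the table; all users,
groups and resources below are constructed sample data.
"""
from dataclasses import dataclass, field

# Weakest to strongest; list index is the comparable rank.
ROLES = ["Read", "Triage", "Write", "Maintain", "Admin"]


@dataclass
class Grant:
    principal: str  # a user name or a group name
    role: str


@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    grants: list[Grant] = field(default_factory=list)


def expand_principals(user: str, groups: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map every principal that applies to `user` (the user plus every group
    reachable through membership) to the membership path that reaches it."""
    paths = {user: [user]}
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in groups.items():
            if member in members and group not in paths:
                paths[group] = paths[member] + [group]
                frontier.append(group)
    return paths


def effective_access(user: str, resource: Resource, groups: dict[str, set[str]]):
    """Return (highest role or None, [(source description, role), ...])."""
    principals = expand_principals(user, groups)
    sources = []
    node, depth = resource, 0
    while node is not None:  # walk up the inheritance chain
        for g in node.grants:
            if g.principal in principals:
                via = principals[g.principal]
                how = "direct" if len(via) == 1 else "via group " + " > ".join(via[1:])
                where = node.name if depth == 0 else f"inherited from {node.name}"
                sources.append((f"{how} on {where}", g.role))
        node, depth = node.parent, depth + 1
    if not sources:
        return None, []
    best = max(sources, key=lambda s: ROLES.index(s[1]))[1]
    return best, sources


def downgrade_direct(resource: Resource, user: str, new_role: str) -> None:
    """What a naive 'change role' button does: it edits only the direct grant."""
    for g in resource.grants:
        if g.principal == user:
            g.role = new_role


def build_scenario():
    """Constructed directory: alice sits in backend-team, which sits in all-staff."""
    groups = {"backend-team": {"alice", "bob"}, "all-staff": {"backend-team", "carol"}}
    org = Resource("acme-org", grants=[Grant("all-staff", "Read")])
    repo = Resource("acme-org/payments", parent=org, grants=[
        Grant("alice", "Write"),
        Grant("backend-team", "Write"),
        Grant("bob", "Admin"),
    ])
    return groups, org, repo


def run_demo():
    """Reproduce the Bad UX row: downgrading the direct grant leaves Write in place."""
    groups, _org, repo = build_scenario()
    before, _ = effective_access("alice", repo, groups)
    downgrade_direct(repo, "alice", "Read")
    after, sources = effective_access("alice", repo, groups)
    return before, after, sources


if __name__ == "__main__":
    before, after, sources = run_demo()
    print(f"before downgrade: {before}; after downgrade: {after}")
    for desc, role in sources:
        print(f"  {role:<8} {desc}")
```

A real access surface would render the `sources` list next to the principal and make the revoke action remove or explain each entry, since only removing every source actually changes the effective role.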
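The human-approval-gate column lists the fields a paused checkpoint must show (proposed action, payload snapshot, approver eligibility, timeout) and the Bad UX row describes the failure when an approval is not tied to them: a stale approval from an email link is applied to a customer state that has since changed. The following is an added example, not code from the original page, of a gate service that binds each approve token to an HMAC over the exact payload snapshot and the target record's version, enforces approver eligibility and separation from the requester, expires on timeout, and rejects the approval if the target has changed since the snapshot. Editing the proposal opens a new gate, so a token issued for the original amount cannot approve the edited one. The refund scenario, role names and versions are constructed for the demo.

```python
"""Human approval gate that binds the approval to what the approver saw.

Added example (not from the original page). Before an automation
resumes, the gate checks that the approver is eligible and is not the
requester, that the gate has not timed out, that the approval token
refers to the exact payload snapshot shown, and that the target record
has not changed since the snapshot. All identifiers, roles and the
refund scenario are constructed sample data.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Gate:
    gate_id: str
    action: str             # e.g. "issue_refund"
    payload: dict           # what the approver is shown and what will execute
    target_version: str     # version/etag of the target record when paused
    requester: str          # agent or user that proposed the action
    eligible_roles: frozenset
    created_at: float       # seconds; caller supplies the clock
    timeout_s: float
    status: str = "pending"


class ApprovalService:
    def __init__(self, key: bytes):
        self._key = key
        self._gates: dict[str, Gate] = {}

    def _digest(self, gate: Gate) -> str:
        # Canonical JSON so the MAC does not depend on dict ordering.
        canon = json.dumps(
            {"id": gate.gate_id, "action": gate.action,
             "payload": gate.payload, "target_version": gate.target_version},
            sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canon.encode(), hashlib.sha256).hexdigest()

    def pause(self, action, payload, target_version, requester, eligible_roles, now, timeout_s=900):
        """Open a gate and return (gate_id, token). The Approve control carries the
        token, so it can only ever approve this snapshot of this gate."""
        gate = Gate(secrets.token_hex(8), action, dict(payload), target_version,
                    requester, frozenset(eligible_roles), now, timeout_s)
        self._gates[gate.gate_id] = gate
        return gate.gate_id, self._digest(gate)

    def edit(self, gate_id, new_payload, now):
        """Approver changes the proposal: supersede the old gate and open a new one,
        invalidating any token issued for the original payload."""
        old = self._gates[gate_id]
        old.status = "superseded"
        return self.pause(old.action, new_payload, old.target_version,
                          old.requester, old.eligible_roles, now, old.timeout_s)

    def approve(self, gate_id, token, approver, approver_roles, current_target_version, now):
        """Decide whether the run may resume; returns 'approved' or a rejection reason."""
        gate = self._gates.get(gate_id)
        if gate is None or gate.status != "pending":
            return "rejected: gate not pending"
        if now - gate.created_at > gate.timeout_s:
            gate.status = "expired"
            return "rejected: expired"
        if approver == gate.requester:
            return "rejected: requester cannot self-approve"
        if not (gate.eligible_roles & frozenset(approver_roles)):
            return "rejected: approver not eligible"
        if not hmac.compare_digest(token, self._digest(gate)):
            return "rejected: approval does not match the presented payload"
        if current_target_version != gate.target_version:
            # The customer record moved on since the snapshot: the email link is stale.
            gate.status = "stale"
            return "rejected: target changed since the snapshot"
        gate.status = "approved"
        return "approved"


def run_refund_demo():
    """Constructed walk-through of the good and bad paths from the table."""
    svc = ApprovalService(b"demo-only-key")
    gid, tok = svc.pause("issue_refund", {"customer": "C-1", "amount": 42.50},
                         "v7", "support-agent", {"billing_lead"}, now=1000.0)
    stale = svc.approve(gid, tok, "dana", {"billing_lead"}, "v8", now=1010.0)
    gid2, tok2 = svc.pause("issue_refund", {"customer": "C-2", "amount": 80.00},
                           "v3", "support-agent", {"billing_lead"}, now=1000.0)
    gid3, tok3 = svc.edit(gid2, {"customer": "C-2", "amount": 65.00}, now=1020.0)
    old_token_on_edit = svc.approve(gid3, tok2, "dana", {"billing_lead"}, "v3", now=1030.0)
    approved = svc.approve(gid3, tok3, "dana", {"billing_lead"}, "v3", now=1030.0)
    return stale, old_token_on_edit, approved


if __name__ == "__main__":
    for outcome in run_refund_demo():
        print(outcome)
```

The version check is what makes the snapshot meaningful: when the approver clicks, the service reloads the target record and compares its version to the one captured at pause time, so an approval that was correct when emailed cannot be applied to a record that changed in the meantime.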