Evolution of Consent and Preference Management
The U.S. is really moving away from just that little cookie banner at the bottom to trying to think through all of the different choices you have to effectuate consent.
It’s raising very complex user experience questions.
—Justin Antonipillai, WireWheel
The granularity of evolving consent requirements, differences in definition and requirements across state laws, the added complexities of managing consent across multiple channels, and other factors have certainly placed a heavy burden on the adtech industry, publishers, and brands.
Now, increasing attention is being paid regarding the burden consent and preference management is placing on consumers and the deleterious impact to the user experience.
To discuss the evolution of consent and preference management, how we got here, and where it is going, WireWheel Founder and CEO Justin Antonipillai moderated a discussion at the 2022 Summer Spokes Technology Conference (held June 22-23).
Joining Justin to discuss Consent and Preference Management Across the Globe were BBB National Programs Senior VP, Privacy Initiatives Dona Fraser, and Ruth Boardman Co-Head of the Privacy Practice at Bird & Bird. Boardman is currently on the board of directors of the IAPP, and a member of the UK government’s Export Council, advising it on data transfers.
The evolution of request for consent
The pre-GDPR Cookie Banner was “an overlay and just an invitation to click OK. Very unobtrusive,” begins Boardman:
“But they are changing. They are getting bigger and giving more choice. This banner [illustrated below] has a choice of accepting all cookies or accepting only essential cookies.”
“This next example is a good illustration of an approach which came in with GDPR, but which is increasingly being challenged:
“The idea here is that you have a brief overlay on the homepage. Then, if you click through, you bring up the more detailed information where there’s a list of the particular purposes and third parties.
“The choice is to ‘accept’ or ‘manage cookies.’ To say yes to everything or to go into more options (including saying no.)” And as Boardman observes, the use of color and the complicated process to exercise more control, nudges the user towards accepting everything (what could be called a dark pattern).
While quite common when GDPR became applicable in 2018, it is increasingly being challenged.
One requirement of the GDPR is that it should be as easy to withhold or withdraw consent [Article 7] as it is to give consent. Pressure from privacy activists and from data protection authorities is that this kind of user interface – requiring multiple steps to exercise choice – is arguably unfair, because you’re playing on the subconscious to nudge into accepting.
—Ruth Boardman, Bird & Bird
How these changes played out can be seen in the before and after illustrated below. You can see that Google has moved off ‘agree or customize’ to ‘accept or reject all.’ Notably, the options “are mutually positioned, the same color, and the same size,” notes Boardman. You also have ‘more options’ to exercise more sophisticated control.
The drivers of consent evolution
The evolution of consent management has been a combination of a number of factors:
- Most importantly, it’s the law. “It’s a combination of legislation and the ePrivacy Directive” which says that using cookies or cookie-equivalent technologies – in fact, whenever information is stored or retrieved – you need consent unless it is for essential purposes. There is also a requirement for consent, actually dating back to 2011 reminds Boardman, if you’re doing (in broad terms) cross-site targeting. However, what consent means was altered with the GDPR and “that’s what’s driving this evolution.”
- This legislation has been coupled with regulatory guidance from supervisory authorities including the ICO (UK), CNIL (France), DSK (Germany), AEPD (Spain), and others. All “requiring much more transparency and much more granular user control.”
- There have also been a series of cases – some going to the CJEU (e.g., Planet 49) – as well as a series of complaints by the “lobby group” nyob founded by Max Schrems that has been really influential.
- Industry guidelines, in particular the IAB transparency and consent framework (TCF) developed by the adtech industry designed to allow adtech participants to prove they meet GDPR obligations by demonstrating consent.
Why cookie banners look the way they do
The reason the evolving appearance of cookie overlays look the way they do are a function of the detailed GDPR consent requirements, says Boardman. Namely:
- Consent must be specific and informed. “The individual needs to know the particular purposes for which they are giving consent at a detailed level,” such as distinguishing between cookies for analytics or targeted advertising.
Boardman notes that “the TCF goes even further and breaks it down into consent for targeting to display content versus targeting to customize ads versus consent in order to carry out measurements or attribution purposes, for example.”
- The identity of every party relying on consent must be specified. This is why there are multiple screens to reference your partners and linking to a list that typically includes hundreds of parties.
- The “consent has to be demonstrable and unambiguous” and requires “clear affirmative action.” A key driver for the move away from the simple banner reading, “’by continuing to use this site…’ which infers consent which does not provide demonstrable proof. And lastly,
- Consent has to be freely given and revokable without detriment specific to different processing operations; service cannot be dependent on consent; it must be as easy to withdraw as it is to give consent; and it must be separate from other terms.
“Revokable without detriment impacts the ability to have cookie and pay walls,” says Boardman. “There are currently cases pending and on their way to the Court of Justice, looking at if you try and have paywall how much can you charge per month per user before this starts to be a detriment.”
Tough on adtech, tough on consumers too
This has an implication for user experience that can be equally burdensome. There is a burden by not having granular choice, but having granular choice also is a burden to the data subject because the consumer has to look at a lot of information.
Breaking down individual choices and processing in that granular way means that consumers must interact multiple times before they get to what they want to do.
—Justin Antonipillai, WireWheel
“It does impose a burden on the user. But my experience has been that when organizations try to raise that argument… and ask for consent in a lighter touch global way…it doesn’t get a very sympathetic hearing,” opines Boardman. “The response is ‘maybe you shouldn’t do as much intrusive processing’…and to push the challenge back to industry.”
The proposals recently published in the UK pick up on this, says Boardman and “as a first step, proposes that you don’t need to ask for consent for analytics cookies but this is coupled with the requirement that consent won’t be taken out unless and until various well-developed technologies allow users to have that degree of control.
“The difficulty with the current approach is that it has clearly been designed to meet the obligations to prove consent in a way which is very granular,” and it is clearly designed for this purpose and not the user. “That’s the challenge.”
“There seem to be a fair number of assumptions that consumers understand all of this,” opines Fraser. So, we’re putting all these choices in front of them presuming they know what any and all of this actually means.
For me, if it’s a choice about having advertising targeted to me that may actually be a distraction…it’s why I’m on the site in the first place. People process things very differently.
Even for those of us who understand it is overwhelming sometimes to the point where ‘did I just opt-out or what did I just opt-in to. And more importantly, how do I know my choices are even being honored?
—Dona Fraser, BBB National Programs
The consent and preference infrastructure
Antonipillai proffers that you have to think about technology that allows you to bring in consent and preference signals from multiple channels: not just web or mobile APP, but connected TVs, cars, and IoT devices.
This means having a way that you can look at a single universal consent and preference solution.
And not only capture those consent signals but prove it and have the record keeping behind it. One benefit from the consumer experience perspective is that by unifying the signal, you gain the ability to move beyond one channel and having to capture it over and over again and begin alleviating the burden on consumers.
But it takes more than just a cookie tool, it takes a central platform to actually look at the choices across your channels and brands.
If the notion is that consent can lead to better customer data information, isn’t that what companies want so they can build that relationship? Build consumer trust?”
But, having that first-party user data – and being able to use it to the best of your ability to build that relationship – also means knowing you have a greater responsibility with that data.
—Dona Fraser, BBB National Programs
It’s still about trust
Fraser notes that most of the companies BBB National Programs deals with are international companies who are trying to create a streamlined process, not just for their users, but for their internal backend systems as well.
If they’re trying to create one website, one mobile APP, that’s doing it all everywhere, knowing that they have to comply with a myriad laws, it’s a huge challenge and a burden. But that said, your organization’s privacy program commitment to privacy and data ethics is the larger question.
If your organization is not first committed to dealing with this on a day-to-day ethics level with transparency, the consent management process isn’t going to work. It’s not going to have the veracity that users need in order to share their data willingly.
The challenge that we are still going to see is explaining to consumers why they’re opting in.
— Dona Fraser, BBB National Programs
“The fact that you just want to browse a website and are faced with these questions and procedures can be an overwhelming experience,” continues Fraser, and “technology may offer a way for us to streamline this, but state laws are going to force our hand. “The problem is the cost of doing business,” she says.
“BBB National Programs tends to work with small to medium sized companies and they don’t necessarily have the resource for dealing with this. They struggle to go beyond just checking the compliance box and look to manage customer relations in another way, but I don’t think companies can separate that anymore.”