
Colorado Attorney General Phil Weiser on Data Privacy

Colorado is among the states leading the country on consumer data and data privacy. The Colorado Privacy Act (CPA) is one of the laws setting the pattern for how states protect consumer data in the U.S., which makes Colorado one of the three states that virtually every company in the country is watching.

To provide some insight on what to expect from Colorado, the Day-One Keynote of the 2022 Summer Spokes Privacy Technology Conference featured Colorado Attorney General Phil Weiser.

The following are excerpts from Mr. Weiser’s comments. They have been lightly edited and quotation marks omitted for ease of readability.

Who is Philip J. Weiser?

I have been a student, a practitioner, a teacher, and a scholar on the regulation of emerging technologies… I’ve been involved as a federal official, as a state official, as someone who has worked on issues from the public policy side. My true north is how do we best serve and protect consumers in the midst of technological change. Privacy is obviously a core part of this effort… I now serve as Colorado Attorney General.

After I clerked for a couple of years, I went to work for Joel Klein, who was the head of the antitrust division at the U.S. Department of Justice (DOJ) at the time. This was at the dawn of the Internet age: 1996, the Telecommunications Act of 1996; efforts to allow commercialization of Internet technologies; the Microsoft case involving the browser wars; and the advent of broadband.

It is in this era I was involved as a federal official and as a state official. As someone who has worked on these issues from the public policy side – and my true north is how do we best serve and protect consumers in the midst of this technological change – privacy is obviously a core part of this effort.

In 2009 I rejoined the federal government after a decade in academia. So I worked for Joel Klein for a couple of years, and then was in the telecommunications program at the University of Colorado, whose law school founded a Center of Law, Technology, and Entrepreneurship known as the Silicon Flatiron Center; worked as head of the Colorado Innovation Council; worked on Obama’s transition for the Federal Trade Commission (FTC); then went to work for the DOJ; then the White House to work on issues around technology, competition, and innovation; and afterwards back to Colorado, where I served as the dean of the law school for five years.

I now serve as Colorado Attorney General.

How the rubber meets the road

Technology is a core part of what I focused on, and when I ran for Attorney General the consumer protection mission and the impact of changing technology was on my mind.

As soon as I got in, we had this question about Colorado passing its own data privacy law. I’ve referred to this as a ‘second best solution.’ In the best of all worlds Congress would adopt a federal privacy law. I had worked on an effort that many – Danny Weitzner most notably – helped champion in the Obama White House: A privacy Bill of Rights concept.

The tools we have now include data security laws in Colorado, which include data breaches as well as requirements for companies to take reasonable precautions to make sure your data is protected. And now this data privacy law that we’re in the midst of implementing. We’re currently in a consultative period. We will have some public sessions coming up, and then we’re going to put out a formal rulemaking this fall.

How do we ensure the rubber hits the road in the right way and we’re actually protecting consumers?

Part of the core effort is to make sure consumers know what their rights are, have a sense of when they’re not being honored, and can let us know. How do we tell businesses what their obligations are, what they need to do, and create enough space for that compliance to happen?

This is a complicated puzzle…it’s going to take time.

We want to be thoughtful. We want to make sure that we’re focusing on what really matters. And we will make sure that we’re not being overly prescriptive in assuming there’s only one way to do something.

What can companies anticipate from the Colorado Privacy Act?

We need to allow a period for compliance and make sure we give businesses the information and tools to get into compliance and we’re not going to play games or gotcha…We’re really trying to get it right. We want to work with you.

Stage One: Over the course of the summer months, it is a more informal engagement process. If you are an actor in this ecosystem and you’re asking, what do I need to know or how do I get engaged, we have set up a website with a comment forum to give you more visibility and a chance to be heard.

Stage Two: We will put out a call for comments with specifics for people to comment against. For example, a universal opt-out mechanism is something that’s going to get a lot of attention that we’re going to be wrestling with. Another one we want to hear from people about is the concept of ‘dark patterns.’

This is ‘the fall process.’ The law calls on us to complete a rulemaking by May of 2023 and our vision is to finish it well in advance of that.

Stage Three: There will be an implementation period. We know that compliance is not going to necessarily happen immediately. We need to allow a period for compliance and make sure we give businesses the information and tools needed to get into compliance.

I’m interested in making sure that the enforcement we do is towards those bad actors who are willfully non-complying. The people who are really trying to get it right, we want to work with you. We’re not going to play games or gotcha.

Harmonizing the States’ Privacy Laws

I have a lot of thoughts on harmonizing with the other states that are thinking about this. The key concept is interoperability or compatibility. If our law is interoperable and compatible with California’s, and we’ve given people tools so they can readily comply with both, then we have succeeded.

If, by contrast, our law is incompatible with some other state’s laws…then we have made life impossible for companies, who can comply with one or the other, but not both. (An extreme example would be a specific form of technology to implement certain requirements.)

It’s on us to make sure that we work with our fellow states. That we are thoughtful about how we enable sound compliance. I believe we can do that.

We need to be able to build trust and protect consumers, but also not stop development of new products that can benefit consumers and what the consumers want.

I do have a general awareness that we as enforcers need to be careful about being overly prescriptive. It’s not that I would be averse to ever seeing a need for a technological standard, but even many technological standards will leave implementation choices so that you’re not endorsing specific technologies. There’s a lot of work to be done in this area, and we’d love people’s feedback.

A federal data privacy framework is needed

What would be best is if the ideas that are getting generated through this process – the experimentation at the state level – find their way into national legislation.

There has been a cost to a lack of federal leadership in data privacy. The U.S. Government, which developed fair information privacy practices in the 1970s, was the leader in data privacy. That leadership has been ceded over the last 20 years…and now we are part of an increasingly smaller list of countries that have not developed their own data privacy frameworks.

We need a federal privacy framework, and it is important that we do things based on rigor, based on careful analysis, and not be overly prescriptive from the standpoint of preventing technological development and innovation.

This brings me back to my point about the ‘second best.’ The second best we have in the U.S. is the states. But because Colorado, California, and others will have an alternative to GDPR, it can enable dialogue and learning.

What would be best is if the ideas that are getting generated through this process…find their way into national legislation.

Avoid dark patterns and use privacy laws to build trust with customers

Every company knows that one of its core value propositions is trust: do customers trust you? Do your business partners trust you? Do your regulators trust you? When you engage in behavior that is unworthy of trust, that can do great damage to your brand. Think really carefully about how you approach this issue.

First advice: you’re hearing more about design thinking and user-centered design. Companies that ask ‘how does this look to the customer?’ will avoid behavior that is going to get you in trouble.

In the dark-patterns conversation, the basic point is if companies are really trying to give users awareness about their data, give them visibility on what data they have, and help them make informed choices, they are going to be more readily able to comply.

Where companies ask the opposite question – who want to trick their users, to use data in ways that they don’t really understand and hope that they don’t notice – you’re playing a dangerous game. And it’s not only a dangerous game vis-à-vis compliance enforcement consequences. It can do great damage to your brand.

My second piece of advice: Constant vigilance. When collecting, storing, and managing data, we’re vulnerable to all sorts of risks. No company should comfort themselves with check-box compliance. You need to develop ways in which you’re constantly vigilant and giving customers awareness because there’s a lot of room for error and mistakes.


Privacy Operations in Practice: Practical Tips

I’m trying to be as proactive as possible rather than reactive. A cross-functional approach makes it possible for a small team to be proactive. For example, our dedicated customer experience team is a key stakeholder in our privacy operations. They’re the frontline of defense. The ones who are dealing with customers who may be raising privacy issues.

—Kelly Peterson Miranda, Grindr

Whether you’re a small company or large – well into your privacy journey or just setting out – establishing privacy in practice presents complex and dynamic technical and cultural challenges, made more demanding by the rapid approach of additional state regulations that significantly affect consent, advertising, and notice.

To offer practical guidance, Grindr’s director of global business and regulatory affairs, Kelly Peterson Miranda, and Melanie Ensign, CEO & Founder of Discernible sat down with WireWheel’s senior engagement manager, Sheridan Clemens, at this year’s Summer Spokes Conference to discuss Privacy Operations in Practice.

A cross-functional approach to privacy operations

“Grindr has a dedicated privacy team led by our Chief Privacy Officer (CPO),” says Miranda, who sits in legal as a stakeholder and advises the privacy team as she interacts with regulators. “But I am also focused on creating a proactive strategy for handling upcoming compliance obligations.” Grindr is a small company of about 160 people, so privacy is decidedly a cross-functional effort.

Using a cross-functional approach to implement privacy in practice makes it possible for a small team to be proactive. “For example, we have a dedicated customer experience team,” she says. “They’re the frontline of defense. The ones who are dealing with customers who may be raising privacy issues.”

We’re seeing even those companies that have dedicated privacy engineers putting a lot more resources into teaching and evangelizing so that everybody becomes a privacy engineer in some regard. Even if it’s not in your title you are working on a privacy project. You’re thinking about privacy.

—Melanie Ensign, Discernible

“What we’ve seen at Discernible: we have traditional big tech clients that have very large privacy engineering teams, and clients doing things similar to what Grindr is doing, such as teaching privacy to software engineers, SRE engineers, infrastructure engineers, and the other technical folks that own and operate all of the systems on which we need to apply and deploy privacy controls.”

That said, “we’re seeing even those companies that have dedicated privacy engineers putting a lot more resources into teaching and evangelizing so that everybody becomes a privacy engineer in some regard. Even if it’s not in your title you are working on a privacy project. You are thinking about privacy.”

Managing the tension between privacy engineering and privacy operations

We need to be realistic. That tension will probably always exist. There’s only so much bandwidth. You have the core products or services that you’re trying to deliver, and then you have the compliance obligations.

Oftentimes it comes down to people who sit outside of a legal, privacy, or compliance function who need to know, ‘What do we have to do? What are the black letter law requirements?’

—Kelly Peterson Miranda, Grindr

“The message we need to get across internally – and this is a long game – is that we are at a point, right now (especially domestically for those in the U.S.), that solely focusing on black letter law compliance obligations is only going to put you in debt for the long term: you’re always going to be playing catch-up and you’re always going to be playing a high-risk game.”

“You have to meet the engineers where they’re at and explain, yes, the law says X and my advice to you is that we need to do X+Y to enhance it because we are essentially future-proofing,” urges Miranda. “It will pay dividends in the long run. And we, as compliance professionals, have to do a better job of storytelling about the why behind the work we’re doing rather than simply stating, ‘it’s the law.’”

Organizational benefits of privacy operations

There is no company in the world that’s going to get credit for just operating at the legal minimum. You do not build a reputation and you do not build benefit of the doubt by constantly hitting bare minimum.

—Melanie Ensign, Discernible

“And privacy is not solely a legal decision,” continues Ensign. “There’s other types of risk that are involved, and sometimes, those other types of risk may be more compelling to the business than the legal risk.”

“In a communications role, I’m spending all day worrying about reputation and public perception. Prior to founding Discernible, I was leading security, privacy, and engineering communications at Uber, where we viewed legal requirements as the floor, not the ceiling.”

“You need to bring your cross-functional partners together to talk about the different types of risks that exist and what future proofing looks like for the organization,” suggests Ensign. “Then you can go to the business and say, ‘Here is the legal risk. Here’s the reputation risk. The financial, market, and competitive risks.'”

“But nobody wants to be at a disadvantage, and it seems everybody’s waiting around not advancing privacy because they worry if they’re not exploiting people on the marketing side, their competitors still are,” observes Ensign.

Approaching risk cross-functionally, you can go to leadership “with a 360-degree view of the risk and present recommendations to protect the business for the long term. And Kelly’s a hundred percent right. It’s about the long game and not giving the business whiplash every six months when a new privacy law comes into effect.” And as Miranda points out, “reputational risk can speak loudest to the business and especially to the C-Suite.”

“Everyone in the world sends a message to their customers saying, ‘we take privacy seriously,’” continues Miranda, “so you need to double check with your comms and marketing team about what statements were made in the past and whether the move we’re getting ready to make is antithetical to that. If it is, your competitors will call you out on it.”

“The question is not just are we breaking any laws, but also, are we breaking customer trust?”

“The other function that I recommend that folks check in with is your sales teams,” suggests Ensign, “which also provides an opportunity to communicate how privacy investments are directly impacting the bottom line.”

Getting budget and scaling up

With CPRA going into effect in mere months, and Colorado and Virginia following, privacy teams will need both budget and scale to cope. Doing this, particularly in resource-constrained environments, can be difficult. So what is the approach?

Teach existing functions how to improve their own workflows rather than trying to build a separate privacy silo that’s not part of anybody else’s existing performance reviews or performance ladder.

—Melanie Ensign, Discernible

“If you’re on a small team, don’t try to create everything from scratch,” continues Ensign. “In my experience, investment in time and energy is better spent building relationships.” Get support from engineering, marketing, operations, et al. “You’ll get more bang for your buck. When you’re small, you can’t do it by yourself. And when you’re big, you’re just wasting resources.”

Technology is a critical factor as well. “Less reliance on manual processes, and more reliance on automation, that’s either built in house or through a third party is key,” stresses Miranda. “If you’re manually fulfilling your compliance obligations, that’s good intentions, not best practice. Process and tools are the way to scale your privacy operations. Understand the tipping point of when a centralized privacy function may not work anymore.”

Measuring privacy compliance success

We’re seeing a push towards transparency overall. How compliance obligations help support the bottom line and the view of privacy as an asset to, rather than a deficit to doing business.

—Kelly Peterson Miranda, Grindr

There are numerous metrics related to meeting legal requirements: the number of DSARs or number of deletion requests being processed. The timeliness of the response. How many high-risk processing activities are undertaken and for which you’ve put in sufficient controls. Number of DPAs. How many privacy incidents and their time to resolution.

Beyond that, there are a myriad of additional and equally important metrics, notes Miranda, such as training: how much, when, and what kind of training are you offering? The number or value of deals privacy helps to close, and DSO rates? Is there a positive impact on reputation?

Metrics are going to mean different things to different companies, depending on the context. DSAR spikes are a negative thing if you are going through a crisis [like a cyber breach]. But being able to respond quickly [and effectively] is a win you may want to communicate publicly.

—Kelly Peterson Miranda, Grindr

Importantly, “when you’re dealing with consent, you need to look at it as a measure of the trustworthiness of your company,” says Miranda. “I think you also need to look at, for example, the consent rates for different things, or perhaps help articles related to privacy: how many views are you getting?”

“Tell a total story: the wide breadth of things that a privacy function can actually do.” Some of it will be shared with the C-suite, some company wide. “But also look for stories to tell publicly with metrics that help engender trust.”

“We’re seeing a shift to where customers are demanding more information about privacy and security as they evaluate whether they’re going to do business with an entity,” says Miranda. “This means marketing and sales needs to know more so they have the privacy fluency needed to close the deal.”

In short, privacy needs to be a compelling story internally (told in the context of what is important to your partners in sales, marketing, engineering, government affairs, the C-suite) and externally to customers and regulators.

Compelling stories need good storytellers.


Consent and Advertising in 2023

Looking back, the General Data Protection Regulation (GDPR) really set the bar for notice, choice, and consent and, unbeknownst at the time, gave us a look into the future of how privacy legislation would evolve. Years later, California provided the first interpretation of what privacy law was going to look like in the United States at the state level. Evolving from the California Consumer Privacy Act (CCPA) to the California Privacy Rights Act (CPRA), four states have now followed: Virginia, Colorado, Connecticut, and Utah, with several others in discussion.

Today, organizations are mobilizing to devise consent management and notice strategies – the common themes across all the legislation – across multiple channels, brands, and devices from phones to smart TVs and connected appliances.

Joining WireWheel CPO Rick Buck at the SPOKES Privacy Technology Conference (held June 22-23) to discuss Consent and Advertising in 2023 are Jennifer Harkins Garone, Sr. Director, Privacy at Carnival Corp.; IAB and IAB Tech Lab EVP and General Counsel, Michael Hahn; and Gary Kibel, a Davis + Gilbert LLP Partner.

This seasoned group of privacy experts has seen the concepts of notice, choice, and consent go from non-existent to becoming a front and center issue.

A lot to unpack

With all these new laws, all the different state laws, and the lack of a federal law in the U.S., it is very challenging because definitions in the laws do not line up and obligations in the laws do not line up. This leads to the big question: what sort of solutions should you implement?

—Gary Kibel, Davis + Gilbert LLP

[Table: consent and advertising laws in 2023, opt-in versus opt-out by state]

“Do you implement a state-by-state solution, or a one-size-fits-all solution based on the strictest standards brought together from multiple jurisdictions?” asks Kibel. “You can’t simply say I’m going to follow the one strictest state, because there are unique differences.”

“Some of the laws have definitions of sensitive personal information (PI) which do not line up exactly,” notes Kibel. “The most impactful difference is that Virginia, Colorado, and Connecticut require an opt-in to process ‘sensitive personal information,’ while California’s CPRA and Utah require an opt-out.”

Importantly, most of the sensitive personal information definitions include precise geolocation. While Apple now requires apps to ask permission to collect your location information, “this is not a common practice on the web, where IP addresses and precise geolocation information are collected without an express opt-in. This is one of the unique things that’s going to change in 2023,” advises Kibel.

This requires some big decisions: since the opt-in is not a requirement in every state, will the pop-up be shown to consumers in Virginia, Colorado, and Connecticut only, or to everyone regardless of location?

The weeds of the law

Consider just a small sampling of consumer rights across the states, and the complexity of implementing consent, in terms of both policy and technical implementation, becomes clear:

  • The privacy laws have opt-out rights for targeted advertising, but the states define them differently (California calls it cross-context behavioral advertising).
  • The California Privacy Rights Act (CPRA) extends the California Consumer Privacy Act’s (CCPA) right to opt-out of sale to include sharing and limiting the use and disclosure of sensitive PI. “The CPRA requires there to be a new link which has the words ‘limit the use of my sensitive personal information,’” notes Kibel.
  • Other laws take a similar approach with a right to opt out of targeted advertising, sale, and profiling, with some requiring opt-in for use of sensitive personal information.

Once we dig into the weeds of the law, there are other disconnects even between the same concepts. The CPRA treats as a sale any transfer of data to a third party for monetary or other valuable consideration, while in Virginia it is only for ‘monetary consideration,’ which again necessitates deciding how to apply this right differently to consumers in different locations.

—Gary Kibel, Davis + Gilbert LLP

It is a lot to unpack. To help navigate the ever-changing privacy law landscape, WireWheel has created a Privacy Law Comparison Matrix.

The network-based approach to consent

“Do you need to obtain consent on the publisher or advertiser’s page? Or can you obtain consent on a single page in a broader network that bands together,” asks IAB’s Michael Hahn.

To look at an issue like this, we have to start with ‘what’s the basic standard?’ And while there are undoubtedly nuances in what it means to consent, for those thinking about this in a multi-state approach, you’re going to end up with what is typically the most rigorous version of consent to apply it everywhere.

—Michael Hahn, IAB

That most “rigorous version of consent” is the GDPR version, says Hahn, and one which also appears in some of the state laws. The CPRA adds that “a business must adhere to the following principles when designing its consent method, and any method that fails to meet these requirements may be considered a dark pattern and does not constitute valid consent” (Cal. Proposed Regs. § 7004(b)). The principles include:

  • Easy to understand
  • Symmetry in choice
  • Avoid language of interactive elements that are confusing, and
  • Avoid manipulative language or choice architectures


Does a network-based approach to consent work?

“When referring to a network-based opt-in approach”, says Hahn, “what we’re really talking about is providing consent to a large number of, let’s say publishers and ad tech companies to undertake cross-site tracking. In other words, you are being asked to opt-in to cross-site tracking for the network participants. However, when tested against the CPRA consent standard this network-based approach falls short.”

It’s tough to imagine making a strong argument to a regulator that when I go to publisher number one as a consumer, that I was sufficiently informed about what could be a large number of other publishers in the network…that providing this bulk consent is for a narrowly defined particular purpose.

—Michael Hahn, IAB

And indeed, the CPRA states that any opt-in link applies only to the business with which the consumer intends to interact (Cal. Civ. Code § 1798.185(a)(20)).

While the concept of multiple independent or joint controllers exists in state law, “generally speaking, state laws encumber the entity with whom the consumer has a direct relationship with a broad set of direct responsibilities and distinguish them from third parties: a concept that does not exist in Europe,” notes Hahn.

Hahn also notes that the draft regulations have an entirely new concept: “The business needs to either a) disclose the third parties to whom they have sold personal information and such third parties control the collection of the information, or b) provide information about their business practices.”

“I don’t know what the second half of that means,” confesses Hahn, “but whatever it does mean it suggests to me that it’s impossible to fulfill that requirement” in a network-based approach.

Operationalizing privacy law requirements

When asked if the ‘do not share’ prohibition under CPRA is tantamount to the right to opt out of behavioral targeted advertising, two or three years ago, most of us would have said no, they’re different. But the state AG has started to say they’re the same because with a lot of the behavioral and targeted advertising that is done through cookies (such as with Facebook) somebody is exchanging money in order to get that.

—Jennifer Harkins Garone, Carnival Corp.

The question becomes “If my company website has a Facebook cookie who is then selling that information, how does somebody who is running a program handle it?”

For Garone, the answer is “you have to apply the ePrivacy Directive to everybody. Or apply California to everybody. And it is going to be available on January 1, 2023, as opposed to 2025, because if you iterate, it costs a lot of money. Heck, if you don’t iterate it can cost a lot of money, so it is a very challenging decision.”

You have to look to technology. “In one part of our business we have a homegrown tool and we started to find it costs too much in money and lead-time to make the necessary changes with the constant parade of new laws. So, we’re looking at what the right technology stack is for us to manage it,” says Garone.

If the cookie banner is your opt-out vehicle, how do you make that work together with do not share? How do you bring do not share into your cookie and tags? It’s taking us a while to figure out because of all the nuances.

One of the ways we can make it easier on ourselves is getting the right technology.

There are still a lot of questions around the new privacy laws

You have senior executives who have goals to meet. They want to do targeted advertising. You need to have conversations with them and there are a lot of questions to ask, says Garone:

Who are you sharing data with? Under what definition? What is the agreement that you have if somebody says, I don’t want to process sensitive information? What are the contracts with third parties telling you? Are you making so much on targeted advertising that it is worth a potential fine? Can you cure in 30 days if necessary and what would be your plan to cure? Do you even have an internal process to get those regulatory letters to the right people?

In the end, operationalizing privacy, whether it is multi-state, single state, or globally, comes down to the basics. Questions need to be answered, competing requirements resolved, and decisions made.

“I was looking at an agreement with a third party,” relates Garone, “that we’re buying information from for prospecting. Going through the list of data elements…I found one was latitude and longitude. Why are we asking for precise geolocation? What are you going to do with that that you are not already getting? You’re going to have to protect it like you protect a credit card number. So it was struck.”

There are a lot of new common-denominator obligations:

Notice at point of collection. Updating privacy notices. Third-party due diligence for those with whom you share data. Contracting those third parties so they uphold your data the same way you’re obligated to. The ability to provide and honor rights – not only effectuate those rights and collect consent – but to pass those signals throughout the ecosystem.

All that is really hard to do.

—Rick Buck, WireWheel


Preference Management and Customer Experience

For any organization operating in the current data privacy climate, managing consumer consent is just one piece of the puzzle. In order to maximize transparency and build consumer trust, it is critical to consider how to manage and adhere to the preferences that consumers have communicated.

Companies impacted by the emergence of recent data privacy laws understand that a proactive approach to transparency can be beneficial, since building consumer relationships on trust drives customer loyalty and impacts buying decisions. Additionally, companies today are incorporating personalization into their marketing tactics to maximize consumer engagement and support sales. Teams that are unable to embrace preference management in their customer experience strategy risk losing market share to competitors that do.

Introducing Customer Experience

What is customer experience?

Customer experience is how customers view their direct and indirect interactions with companies. Direct interactions include anything customers actively do to purchase and use a product or service. Indirect interactions are unintentional encounters with companies. For instance, seeing an ad for a product before playing a YouTube video is an indirect interaction.

Everything a company offers (advertising, products, customer service, and more) contributes to the customer experience.

Why is customer experience important?

Organizations care about customer experience because it can be the “X factor” that drives tremendous revenue and growth potential. A recent Zippia survey found that companies that provide a superior customer experience can find their revenue increase by up to 15%.

Top Preference Management Factors that Influence Customer Experience


It is critical to create streamlined preference management experiences that allow consumers to quickly and easily find and manage their preferences. Complex user experiences can result in user frustration and abandonment. Over time, negative user experiences can turn into negative brand sentiment. Eliminating high-friction scenarios can improve the overall user experience.


Continued advancements in technology have allowed consumers to grow accustomed to having options. One of those options includes communication preferences. It is important to understand where, when, and how often your consumers want to hear from your brand.

If a consumer indicates that they prefer communicating through text message but your brand continues sending unwanted emails, your organization is wasting resources and alienating potential or existing customers. When consumer preferences are effectively managed and respected, organizations have the ability to maximize engagement with their audience. In turn, satisfied consumers may be more likely to buy.

Response Time & Consistency

Users expect to see digital updates reflected immediately. To make communication preference updates in real time, a system must be in place to automatically store, update, and delete preference data. When a consumer changes their preferences, the preference management system should accurately reflect those updates in every system across the organization that acts on them. Inconsistencies and lag time lead to negative user experiences.


Preference management is something that all brands should seriously consider if they want to increase positive engagement with consumers. Managing consumer consents and preferences is difficult, but it doesn’t have to be as daunting a task as it may seem. To tackle this challenge, many organizations use a consent and preference management platform to help with both consent management and preference management.

Looking for a solution to help manage consumer consent and preferences? Schedule a demo to learn more about WireWheel’s Trust Access and Consent Center.

  • Privacy

Multi-State Legislation Operational Readiness

I lean to the side of operations because the relationship between the privacy office and the business is critical. We look at these laws and we want to ensure that we can operationalize them for the business.

—Lisa Barksdale, Zillow

Beginning January 2023, three comprehensive state laws take effect: California’s (expanding on its earlier privacy regulation) and Virginia’s on January 1, and Colorado’s on July 1. Connecticut and Utah follow later in 2023.

The plenary session of the SPOKES Privacy Technology Conference (held June 22-23) – Multi-State Legislation: An Operational Readiness Discussion – brings together expert privacy practitioners who are experienced in crossing the legal, business, and technology divides necessary to translate what the law says into privacy programs that work in practice.

Lisa Barksdale, Director of Privacy at Zillow, Tara Jones, Yahoo! Legal Services Senior Manager, Global Privacy, and Katie Pimental, AGC, Global Privacy, Yahoo! joined WireWheel Founder and CEO Justin Antonipillai for this widely requested discussion.

The Challenge of Multichannel Consent 

It is necessary to think about a central source of truth and the ability to update downstream to your critical systems to understand what [consent] status is at any given time so that you can market in an ethical and legal way. A complicated set of challenges.

—Justin Antonipillai, WireWheel

The three major laws and most of the follow-on laws have two critical components that are the highest priority: 1) all of the new legal choices that brands and publishers have to make available to consumers across every channel, and 2) the state law requirements concerning privacy risk assessments and filing.

While the initial focus of privacy regulation emanating from Europe was cookie consent (resulting in the proliferation of website banners), in the years that followed, California required companies that sold data to provide a clear opt-out choice. And technically, you couldn’t finish that job just in the browser. The opt-out signal must update your databases.

Now in California, Colorado, and Virginia, consumers have a whole slew of opt-out choices, including, for example, targeted advertising and, under Colorado law, profiling. Adding to the complexity is the proliferation of IoT advertising channels such as smart TVs and connected cars, further necessitating a “central source of truth” to understand consumer consent status at any given time across all channels.

Privacy assessments, while not new for many, now include California’s requirement to actually file assessments with the California Privacy Protection Agency (CPPA) on a regular basis. And recent proposed California regulations include assessing third parties with whom you share data.

Ultimately, it comes down to the choices and legal frameworks that have to be put in place, and how you think about the critical assessments and privacy systems you need to have.

Solving the Challenge of Multi-Channel Consent 

Leveraging GDPR Experience

You’re going to have to understand what information you are collecting, processing, and storing (and where and how you are storing it) to ensure your mechanisms for consent, notice, and transparency actually reflect what your systems are doing.

—Katie Pimental, Yahoo!

“Yahoo is very fortunate in that a lot of the framework processes and technologies that we were required to build out for GDPR, we are now able to leverage for what we’re seeing come down in CPRA and other States when it comes to consent,” says Pimental.

She recommends looking at what your organization has already done. “Odds are you already have either a third-party or homegrown consent framework and mechanisms within your website for GDPR consent.”

“One thing to keep in mind,” cautions Pimental, “is the notion of sensitive personal information and its nuances within each of the States. You’re going to have to…understand what information are you collecting, processing, and storing – and where and how you are storing it – to ensure that your mechanisms for consent, notice, and transparency actually reflect what your systems are doing. There’s a lot of third parties out there that can assist with that.”

The U.S. has always traditionally been an opt-out regime where the default is always to opt-in. Now, the CPRA and the regs are bringing the opt-in concept to the U.S. for the first time in areas like online behavioral advertising.

—Katie Pimental, Yahoo!

“We didn’t have the legal or statutory obligations to provide these types of options to users,” notes Pimental. “It’s interesting because the technology hasn’t quite caught up with what the statutes are requiring today,” which has resulted in some of these statutes’ start dates and requirements being pushed back. “We definitely need to keep our ears to the ground in terms of how the laws are coming online,” she advises.

Managing Privacy Policy

While it is painstaking, the most efficient way to look at what needs updating and what changes to the privacy policy need to be made is to literally go line-by-line and State-by-State: [so it is] absolutely clear and transparent and the consumer can understand how and what we’re doing with their data.

—Tara Jones, Yahoo!

Jones notes that “unlike other pieces of the various regulations coming out, privacy policy notification and transparency is not a one size fits all. You can’t use ‘the most common denominator.’”

This makes for a significant management challenge. And while it is painstaking, the most efficient way is to go line-by-line, state-by-state, she offers.

“And then there is a completely separate operations team that manages the updates and sends all of it out for translation,” explains Jones. “It is painstaking, but this ensures that it is absolutely clear and transparent. This is not just a one- or two-person job, the whole team is involved in what is a multi-level process”.

Managing Consent

We need to just start looking at where we can be at the top of the funnel from a consent perspective – how many clicks does that represent? At what points do we need to add additional consents? And not just plug the holes.

—Lisa Barksdale, Zillow

“It’s challenging because there are so many different pathways for the user experience,” continues Barksdale. “You always want to think about the impact to the user…about how we achieve a more centralized way of establishing preferences and consents, while avoiding what could be perceived as dark patterns.”

She notes that the consumer is smarter today and “having consent choices at every point of data capture is becoming a nuisance to them. To counter this, we need to just start looking at where we can be at the top of the funnel from a consent perspective. How many clicks does that represent and at what points do we need to continue to add consent capture?

“If we just look to plug the holes, it’s not going to be good for the consumer and it’s definitely not going to be good for adoption rates – particularly as additional regulations come along.”

From opt-out to opt-in? 

What really caught my eye, and I’m not the only one, is that draft regulations in California have language about reasonable and proportional use of data, consistent with the perspective of the consumer. If it isn’t, the proposed language suggests that in those areas you might have to enable somebody to opt-in instead of opting out.

—Justin Antonipillai, WireWheel

As consumers are indeed much savvier, they now have “expected uses” of their data. “The question then becomes, what’s expected?” opines Pimental. “Is a free website expected to have advertising? Is advertising expected to result in the sale and sharing of your data?

We are really on the cusp of a fundamental shift in how we have to notify consumers to get consent.”

Interestingly, Pimental proposes that when considering what is reasonable and proportional, the GDPR provides a solid framework emanating from legitimate interest or contractual requirements. This, she suggests, may be a helpful perspective as a baseline for what may be “potentially reasonable and proportional within the new state laws.”

Ultimately, the evolution of consent and privacy assessment requirements is a complex set of legal and technological challenges. And as Barksdale suggests, “traditional concepts like ‘know your customer’ (KYC) are valuable. The more you know your customers, the easier decisions concerning navigation of consent will become.” And as Pimental notes, with regard to the technology implementations, there are many third parties available to help.

Key Takeaways

  1. Think about a central source of truth (your databases and systems) to capture and understand what the consent status is at any given time.
  2. Leverage what you may have already done under GDPR and compare that to what information and obligations are required under the state laws and ensure you are capturing that consent from an operations perspective.
  3. With privacy policies, there is no “most common denominator.” It’s painstaking to update privacy policies line-by-line for each State, but necessary if you want to ensure clarity and transparency for your consumer.
  4. Consider a top-of-the-funnel perspective for consent. How many clicks does that represent? At what points does consent capture need to be added? Don’t just look to plug the holes.
  5. Build a program centered on know-your-customer (KYC); consent navigation will then become easier.
  6. For those doing business in the EU, consider the GDPR framework around legitimate interest and contractual requirements as an internal measure when baselining what is reasonable and proportional.


  • Privacy Law Update

Privacy Law Update: June 21, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

UK Issues Response To Data Reform Consultation

The United Kingdom’s post-Brexit reform of its data protection laws took another step forward Friday with the government’s final response to its data consultation. Initially launched September 2021 under “Data: a new direction,” and opened to public comment for ten weeks, the final response features several incremental reforms, such as altering some accountability provisions including the removal of a data protection officer requirement, adding an opt-out model for a wide swath of online tracking, and updates to the U.K. Information Commissioner’s Office.

EDPB Adopts Guidelines On Certification As A Tool For Transfers And An Art. 65 Dispute Resolution Binding Decision Regarding Accor

The EDPB adopted guidelines on certification as a tool for transfers. Art. 46(2)(f) GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy decision. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool.

EDPB Deputy Chair Ventsislav Karadjov said: “These guidelines are ground-breaking, as they provide the very first practical guidance on certification as a tool for transfers – a new transfer tool introduced by the GDPR. The guidelines provide guidance on how this tool can be used in practice and how it can help maintain a high level of data protection when transferring personal data from the European Economic Area to third countries.”

Canada Introduces New Federal Privacy And AI Legislation

Canada took a step toward updating its privacy regime June 16, as Minister of Innovation, Science and Industry François-Philippe Champagne and Minister of Justice and Attorney General of Canada David Lametti introduced Bill C-27.  The Digital Charter Implementation Act, 2022 features three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.

The three-pronged legislation aims to strengthen Canada’s data privacy framework, primarily the Personal Information Protection and Electronic Documents Act, and create new regulations for the responsible development of AI, while continuing to implement Canada’s Digital Charter. The proposal would also introduce changes to how privacy is enforced in the nation.

IAB Eager To Work With Congress To Improve Federal Data Privacy Bill

The Interactive Advertising Bureau (IAB)’s Lartease Tiffith, Executive Vice President for Public Policy, released the following statement today in response to draft legislation in Congress creating a national data privacy framework, the American Data Privacy and Protection Act:

“We’re glad that Congress has finally produced a discussion draft for national privacy legislation that is bipartisan and bicameral, after years of hard work in the House and Senate to find a compromise. IAB and our members across the digital advertising industry support many of its provisions, and we’re eager to help improve the bill, not only to protect Americans’ consumer privacy, but also to create jobs and help strengthen the economy. We’re concerned about the impact on small businesses and internet users, who enjoy many free products and services thanks to data-driven digital advertising. Data is crucial to almost every business in today’s global economy. Rather than repeat mistakes that have harmed innovation and growth overseas, national privacy legislation here in the U.S. must maintain our country’s technological leadership and competitive advantage. IAB is working hard with our partners to produce the best result.”

Privacy Legislation

California: We continue to await the launch of formal rulemaking on the proposed CPRA regulations, which will likely trigger a 45-day public comment period. We encourage anyone interested in timely updates on the CPRA rulemaking process to sign up for the Agency’s email list.

Separately, AB 2273 the ‘Age Appropriate Design Code Act’ and AB 2408 the ‘Social Media Platform Duty to Children Act’ are on the agenda for a June 28 Senate Judiciary Committee hearing.

District of Columbia: B 24-0588 the ‘Stop Discrimination by Algorithms Act’ has been scheduled for a public hearing on September 22, 2022. This legislation was originally introduced in December 2021 at the request of Attorney General Karl Racine. The bill seeks to: (1) prohibit organizations from using discriminatory algorithms to make decisions about key areas of life opportunity, (2) require algorithmic audits for discriminatory patterns, and (3) require companies to publish easy-to-understand disclosures about their algorithms and permit individual correction if an adverse action is based on an algorithmic eligibility determination.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

  • Marketing
  • Privacy

Consent & Preference Management for Marketing

With the arrival of several new data privacy regulations, marketers all over the globe are racing to get up to speed with how best to manage consumer consents and preferences. Enabling consumers to manage consents and preferences is both a legal and a commercial obligation; however, it can run counter to your own marketing and sales efforts.

How does consent and preference management affect marketing campaigns? Is there a way for marketing teams to identify data privacy concerns and overcome them?

The short answer to all of the questions around consent and preference management is that solutions exist to keep companies compliant, brands visible, and consumers in control of their personal information. A longer answer requires understanding what marketing teams strive to accomplish and how their work relates to data privacy.

Marketing Challenges and Data Privacy

Consumers demand more from their content. Whether they want education, information, or entertainment, traditional media is being left behind. Marketers have to keep up and give consumers what they want. Consumers typically don’t want to be shown ads that don’t speak to them. They want personal experiences they can connect and resonate with; experiences that are more likely to boost a brand’s visibility and convert prospects into paying customers.

How can companies discover consumers’ preferences? By collecting information about what they want and what they respond to.

With data privacy laws quickly emerging across the globe, and the growing expectation of individual privacy as a civil liberty, consumer data collection has also become a large challenge.

Organizations must tell website visitors what information they want to collect, why they are collecting it, and how long they will retain it. Additionally, consumers must be given the option to deny permission and to dictate the channel and frequency of marketing communications. Marketing teams can no longer simply acquire consumer information without permission. They must comply with regulations and respect consumer privacy rights through transparent consent and disclosure.

Data privacy laws, along with the deprecation of third-party cookies, may hinder marketing efforts from a data analysis standpoint, and without all of the consumer data to drive market insights, organizations may struggle to develop and sell their products and services. The key is to acquire consumer data while practicing effective consent and preference management: balancing the need to collect data against respect for individual privacy rights.

Marketing Considerations for Consent & Preference Management

The law is one primary aspect marketing teams should take into consideration when approaching consumer data privacy and consent and preference management. Companies can be fined for non-compliance with privacy regulations designed to protect people’s rights.

Another significant aspect is consumer demand. What do people want? The growing trend among consumers is that they want to maintain their privacy, control their information, and receive relevant content.

Consent and preference management can allow marketing teams to serve the interests of their companies, follow regulations, and give consumers what they want. It is unethical to collect data from unsuspecting consumers without their consent or, at a minimum, an easy-to-understand notice about the data being collected. Surprisingly, many marketing teams don’t take advantage of the benefits that come with using a preference management system. Whatever preferences customers submit have the potential to provide marketing teams with an additional layer of data that could help uncover new market segments for revenue growth.

Benefits of Consent and Preference Management for Marketers

Consent and preference management gives marketing teams a prime opportunity to focus on consumers. Giving customers the power to grant consent, as well as provide their own preferences can create a bond between a brand and a potential paying client. Trust can build loyalty, which can result in repeat business.

Personalizing marketing messages zeroes in on what consumers want. When served with content that resonates with their interests, consumers tend to have a more positive experience. Additionally, the organizations that do this are also viewed as more genuine and caring towards customer needs. By respecting their consent and abiding by their preferences, it demonstrates that the consumers have been heard. Personalization can deliver a first-rate customer experience that forges a connection between brands and their target audience.

Succeed with Consent and Preference Management

Marketing teams should be doing everything they can to leverage these requirements as a competitive advantage. Marketers should work with data privacy, legal, and IT professionals to build, employ, and maintain a privacy program that includes consent and preference management. Collaboration can lay the groundwork for a system that delivers compliance and consumer insights.

A consent management platform can help ensure quick compliance while meeting a company’s business needs. Using such a platform can ease the burdens of consent and preference management. Marketing teams can use data that was legally obtained directly from consumers to improve the customer experience. When all of these factors work together, marketing teams can effectively engage with consumers and new prospects to generate even more revenue from sales.

  • Privacy Law Update

Privacy Law Update: June 13, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Understanding the American Data Privacy and Protection Act

On Friday, June 3, Representative Frank Pallone (D-NJ), Chairman of the House Energy & Commerce Committee, Representative Cathy McMorris Rodgers (R-WA), the committee’s Ranking Member, and Senator Roger Wicker (R-MS), Ranking Member of the Senate Commerce, Science and Transportation Committee, released to the public a discussion draft of a federal privacy bill. The “American Data Privacy and Protection Act” (ADPPA) is a comprehensive bill that touches all facets of the privacy debate that has been ongoing in Congress for well over 20 years. Some of the provisions in the discussion draft are bracketed, indicating those provisions are still under discussion and not yet agreed between the authors. In their press release, the three authors thanked Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) and Ranking Member Gus Bilirakis (R-FL), as well as Members of the Senate Commerce Committee, for their input and leadership on the discussion draft. Of note, however, Senator Maria Cantwell (D-WA), the Chair of the Senate Commerce Committee, is not an author of the bill.

The Genesis of ‘Privacy By Design’

The U.S. has never had a national data privacy law. That might be set to change with a new draft bill being debated in both chambers of Congress, with support from leaders in both parties.

The American Data Privacy and Protection Act includes requirements that any organization that “collects, processes, or transfers” information that can be linked to a particular individual follow the principles of “privacy by design.”  It’s a decades-old idea that the only way to ensure data privacy is to build it into applications in the earliest stages. It’s in Europe’s General Data Protection Regulation as well as Brazil’s national privacy law, among numerous other jurisdictions.  But applying that idea to continually evolving technology is likely to require some serious iterating, to use a Silicon Valley term.

Politico asked Ann Cavoukian, who coined the term and came up with seven “foundational principles” in 1997 when she was Ontario’s information and privacy commissioner, about the history — and the future — of the concept.

IAB Tech Lab Unveils Global Privacy Platform (GPP) To Consolidate Domestic And Global 

Following two years of collaboration with the industry and consultation processes with technical and legal experts across the globe, IAB Tech Lab, the digital advertising technical standards-setting body, announced the launch of the Global Privacy Platform. GPP is a product of IAB Tech Lab’s Project Rearc initiative. It is a single protocol designed to streamline transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers, and integrates with existing privacy signals from Europe’s Transparency & Consent Framework and the CCPA in the United States.

Location, Location, Location: Does Localization Still Matter In Data Privacy Regulation?

Today’s data privacy laws refer to specific regions. The GDPR applies in the EU, CCPA is relevant in California and so on. But as data privacy becomes more of a global standard, it’s time to evaluate this course of action and ask whether or not current and future laws still refer only to the regions for which they were initially meant.

Privacy Legislation

California: The California Privacy Protection Agency held a board meeting on Wednesday, June 8th. Lisa Kim and Stacey Schesser from the California AG’s office gave a presentation on the draft proposed CPRA regulations to the board. The board then voted 4-0 to empower Executive Director Soltani to take ‘all steps necessary’ to initiate formal rulemaking proceedings on this first set of CPRA implementing regs. Expect a formal announcement, and the start of a 45-day public comment period, soon (though we understand that non-substantive, technical corrections to the proposed regulations will be adopted first).

During discussion of future agenda items, Board member Le requested a legal opinion on what information the Agency can share about enforcement deadlines (suggesting there is appetite on the board to postpone at least some aspects of formal CPRA enforcement, given the delay in promulgating regulations). Board member Thompson also requested further information on the process for amending the proposed regulations.

Prior to the meeting, the board released its draft Initial Statement of Reasons (‘ISOR’) for the proposed regulations. Notably, the ISOR determined the regulations would not have a significant adverse economic impact on businesses as businesses are already required to comply with the CCPA and CCPA regs and that any adverse economic impact would come from the Prop 24 ballot initiative, not these new regulations. The ISOR further states that opt-out signals do not need to be enabled by a consumer, but that “selection of privacy-by-design products or services is an affirmative step and sufficient to express the consumer’s intent to opt out…”

Separately, California’s AB 2273 to establish an ‘Age-Appropriate Design Code’ has been referred to the Senate Judiciary Committee, joining AB 2408 the ‘Social Media Platform Duty to Children Act’ which was referred to the Judiciary and Appropriations Committees last week. Senate hearings have yet to be scheduled on either of these bills.

Colorado: The Office of the Colorado Attorney General announced that the comment portal for submissions on the Colorado Privacy Act’s pre-rulemaking considerations will close on August 5th.

Massachusetts: Mintz Law reports that last week the Joint Committee on Health Care Financing voted to send H 4514, the House version of the ‘Massachusetts Information Privacy and Security Act’ (MIPSA) ‘to study’ (rather than advance it). While the Senate companion (S 2687) is still technically awaiting action following its passage through the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1, it seems safe to predict that this bill has stalled out for the year. MIPSA contains distinct elements from the GDPR (bases for processing); CPRA (definitions and consumer rights); CPA (contractual requirements); VCDPA (enforcement); and ODPA (safe harbor for breach litigation). The Massachusetts formal session ends on July 31.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

  • Regulations

The CPPA Issues First Draft Of CPRA Regulations – Part One

On Friday, May 27, 2022, on the brink of a holiday weekend, the California Privacy Protection Agency (CPPA) issued a preliminary draft of its proposed regulations implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

General Overview

These are only the preliminary draft regulations. This is not the final language.

  • The CPPA’s June 8 board meeting will likely provide more information on the rulemaking process.
  • The deadline for final CPRA regulations is still a moving target. Ashkan Soltani, CPPA Executive Director said in February the CPPA would go “somewhat past the July 1 rulemaking schedule” and the timetable for completion was tentatively expected “in Q3 or Q4.”
  • The CPPA will ultimately issue a Notice of Proposed Rulemaking to trigger the formal 45-day rulemaking process.
  • Consumers, the CPPA, and the California Attorney General’s Office are all empowered to take businesses, contractors, service providers, and third parties to task for perceived non-compliance with privacy obligations.

The draft regulations:

  • Do not address all sections of the CPRA. Additional regulations are still needed to address cybersecurity audits, risk assessments, and opting out of automated decision-making technology.
  • Mandate the recognition of opt-out preference signals (i.e. Global Privacy Control, GPC)
  • Do not address the technical specifications to accommodate GPC signals
  • Create new notice-at-collection requirements when 1st parties, such as websites, allow 3rd parties, such as analytics providers, to collect personal information
  • Add consent requirements to prevent dark patterns
  • Specify notice and permissible use requirements for the right to limit the use of sensitive personal information
  • Require businesses to confirm they’ve processed opt-out of sales/sharing and limitation of sensitive personal information requests
  • State that cookie management tools alone are not sufficient to honor opt-out and limitation requests
  • Align the new requirements for data processing agreements with the existing CPRA contract requirements
  • Require businesses to conduct due diligence on service providers, contractors, and 3rd parties processing personal information


Summary of The Draft Regulations

Restrictions on Collection and Use of Personal Information: Collection, use, retention, and sharing of a consumer’s personal information should be necessary and proportionate to the purposes for which it was collected or processed.  It should not be processed in a manner that is incompatible with those purposes.

Consent and Dark Patterns: When obtaining consent, businesses must

  • Use methods that are easy to understand
  • Provide for symmetry in choice
  • Avoid confusing language and elements
  • Avoid manipulative choice language

Privacy Policy: New requirements were added to:

  • Declare and provide appropriate notice if sensitive personal information is processed for purposes other than those authorized by the CPRA and the regulations
  • Provide information on the new rights under CPRA
  • Explain how opt-out preference signals are processed

Notice at Collection: In addition to existing CCPA requirements to notify about categories of personal information, purpose and use of collection, and if data is shared or sold, the draft regulations now require businesses to provide notice at or before the time of collection of personal information on:

  • Categories of sensitive information collected
  • Data retention for each category of personal information

There are new notice requirements for 1st and 3rd party data collectors

  • 1st parties allowing 3rd parties to collect data from consumers must list the names of all the 3rd parties collecting personal information
  • 3rd parties also controlling the collection of personal information should provide notice at collection on their homepage and provide the 1st party information about its business practices for the 1st party to include in its collection notice

Sensitive Personal Information: The CPRA currently allows businesses to process sensitive personal information for certain limited purposes.  The CPPA will rule on “other” purposes.  If a business processes sensitive personal information for other purposes, it must provide a notice and allow consumers to restrict processing to the permissible purposes through a conspicuous “Limit the Use of My Sensitive Personal Information” link.

Opt-Out of Sell/Share: In addition to the existing “Do Not Sell My Personal Information” links, the draft regulations require that links:

  • Are conspicuous
  • Either have the immediate effect of opting the consumer out, OR
  • Lead the consumer to a webpage where they can learn and make choices.

A link is not required if opt-out preference signals are processed in a “frictionless” manner (e.g. Global Privacy Control).

Alternative Opt-Out Link: To help simplify opt-out requests, instead of providing both an opt-out of sell/share link and a sensitive information use limitation link, a “single, clearly labeled link on the business’ internet homepages” to effectuate both of these requests is permissible. The link must:

  • Say either “Your Privacy Choices” or “Your California Privacy Choices”
  • Be conspicuous
  • Include the CCPA’s opt-out icon
  • Direct consumers to a website with certain information

Mandatory Opt-Out Preference Signals: The CPRA currently provides for the option of recognizing opt-out preference signals as valid consumer requests to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information.  The draft regulations mandate businesses recognize these signals.

The CPPA believes the CPRA “does not give the business the choice between posting the opt-out links or honoring opt-out preference signals.” The draft regulations now distinguish between recognizing opt-out preference signals in a “frictionless” and a “non-frictionless” manner. If a business provides the opt-out links, then it is allowed to honor opt-out preference signals in a “non-frictionless manner.” If a business processes opt-out preference signals in a frictionless manner, it does not need to provide the opt-out links.

A frictionless manner means:

  • Not charging a fee or other valuable consideration, not changing the consumer’s experience with the product or service offered, and not displaying a notification, pop-up, text, graphic, animation, sound, video, or interstitial content in response to the opt-out preference signal
  • Stating in its privacy policy that it recognizes opt-out preference signals in a frictionless manner
  • Ensuring the signal also effectuates opt-outs of any offline sales/shares

The draft regulations do not address the technical specifications for opt-out preference signals.
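The frictionless handling described above, as an added example that is not taken from the draft regulations or this article: a small Node.js handler that treats the browser’s `Sec-GPC: 1` request header as a valid opt-out request, records it server-side so offline sales/shares can be checked against it, and serves the requested page with no notification or interstitial. The consent ledger, consumer identifiers, request shape and right names are assumptions made for the example.

```javascript
// Added example (not from the CPPA draft regulations or this article): a minimal
// Node.js request handler that honours the Global Privacy Control (GPC) opt-out
// preference signal in the "frictionless" manner the draft summary describes.
// GPC itself is sent by the browser as the `Sec-GPC: 1` request header; the ledger,
// consumer ids, request shape and right names below are constructed assumptions.

// Append-only ledger of consent/opt-out events keyed by consumer identifier.
// Keeping it server-side (not only in a cookie) lets offline channels such as a
// mailing-list export consult it, so the signal also covers offline sales/shares.
class ConsentLedger {
  constructor() {
    this.events = [];
  }

  record(consumerId, right, status, source, at) {
    this.events.push({ consumerId, right, status, source, at });
  }

  // Status of one right for one consumer as of a point in time; the latest
  // event at or before `at` wins, and 'unknown' means no event was recorded.
  statusAt(consumerId, right, at) {
    let status = 'unknown';
    for (const e of this.events) {
      if (e.consumerId === consumerId && e.right === right && e.at <= at) {
        status = e.status;
      }
    }
    return status;
  }
}

// True only when the request carries a well-formed GPC signal. Header names are
// case-insensitive, and the GPC specification defines the value "1" as the signal;
// anything else is treated as no signal rather than as an opt-in.
function hasGpcSignal(headers) {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return name !== undefined && String(headers[name]).trim() === '1';
}

// Serve one page request. A GPC signal is treated as a valid request to opt out
// of sale/sharing and to limit use of sensitive personal information. Frictionless
// handling means the decision never adds a banner, pop-up or interstitial and never
// alters the page the consumer asked for; only the ledger and the flags change.
function handleRequest(req, ledger, now = new Date()) {
  // Assumption: consumerId comes from the site's own session, not from the signal.
  const { consumerId } = req;
  if (hasGpcSignal(req.headers)) {
    ledger.record(consumerId, 'sale_share', 'opted_out', 'gpc', now);
    ledger.record(consumerId, 'sensitive_pi', 'limited', 'gpc', now);
  }
  return {
    body: req.page, // unchanged content
    interstitial: null, // nothing displayed in response to the signal
    optedOutOfSaleShare: ledger.statusAt(consumerId, 'sale_share', now) === 'opted_out',
    limitSensitivePi: ledger.statusAt(consumerId, 'sensitive_pi', now) === 'limited',
  };
}

// Offline check used before, for example, exporting a customer list to an ad partner.
function mayShareOffline(ledger, consumerId, at = new Date()) {
  return ledger.statusAt(consumerId, 'sale_share', at) !== 'opted_out';
}

// Constructed demonstration: one visitor with GPC enabled, one without.
function demo() {
  const ledger = new ConsentLedger();
  const t = new Date('2022-06-01T12:00:00Z');
  const gpcVisit = handleRequest(
    { consumerId: 'visitor-a', page: '<html>home</html>', headers: { 'Sec-GPC': '1' } },
    ledger, t);
  const plainVisit = handleRequest(
    { consumerId: 'visitor-b', page: '<html>home</html>', headers: {} },
    ledger, t);
  return {
    gpcVisit,
    plainVisit,
    // The ledger answers point-in-time questions: blocked after the signal, not before.
    aSharableLater: mayShareOffline(ledger, 'visitor-a', new Date('2022-06-02T00:00:00Z')),
    aSharableBefore: mayShareOffline(ledger, 'visitor-a', new Date('2022-05-01T00:00:00Z')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```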



Deletion Requests: The draft regulations require service providers and contractors to:

  • Notify the consumer the request has been honored
  • Permanently delete the information and
  • Notify their service providers and contractors to also delete the information

Correction Requests: The right to correction is a new right provided by the CPRA.  Businesses:

  • Are required to determine the accuracy of the personal information by considering “the totality of the circumstances relating to the contested personal information.”
  • May request that consumers provide documentation as needed
  • Must ensure the accuracy of the information, and
  • Must ensure service providers and contractors also correct it

Opt-Out of Sale/Sharing Requests: The draft regulations state that a “notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information.”

  • Acceptable methods for submitting requests to opt out of sale/sharing must address the sale and sharing of personal information
  • Businesses are required to confirm the request has been honored
  • Businesses may display ‘Consumer Opted Out of Sale/Sharing’, or indicate through a toggle or radio button on their website, that the consumer has opted out of the sale of their personal information

Limit Use and Disclosure of Sensitive Personal Information Requests: The limitation on the use and disclosure of sensitive personal information is another new right provided by the CPRA. Businesses must:

  • Provide at least two methods for exercising this right
  • Comply with the request within 15 business days
  • Notify service providers, contractors, and 3rd parties
  • Provide a means by which the consumer can confirm that their request was honored

The regulations identify seven permissible purposes for processing sensitive personal information without having to provide the right to limit. These include:

  • Performing services or providing goods an average consumer would reasonably expect
  • Detecting certain types of security incidents
  • Ensuring the physical safety of individuals

Contracts for Service Providers and Contractors: The draft language introduces new requirements for service provider and contractor contracts that may need better alignment with the existing statutory requirements.

The purpose of these contracts is to restrict service providers and contractors from processing personal information for any purpose other than those specified in the contract and permitted by law. Contract language should include, among others, the following provisions:

  • Require compliance with all applicable provisions of the CPRA
  • Provide the same level of privacy protection as applicable to the businesses
  • Cooperate with the business for handling consumer rights requests
  • Provide reasonable data security provisions
  • Notify the business within 5 business days if the service provider or contractor determines it cannot meet its obligations
  • Provide the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor
  • Due diligence is required for service providers and contractors processing personal information

Service providers and contractors may:

  • Use and combine customer personal information “to detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”
  • Use customer data to comply with other laws, lawful process, to defend claims, if the data is de-identified or aggregated, or does not include California personal information.


CPPA Audits and Enforcement

  • The CPPA is permitted to perform audits in three situations:
    • To investigate possible violations of the law
    • The subject’s collection or processing activities present significant risk to consumer privacy or security
    • The subject has a history of noncompliance with the law “or any other privacy protection law.”
  • There are no provisions requiring consumers to file sworn complaints.
  • The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.”
  • The CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency’s consideration of the alleged violation.”
  • Businesses have a right to an in-person proceeding only if they request that the proceeding be made public. Otherwise, the proceeding may be conducted by telephone or video closed to the public.
  • Participants are limited to the company representative, legal counsel, and CPPA enforcement staff.
  • The CPPA serves as both prosecutor and arbiter.
  • The draft rules do not define how the agency preserves its neutrality in its later role.
  • The CPPA then issues a written decision and notifies the company electronically or by mail.
  • The draft rules provide that this determination “is final and not subject to appeal.”
  • Violations can result in an administrative fine of up to $2,500 for each violation, and up to $7,500 for each intentional violation or if the violation involves minors.
  • Multiple parties involved can be held jointly and severally liable.
  • There is no process to challenge judgments.

Notably, this is the first draft of the regulations and they will likely evolve and be joined by other regulations in the coming weeks. California is clearly drawing a line in the sand on its stance on privacy compliance.  We will continue to monitor this subject as it progresses and provide additional updates.


Privacy Law Update: June 6, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

US lawmakers closing in on bipartisan privacy framework

For the first time in years, members of U.S. Congress have found common ground on comprehensive federal privacy legislation and a bipartisan framework may be in reach. Politico reported members of the U.S. Senate and House are circulating a draft bill that includes bipartisan compromise on the two biggest stumbling blocks between parties, federal preemption and the private right of action. The draft from Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker, R-Miss., and House Committee on Energy and Commerce leaders Frank Pallone, D-N.J., and Cathy McMorris Rodgers, R-Wash., speaks to previously reported momentum between chambers and parties, but the proposal also hasn’t yet garnered the support of Senate Commerce Committee Chair Maria Cantwell, D-Wash., arguably the most important legislator working on federal privacy legislation.

IAB Tech Lab Unveils Global Privacy Platform (GPP) To Consolidate Domestic And Global Privacy Signals For Digital Advertising

Following two years of collaboration with the industry, and consultation processes with technical and legal experts across the globe, IAB Tech Lab, the digital advertising technical standards-setting body, is proud to announce the launch of the Global Privacy Platform (GPP). GPP is one of the products of IAB Tech Lab’s Project Rearc initiative. It is a single protocol designed to streamline transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers, and integrates with existing privacy signals from Europe’s Transparency & Consent Framework and CCPA in the U.S.

DuckDuckGo Passing Data to Microsoft

An external auditor reported on a “secret data flow list” that enables the sharing of data with Microsoft for third-party advertising. The audit describes how DuckDuckGo’s web browser did not block data transfers to ad platforms owned by Microsoft—LinkedIn and Bing—when the auditor was on a site that was not a Microsoft property. The audit is nuanced, and I think the auditor’s commentary is the best way to simply relay the findings. One main take-away is this: DuckDuckGo intentionally left certain third-party trackers unimpeded while many users thought the product would be blocking those trackers.

Metaverse Privacy Concerns: Are We Thinking About Our Data?

The metaverse is no longer a concept—it’s here. And as it gains more traction from tech companies like Microsoft, Facebook and Nvidia, and retailers like Nike and Ralph Lauren, we need to start talking about the potential privacy implications that occur when our real and virtual lives become increasingly blurred.

Privacy Legislation

California: The California Privacy Protection Agency has released an initial set of draft implementing regulations for the California Privacy Rights Act. The Agency has yet to enter formal rulemaking procedures on this draft and we will be closely watching a June 8 Agency board meeting for potential announcements of next steps in the process. There is plenty to dig into in these proposed regs, so be sure to check out expert analyses from our friends at Frankfurt Kurnit, Hogan Lovells, & Kelley Drye.

Separately, we expect to closely follow Assembly members Wicks’ (D) and Cunningham’s (R) pair of child online privacy, safety and design bills as they move from the California Assembly over to the Senate. AB 2408, the ‘Social Media Platform Duty to Children Act’, has been referred to the Judiciary and Appropriations committees, while AB 2273, to establish an ‘Age-Appropriate Design Code’, has yet to formally receive its committee assignments.

Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) was withdrawn from a potential House vote by sponsor Daryl Deshotel (R) on Tuesday, May 31. Deshotel said that he wouldn’t run a bill without 100% business buy-in and that his bill only got 85% of the way there. Nevertheless Deshotel got a final set of amendments adopted to help set the bill up for next year including: (1) replacing the “sexual orientation” sensitive data category with “an individual’s sex,” (2) narrowing the right to portability to only cover information provided by the consumer in the previous 12 months, and (3) narrowing the right to delete to personal data previously provided by the consumer. We are moving HB 987 to the failed bills list.

New York: New York’s legislative session ended on June 2 without passing comprehensive privacy legislation. However, on May 31, S6701, the ‘New York Privacy Act’ from Senator Thomas (D) was significantly amended to bring the bill into greater alignment with the VA-CO legislative model. Core changes include:

  • Limiting the definition of “biometric data” to information that “allows or confirms unique identification of a natural person”
  • Adding relatively standard definitions of “decisions that produce legal or similarly significant effects”; “precise geolocation”; and “sensitive data” and amending the definitions of “profiling” and “targeted advertising”
  • Amending the transparency notice requirement to remove “the identity of each third party” recipient and replacing it with the disclosure of “categories of third party” recipients.
  • Narrowing the opt-in consent requirement to “sensitive personal data” rather than just “personal data.”
  • Creating a right to opt-out of data sales, targeted advertising, and significant profiling, that may be exercised through user-enabled privacy controls.
  • Reducing the restrictions on the use and retention of personal data to clearly permit internal business operations and compliance with legal obligations.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.


Best Consent & Preference Management Platform Features

Managing your consumers’ consent and preferences can be complex, but it doesn’t have to be a strain on your team. Consent management platforms help organizations comply with local and global data privacy regulations. Using a platform to streamline the process can ensure you remain compliant in the face of new and changing legislation while expediting data collection.

Those searching for a solution find that the best consent and preference management platforms not only streamline privacy operations, but also support marketing, sales, and customer engagement. This helps organizations to comply with privacy laws without exhausting organizational resources like time and money.

In this post, we’ll review what to consider when searching for a consent and preference management solution:

  • Who can benefit from a consent and preference platform?
  • What are the essential features to look for in a solution?
  • Build vs Buy: Considerations between building and buying a solution

Who Can Benefit From a Consent and Preference Management Platform?

Any organization that is handling consumer data should consider a consent and preference management platform to track user consent and preferences and personalize customer experience. There are some organizations in particular that would benefit greatly from the streamlined services a consent and preference management platform offers.

Organizations that do any of the following should consider a platform in order to reduce risk associated with non-compliance:

  • Use website visitors’ personal information to personalize ads, content, and marketing campaigns
  • Use personal data to provide users with special access (e.g., form submissions)
  • Collect data from consumers in certain geographical areas (e.g., Europe or California)

Organizations that don’t use a consent and preference management platform (CMP) are also at higher risk of losing consumer trust, which can significantly impact business revenue.

Essential Features of a Consent and Preference Management Platform

An effective consent and preference management platform simplifies the collection and governance of consumer requests. It should facilitate the process of informing consumers about the type(s) of data being collected and the intended use. It should also allow consumers to easily grant or deny the organization permission to collect their information and enable consumers to modify their preferences including cookies and other tracking technologies.

The best consent and preference management platforms allow organizations to:

  • Simplify the data collection process
  • Customize consent windows
  • Collect consents and permit consent and preference adjustments
  • Store a record of collected data

Simplify the data collection process

CMPs streamline privacy operations by providing brands and consumers with an easy-to-use interface for communicating consents and preferences. A consent and preference management platform also allows companies to stay compliant as global privacy legislation continues to evolve. Organizations can continue to collect data while putting the onus of compliance on the CMP and the privacy experts specialized in each regulation.

Customize consent windows

Consumers can access websites from anywhere in the world and depending on their location, the data privacy requirements might be different. Many data privacy laws and requirements have the same foundation, but there are still many differences between them. For this reason, it’s important that a CMP supports the creation of customized consent and preference portals and privacy experiences. A customized consent window provides the user with a relevant and simplified consent and preference experience.

Collect consents and permit consent and preference adjustments

Allowing consumers to provide their consent by opting in or out enables your organization to achieve data privacy compliance. Additionally, users are given increased control with the ability to request, edit, and revoke any consent or data containing personal information which your company has stored. This gives consumers (and prospects) an improved attitude towards your brand, and helps to build trust.

Store a record of collected data

Organizations must identify and record details regarding their data collection practices. This means you must be able to show, among other requirements, what data you are collecting, the reason for collecting it, and the source of that data. CMPs help to keep a record of this information, such as names of consumers, email addresses, the dates and times when consent was received or revoked, and what exactly the consumer has consented to. This provides a clear indication of whether consent was given, and of the legal basis for data collection, at any point in history.

WireWheel’s Essential Consent Management Platform

As the demand to give consumers more control over their data grows, so does the need for a solution that makes managing consent and preferences easier for both consumers and companies. WireWheel’s consent management platform can help your company comply with consumers’ requests and privacy regulations today and into the future.


Benefits of a Consent & Preference Management Platform (CMP)

Consent and preference management are vital in the data privacy field as they allow companies to acquire data fairly and transparently, while also giving consumers better control of their personal information.

Consent management is the process of requesting and obtaining consumers’ permission to collect, process, and store their data.

Preference management is the process that enables consumers to voluntarily give their information and customize the method and frequency of brand communications they want to receive, whether they be emails, website pop-ups, or other experiences.

Why Consent and Preference Management are Important for Organizations and Businesses

Effective customer service has always been the focus of successful companies. Consent and preference management not only allow companies to comply with privacy regulations, but also create the necessary framework to deliver consumer-centric experiences that increase brand trust, marketing opportunities, and revenue.

Consumers are more protective of their information today. They want to be confident that the company they give their data to will use it with the best intentions. They also want to dictate what data can be collected. Giving consumers control is one more step towards enhancing customer service.

While the inherent risks of privacy program management are ever increasing, teams must find the right path when navigating through the regulations and user expectations of data privacy. Fortunately, the benefits can be mutual for both organizations and consumers.

Challenges of Consent and Preference Management

The pressures from regulations, consumers, and business interests can make it difficult for companies to effectively and efficiently collect and use data. To successfully navigate the data privacy landscape, a company must adhere to legal and ethical obligations, while also balancing what is best for their business and their customers.

All of the pressures are sometimes at odds with one another. Regulations and consumer demand might run counter to a company’s desire for comprehensive customer data so they can optimize marketing to grow their brand’s visibility and revenue.

Compounding the stress of this new world are new and changing regulations. Although policies may be in flux, compliance must remain constant. Staying up-to-date requires vigilance and the ability to adapt to new standards.

There are a number of reasons that organizations might struggle with consent and preference management. Common obstacles include:

  • Data Privacy Knowledge – Before you can build a solution, you need to fully understand the problem to address it. Not many people are data privacy experts. It’s relatively new, and the landscape is expected to fluctuate even more as new legislation is introduced/passed.
  • Technical Expertise – It’s important to have team members that are also technically savvy. Without this, it is very difficult to identify and track what types of data are being stored or processed. Building a technical solution for consent and preference management also requires an investment in designing, building, testing, and launching a solution that meets applicable privacy law requirements.
  • Data Silos – When consumers opt in or out of marketing communications, they expect organizations to honor those wishes. A large conglomerate with multiple teams can easily overlook consumer preferences if it lacks an integrated system that governs all of its communications according to those preferences.

Benefits of a Consent and Preference Management Platform

Consent and preference management presents several challenges, all of which can be handled effectively with technology that accelerates compliance and advances privacy programs. Here are some benefits that come with leveraging a consent and preference management platform:

Assured Privacy Compliance

One of the primary benefits of using a consent and preference management platform is that it supports your organization with achieving privacy compliance. This is a primary driver for many teams because it helps to avoid fines from noncompliance, as well as preventing PR disasters that could ruin a company’s reputation.

Augmenting Your Team of Experts

Not many people are privacy professionals or savvy enough to manage and track changes in data privacy laws and regulations. Privacy is a global issue that needs to be addressed from a holistic perspective. There is no need for organizations to reinvent the wheel when there are existing consent and preference management solutions that were built by privacy experts, and a designated engineering team.

Revenue & Sales

An added trickle-down benefit of consent and preference management is more revenue. When consumers trust a brand, it improves how the brand is perceived by the public. While it’s much harder to become a paragon for data privacy activism, becoming just the opposite is too easy. It takes just one data privacy incident to give the impression of untrustworthiness. This can have a large, lasting impact on companies, such as lost sales and budget cuts to fund marketing campaigns to offset any public mistrust.

Market & User Insights

Companies can also leverage user preferences to perform market and user research. All of this user data collection began in hopes of uncovering insights that would boost revenue in the first place. Why should preferences be treated any differently? Companies could potentially use this data to uncover more patterns in user preferences and behaviors without the need for overstepping boundaries. This could be something as simple as gauging consumer preferences around which methods of communication, what types of information, and how often consumers are being served. Companies are using these consent and preference insights to gain an edge over competitors who are slow to embrace the shifting data privacy movement.

Taking into account all of these insights informs teams to build better, sound strategies that improve consumer engagement.

Overcome Consent and Preference Management Challenges

As the demand for data privacy compliance grows, organizations must answer the challenges preventing their teams from effectively managing consents and preferences. Leveraging a consent and preference management platform provides teams with another option to accelerate privacy compliance, lower risk, and build better customer relationships that support sales.


Privacy Law Update: May 31, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Trends in Data Privacy Regulation: Dark Patterns

Have you tried to unsubscribe from a recurring service and given up? Have you opted to “accept all” cookies on a website to access the content without an annoying banner covering half of the page? Nearly all web users have encountered some form of what is commonly known in the data privacy community as a “dark pattern”: an interface designed to nudge user behavior toward choices he or she might not normally make if the options were presented differently. Although businesses and their web or app designers may feel tempted to explore employing these methods, the increased regulatory focus on dark patterns makes it more important than ever to consider the avoidance of dark patterns as a legal obligation, not just a best practice.

Twitter Agrees with DOJ and FTC to Pay $150 Million Civil Penalty and to Implement Comprehensive Compliance Program to Resolve Alleged Data Privacy Violations

The Department of Justice, together with the Federal Trade Commission (FTC), announced a settlement that, if approved by a federal court, will require Twitter Inc. to pay $150 million in civil penalties and implement robust compliance measures to protect users’ data privacy. The settlement will resolve allegations that Twitter violated the FTC Act and an administrative order issued by the FTC in March 2011 by misrepresenting how it would make use of users’ nonpublic contact information.

European Commission Publishes Q&A on SCCs for Data Transfers

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”

EU MEPs Visit US to Discuss Trans-Atlantic Data Privacy Framework; NOYB Issues Open Letter

A delegation of several members of the European Parliament’s Civil Liberties Committee will visit Washington, D.C., May 23 to 26. Led by Chairman Juan Fernando Lopez Aguilar, the delegation plans to discuss possibilities for the new EU-U.S. Trans-Atlantic Data Privacy Framework.

Google Offers Updates on Privacy Sandbox for Android

Google released updates on its Privacy Sandbox for Android, which is on track for a beta release by the end of 2022. The lead third-party cookie alternative being trialed in the sandbox, “Topics,” was made available for a developer trial in April. Google will preview the “First Locally-Executed Decision over Groups Experiment” and “Attribution Reporting” concepts in May or June. On the beta release, Google said, “key components” of the sandbox “will be distributed as mainline modules” to Android devices in order to allow for improvements “in a seamless way.”

Privacy Legislation

California: The California Privacy Protection Agency (CPPA) held a board meeting on Thursday, May 26. The ‘New Rules Subcommittee’ (board members Le and de la Torre) announced that it is planning to release an initial rulemaking package covering (1) the Agency’s audit authority and (2) administrative enforcement processes. The Subcommittee will continue to work on a separate rulemaking package covering (1) cybersecurity audits, (2) privacy risk assessments, and (3) automated decision-making. Furthermore, Maureen Mahoney, formerly of Consumer Reports, was announced as the CPPA’s new Director of Policy. Separately, video from the CPPA’s May 4-6 public stakeholder sessions is now available online here.

We continue to track various privacy-related bills in California. Today is the last day for bills to move out of their chamber of origin. Two significant bills sponsored by Reps Wicks (D) and Cunningham (R) have advanced:

  • AB 2273 would establish an ‘Age-Appropriate Design Code’ requiring online products and services likely to be accessed by children (under 18 years old) to implement various default limits on data collection & use, profiling, etc. On May 26 the bill passed the State Assembly by a 66-0 vote.

  • AB 2408, the ‘Social Media Platform Duty to Children Act’, would prohibit social media platforms from ‘addicting’ child users and authorize private lawsuits with civil penalties up to $25,000 per violation ($250,000 per knowing violation). On May 23 the bill passed the State Assembly by a 51-0 vote. Senate amendments are reportedly possible.

Numerous privacy bills are set to fail to pass their chamber of origin, including SB 1189 (biometric data), AB 1651 (workplace privacy), AB 2871, AB 2891 and SB 1454 (extending the CPRA employee data carve-outs), SB 1059 (data brokers), and AB 2486 (establishing a CPPA office for the protection of children).

Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) introduced by Rep. Daryl Deshotel (R) received its second hearing in the House and Governmental Affairs Committee on May 17, advancing on a 9-2 vote. While scheduled for floor time in the House multiple times over the past week, the bill has been deferred to Tuesday May 31 for a potential chamber vote.

While the bill initially closely followed the Utah Consumer Privacy Act, Deshotel has amended it to add correction rights, expand deletion rights, create risk assessment requirements, remove all carve-outs for pseudonymous data, and expand responsibilities for biometric data. Louisiana’s legislative session adjourns on June 6.

Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mecuri (R) with 23 Republican and 7 Democratic cosponsors, received an informational hearing in the House Consumer Affairs Committee on Wednesday, May 25. No action was taken and no formal announcement of next steps was made, but the Chair appeared interested in remaining engaged on the bill and considering additional exemptions. This is a fairly unique privacy bill: it contains elements of both the CCPA and CPA, lacks a definition of “sensitive data,” and would require recognition of opt-out signals. The Pennsylvania legislative session adjourns on November 30.

Future-proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.


What Are Consent and Preference Management?

Consent management and preference management are closely aligned with each other. However, they are not the same. The terms are not interchangeable, although the solutions that provide both are typically all-in-one platforms.

Consent and preference management are vital elements for promoting effective data privacy strategies that benefit both businesses and their customers.

What is consent management?

Consent management is a system that enables consumers to give or withdraw consent for the personal data they are willing to share with a company. Consent management helps ensure compliance by informing consumers about a company’s data collection and usage practices and honoring those choices.

What is preference management?

Preference management is a system for allowing consumers to choose how companies communicate with them. Preference management keeps consumers in control of the methods and frequency of communications while keeping companies compliant with regulations. Preference management can also include preferences about content. For instance, consumers can notify companies of their preferences on how often and where to receive communications, including newsletters, updates about new products and services, and marketing emails.

What are the key differences between consent management and preference management?

Consent management enables consumers to opt-in or out of communications. Preference management lets consumers pick how often companies contact them, the specific content, and the methods of contact.

What impacts do consent management and preference management have on a business?

Consent and preference management can keep companies compliant with current and emerging data privacy regulations, reducing the chances of being fined.

Companies that practice consent and preference management can create brand trust and credibility by letting their customers have a say in if, how, and when their personal data can be used. Companies can also improve their marketing efforts when customers request particular information about products and services.

What are the requirements around consent management?

Consent management should address:

  • what data is being collected;
  • how it is being used;
  • who is collecting it; and
  • when the data expires.

This information must be easily provided to consumers. The ability to deny permission to collect information must also be offered. Companies must also prove that their customers have consented.
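To make the four requirements above and the proof-of-consent obligation concrete, here is an added example of a minimal consent ledger (it is not WireWheel’s code). Every record carries what is collected, how it is used, who collects it and when it expires; withdrawal stamps the record rather than deleting it, so the company can still prove consent was held when earlier processing took place. All names and dates are constructed.

```python
"""Added example, not WireWheel's code: a minimal consent ledger. It records
what is collected, how it is used, who collects it and when consent expires,
honours withdrawal at any time, and can produce the record that proves consent
was held at a given moment. All names and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class ConsentRecord:
    subject_id: str            # pseudonymous id of the consumer
    controller: str            # who is collecting the data
    data_category: str         # what data is being collected
    purpose: str               # how it is being used
    granted_at: datetime
    expires_at: datetime       # when the consent expires
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        """Valid from grant until the earlier of expiry and withdrawal."""
        if at < self.granted_at or at >= self.expires_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at

@dataclass
class ConsentLedger:
    # Append-only: withdrawal stamps the row rather than deleting it, so the
    # ledger still proves that consent existed for processing done earlier.
    records: List[ConsentRecord] = field(default_factory=list)

    def grant(self, subject_id, controller, category, purpose, now, ttl_days=365):
        rec = ConsentRecord(subject_id, controller, category, purpose,
                            now, now + timedelta(days=ttl_days))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now) -> int:
        # Withdraw every active consent of the subject for that purpose.
        hits = [r for r in self.records if r.subject_id == subject_id
                and r.purpose == purpose and r.active(now)]
        for r in hits:
            r.withdrawn_at = now
        return len(hits)

    def evidence(self, subject_id, purpose, at) -> Optional[ConsentRecord]:
        """The record proving consent was held at `at`, or None (do not process)."""
        return next((r for r in self.records if r.subject_id == subject_id
                     and r.purpose == purpose and r.active(at)), None)

def demo():
    """Constructed scenario: 30-day newsletter consent, withdrawn on day 10."""
    t0 = datetime(2022, 6, 1, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.grant("u1", "ExampleCo", "email address", "newsletter", t0, ttl_days=30)
    day = lambda n: t0 + timedelta(days=n)
    return (
        led.evidence("u1", "newsletter", day(5)) is not None,   # True: consent held
        led.evidence("u1", "marketing", day(5)) is not None,    # False: never granted
        led.withdraw("u1", "newsletter", day(10)),              # 1 record withdrawn
        led.evidence("u1", "newsletter", day(11)) is not None,  # False: withdrawn
        led.evidence("u1", "newsletter", day(5)) is not None,   # True: still provable
    )
```

The point of `evidence()` is that processing without a returned record is the failure case; the same call answers an auditor asking whether consent existed on a given date.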

What do privacy laws and regulations say about consent and preference management?

The EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are the cornerstones of data privacy guidelines. Companies must denote and record where and when consent is required. They must identify who they are, what type of data they wish to acquire, and why they want the data. They must also grant consumers the right to withdraw consent at any time and provide the methods to do so.

In addition to the principles set forth by the GDPR, the CCPA empowers consumers to prevent companies from selling their data to a third party.

What industries are affected by consent and preference management?

Any industry that wants to collect consumer data must employ consent and preference management strategies.

For example, publishers, who make their money by selling advertising, must fully disclose how they collect personal information and how it will be used, while giving readers the option to opt out.

Another example concerns retail businesses. Companies might provide their customers with product updates. To facilitate this, companies can collect search and purchase histories, information that their customers might not want to be disclosed.

How is consent and preference management being enforced right now?

The GDPR primarily affects the European Union, although it influences privacy laws around the world. Member States appoint a Data Protection Authority that oversees enforcement. Since its inception, the GDPR has seen a rise in effective privacy practices. The overall sum of fines is just over 1.6 billion euros.

CCPA enforcement falls to the California Office of the Attorney General. If this trend holds for the United States, then each state will be responsible for enforcement as they enact regulations. Since it came into effect, compliance has increased.

What types of trends are there in consent and preference management?

Accuracy and efficiency drive data privacy demands. The biggest trend in consent and preference management is the use of automated platforms to help guarantee compliance. A consent and preference management platform like the one WireWheel offers lets companies comply with global privacy laws by allowing their website visitors to control their cookie preferences. Since many companies serve a worldwide community, they must maintain compliance with every regulation where they do business; otherwise they can face fines and other disciplinary actions. Consent and preference management platforms can make this task easier to complete, saving companies from punishment.

What trends are there regarding user expectations around consent and preference management?

A recent survey found that 71% of consumers want to manage their data. Nearly the same percentage would share their information if they maintained control over it. The vast majority demand the right to delete their data whenever they want.

These statistics show that the most powerful trend among users is their desire to control their data how and when they see fit. Their information belongs to them and they want to exercise their rights to govern what happens to it.

What solutions exist right now for consent management?

An automated consent and preference management platform can increase transparency, a critical component that consumers seek. Compliance can be accurately maintained, limiting the gaps within many data privacy management systems, especially those operated by understaffed companies and undertrained professionals. Mistakes can create opportunities for breaches and lawsuits. As more states and countries add regulations to protect data, a consent management platform can keep companies up to date and scale more easily than a piecemeal system.

What solutions currently exist for preference management?

An automated platform to aid in preference management is probably the most significant solution businesses can use to ensure compliance and prove to consumers that they respect their privacy decisions.

Companies can use a preference management platform to collect preferences with newsletter and email sign-up forms, website pop-ups, and subscription enrollment windows. It is also possible to use the information consumers give them to deliver the personalized content those consumers ask for. This alone can drive customer loyalty.

A platform to manage preferences can also provide you with insights around what products and services consumers are most interested in. This can aid marketing efforts in finding the best direction for a brand. Companies can be more confident about how they do business.


Consent and preference management are no longer optional aspects of today’s business world. Laws and regulations like GDPR and CCPA have made their implementation mandatory, and even more states and countries continue to implement their own. Solutions can help companies overcome their data privacy programs’ shortcomings. They ease the burden of compliance, foster consumer trust, and provide better customer service.


Innovating DSAR Fulfillment: A conversation with Microsoft

Many of the rights enumerated in the GDPR first came to the U.S. with the passage of California’s CCPA (January 2018), and the right to access data was among them. The Data Subject Access Request (abbreviated DSAR, SAR, or DSR) is how consumers exercise that right.

And while 29 states have introduced nearly 60 bills – many of which have failed, others still in committee – California to date has been joined by Utah (March 2022), Virginia (March 2021), Colorado (June 2021), and most recently Connecticut (April 2022). All have the right of access.

“But while they all have a lot in common – they’re all steeped in GDPR principles – there are many things that make them unique,” reminds WireWheel’s CPO Buck, and this of course adds to the compliance challenges: responding to DSARs, and in particular the challenge of unstructured data, has proven to be a resource-intensive and costly one.

Joining WireWheel CPO Rick Buck to discuss the operational challenges in responding to DSAR requests are Hammad Rajjoub, Director of Product Marketing, Microsoft Purview and Priva Ecosystem, and Sheridan Clemens, WireWheel’s Senior Engagement Manager, who provides a live demo of the WireWheel–Microsoft integrated solution.

The Challenge of Unstructured Data when Responding to DSARs

When data lives in [structured] environments it’s very easy to query and then go back and honor the subject requests. Where it gets complicated is in unstructured data.

—Rick Buck, WireWheel


Simply knowing what options to present to people when they come to you to exercise their rights is perhaps the first challenge in DSAR fulfillment. It can be managed at the state level, or at the national level as an all-encompassing response that would likely be based on the most restrictive jurisdiction in which the organization operates.

But a key challenge is that data lives in a number of places. It resides in structured data environments as predefined, fixed formats which are easy to create rules around, control, and query. Even here though, understanding where all your data resides requires some leg work (think data mapping and asset inventory).

That said, where it gets really complicated is in unstructured data: data that lives in places that are not predefined or in specific formats, such as MS Word, PPT, PDF, spreadsheets, email, text, and chat.

These are neither easy to query nor to analyze. They don’t necessarily have manageable controls around how that data could be used, or where it goes. Importantly, unstructured data makes up about 80% of an organization’s data. And when producing this data (which can often contain references to other data subjects) it must be redacted, which further complicates DSAR fulfillment.

DSAR Fulfillment With WireWheel

And now in California, when the CPRA comes into effect in January 2022, DSAR rights are currently slated to be expanded to include employees. This gets a lot more complicated, especially in that it is highly likely that employee data not associated with the subject of the DSAR will become exposed as part of that query. Furthermore, emails and documents regarding an employee often contain information – such as commentary – that is out of the scope of the request. This information too must be redacted.

So, the challenge becomes: 

  1. Finding the relevant data (structured and unstructured)
  2. Removing (or redacting) the data that is irrelevant to the DSAR
  3. Producing that data in a safe and secure way
  4. Reporting in a readable format for the requestor (consumer or employee); and vitally
  5. Enabling the backend systems to honor any of the downstream implications (e.g., correct or delete).

In short, “it is a full lifecycle event” – whether tackled manually or through automation – notes Buck. And it is a WireWheel core competency.
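As an added illustration of the five steps above run over unstructured content (this is not WireWheel’s or Microsoft’s code), the following locates the records that mention a verified requester, redacts the other data subjects those records reference, returns the production together with the source systems that must later honor correction or deletion, and renders a readable report. The documents, the people and the directory of known subjects are all constructed.

```python
"""Added example, not WireWheel's or Microsoft's code: the five DSAR steps run
over constructed unstructured records (email and chat snippets). It finds the
records that mention the requester, redacts other data subjects, returns the
production plus the systems that must honour follow-up actions, and renders a
readable report. All people, addresses and messages are constructed."""
import re

# Constructed "unstructured" content: (source system, text).
DOCUMENTS = [
    ("mail", "From: alice@example.test\nHi Bob, can you send Carol the Q2 numbers?"),
    ("chat", "bob@example.test: Alice said the vendor contract is signed."),
    ("mail", "From: carol@example.test\nBob is out until Friday; ask Dave."),
    ("chat", "dave@example.test: lunch at noon?"),
]
# Constructed directory of known data subjects: name -> email.
DIRECTORY = {"Alice": "alice@example.test", "Bob": "bob@example.test",
             "Carol": "carol@example.test", "Dave": "dave@example.test"}


def find_relevant(docs, requester_email):
    """Step 1: keep the records that mention the requester by name or address."""
    name = next(n for n, e in DIRECTORY.items() if e == requester_email)
    pat = re.compile(rf"\b{re.escape(name)}\b|{re.escape(requester_email)}", re.I)
    return [(src, text) for src, text in docs if pat.search(text)]


def redact_others(text, requester_email):
    """Step 2: mask every other known data subject's name and address."""
    for name, email in DIRECTORY.items():
        if email == requester_email:
            continue   # the requester's own data is what must be produced
        text = re.sub(re.escape(email), "[REDACTED]", text, flags=re.I)
        text = re.sub(rf"\b{re.escape(name)}\b", "[REDACTED]", text)
    return text


def fulfil(docs, requester_email):
    """Steps 1, 2, 3 and 5: the redacted production and the source systems
    that must later honour correction or deletion for the same subject."""
    hits = find_relevant(docs, requester_email)
    production = [(src, redact_others(text, requester_email)) for src, text in hits]
    systems = sorted({src for src, _ in hits})
    return production, systems


def report(production):
    """Step 4: a readable rendering for the requester."""
    return "\n\n".join(f"[{src}]\n{text}" for src, text in production)
```

Matching against a fixed directory is the easy case; real unstructured data contains people the directory has never seen, which is exactly why the text above calls it the hard part.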


Meeting the Challenge of Unstructured Data in DSAR Fulfillment

Privacy regulation applies to the entire data life cycle. From data collection to data storage to access to transfer through retention and diligence. It is a complex lifecycle and privacy applies to each and every one of those stages.

—Hammad Rajjoub



Rajjoub relates that research from ISACA’s “Privacy in Practice” (2021) shows that:

  • 10% of organizations have no privacy training;
  • only 80% update their data map and flow regularly, with 32% of those organizations doing so manually with email, spreadsheets, and in-person communication; and, interestingly,
  • 97% haven’t fully automated DSAR management.

When working with their own customers (Priva is Microsoft’s privacy solution for unstructured data), Microsoft has identified these as key areas of opportunity, particularly the need for scalability.

“And if you add attributes of confidentiality and identifying if the data is part of legal hold, the equation becomes that much more complex,” says Rajjoub. “We also learned from our customers [that they] find it very, very difficult to gain visibility into the personal data, especially for the unstructured data environments…this process is very complicated.”

Not having [DSAR fulfillment] automated at scale, organizations are spending a ton of money, time and resources…to respond to requests and that’s creating a lot of friction and challenges for our customers. And this is where the Microsoft perspective comes in.

—Hammad Rajjoub


The cost is significant:

  • $1,702.28 average cost per DSAR
  • 135.61 DSARs per month
  • $230,000+ per month on DSAR fulfillment on average

To meet these challenges, the WireWheel–Microsoft integration is focused on enabling organizations to automate the discovery of personal information and take immediate and necessary actions. Importantly, it also provides needed visibility into associated risks arising from such things as data hoarding and cross-border data transfers.

The goal is that when a DSAR is received, the relevant data within the Microsoft 365 environment (all that unstructured data) is automatically collected.

Most importantly, we want to meet our customers where they are in their privacy journey….That’s why we have built our privacy subject right request APIs that enable Microsoft’s solution to integrate with our customers’ existing infrastructure.

—Hammad Rajjoub



“Our Microsoft Priva integration with WireWheel is important because now,” concludes Rajjoub, “our joint customers can respond to subject access requests in a unified manner across the entire digital estate, covering both structured and unstructured data. [This] provides a ton of value: an automated, unified, and customizable complete lifecycle DSAR response – at scale – from request verification to production of structured and unstructured data including redactions.”

During the session, WireWheel’s Senior Engagement Manager, Sheridan Clemens, provides a brief demo of the integrated solution in which he takes the audience from the consumer or employee’s request, initiated in WireWheel’s Trust Center, through the integrated workflow management.

To request a demo or proof of concept, please contact WireWheel.

DSAR Fulfillment With WireWheel and Microsoft Priva