Key Takeaways from “Making Privacy Consent Easier for Customers”:

  • The implementation of GDPR, CCPA, and other global privacy regulations has given rise to the consent banner.
  • The rise of the consent banner has resulted in “consent fatigue.”
  • Companies need to embrace the understanding that the consent request experience is a pivotal part of the customer experience. 
  • CDPs allow companies to streamline the consent experience across channels and cut out duplicate requests or missed preferences.
  • The Global Privacy Control (GPC) specification aims to reduce consent fatigue and provide customers with more privacy control.

Privacy consent has taken over our websites and mobile apps, but not necessarily in the way the institutions responsible for our global privacy regulations had in mind. “We use cookies. Accept? Cancel?” Or other times, there is a long-winded legalese explanation that goes over the average customer’s head. Occasionally, a company has invested time, thought, and resources into creating a meaningful – nay, useful – customer experience out of the consent request.

The implementation of GDPR, CCPA, and other global privacy regulations aimed at protecting the rights and privacy of customer data has given rise to the consent banner. The consent banner’s purpose is to allow the website or mobile app owner to:

  • tell the visitor what information is being collected
  • explain how that information is intended to be used 
  • provide the visitor with the option to control what, if any, personal information the website owner can collect and use.

But the rise of the consent banner has resulted in “consent fatigue.” Privacy consent requests are so pervasive, but with little strategy or consistency, that customers are growing weary, playing “whack-a-mole” with constant requests for the permission to use their data. These requests offer little support in empowering customers to customize their permissions to their actual preferences. Companies often fail to recognize that the consent experience is part of the total customer experience. And worse yet, companies also fail to remember those defined customer preferences, resulting in repeated privacy consent requests.

A little one step forward, two steps back. 

But progress is progress, and there’s more on the horizon as companies and countries around the world seek to tackle privacy consent fatigue.

The Privacy Consent Experience 

The first thing all companies around the world need to embrace is the understanding that the consent request experience is a pivotal part of the customer experience. It happens at the beginning of customer engagement and can set the tone for the entire customer relationship.

In order to optimize the consent experience, companies should take these steps:

  1. Strategize a meaningful consent request – Don’t simply take the easy route, and don’t overcomplicate it either. Put yourself in your customer’s shoes and consider what kind of consent experience you (as you are a customer yourself) would prefer.
  2. Use a Customer Data Platform to centralize customer data – Having a unified customer profile will allow you to streamline the consent experience across channels and cut out duplicate requests or missed preferences.
  3. Work with your tech, data, and marketing teams to bring the consent experience to life – Consent is a cross-departmental effort. Use a CDP to break down data silos and work together to align strategy, technology, and regulatory requirements into an optimal consent experience.
  4. Remember the consent experience is an ongoing effort – There are two sides to the consent experience coin. On one side, you need to make sure the process is streamlined, understandable, empowering and non-intrusive. On the other, you need to make it possible for customers to update their own consent preferences that may shift over time. Don’t overwhelm your customers with consent requests, and don’t bury them either.

The Global Privacy Control Specification

Reducing consent fatigue and providing customers with more privacy control is the aim of the Global Privacy Control (GPC) specification. Tealium’s Product Manager for Data Privacy, Caleb Jaquith, describes GPC like this:

“Global Privacy Control (GPC) is a proposed browser standard, designed to give users a cross-domain way to indicate that they do not consent to the sale of their data. That device-level opt-out means the user is spared all the individual opt-outs on each site.

In many ways, it’s conceptually similar to the ‘Do Not Track’ option already offered by many browsers, which has historically been nearly completely ignored by website owners. A key difference, however, is it’s been made clear by the California Attorney General that sites are required to enforce it, which may mean that it can succeed where Do Not Track failed.

Support is limited so far, but it’s growing. Firefox added support behind a feature flag recently, and there are a number of plugins and extensions that can add the GPC signal to browsers without native support. Because the signal is a simple boolean, the most relevant and accepted application today is CCPA and similar regulations, though they hope to develop a similar standard for GDPR as well in the future.”

Caleb Jaquith, Tealium’s Product Manager for Data Privacy

GPC is intended to be good for website visitors: a convenient “set it and forget it” approach to protecting privacy rights. But if you think respecting GPC signals is just a “nice to have” feature on your website, think again. The Attorney General of California, Rob Bonta, says that GPC signals must be honored.

JDSupra offers this recommendation on GPC in a recent blog post:

“Ensure GPC signals are honored. While there remains some question as to the enforceability of the requirement to honor GPC signals, unless a company is prepared to litigate the issue, companies should ensure their websites are capable of receiving and honoring such global privacy control signals. As the Attorney General previously explained in implementing regulations, global privacy controls, such as browser plug-ins or privacy settings, device settings, or other mechanisms that communicate a consumer’s choice to opt-out of the sale of their personal information, should be treated as a valid opt-out request under the CCPA. Businesses should review their websites’ capabilities to ensure they can recognize and honor global privacy controls by opting consumers out of the sale of their personal information accordingly.”

From “Lessons Learned from the First CCPA Enforcement Action” by Procopio, Cory, Hargreaves & Savitch LLP

So, let’s all agree that consent is important, honoring consumers’ data preferences is the right thing to do, and it’s the law. With hundreds of privacy banners presented in an online session, GPC is a hugely convenient tool for the customer. But what happens when the customer uses different devices to access the web? How does the business honor consent preferences across multiple devices? That’s where the most trusted CDP in the world comes into play. Having a CDP that provides good data governance across the customer journey will help ensure privacy preferences are honored across all devices and that the consent request is a valuable experience in and of itself.
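One way a site can receive the GPC signal on the server and carry the opt-out to a customer's other devices, shown as an added example (not Tealium's code or API). The `Sec-GPC: 1` request header comes from the GPC specification; the in-memory profile store, the function names and the choice to persist the opt-out on the unified profile are assumptions made for illustration.

```javascript
// Added example. The profile store and all function names are hypothetical.
// Stand-in for a unified customer profile store: profileId -> { saleOptOut, source }.
const profiles = new Map();

// The GPC specification defines the request header `Sec-GPC`; "1" is its only
// defined value. Anything else, or no header, means "no signal sent".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === "1");
  }
  return false;
}

// Decide whether this request's data may be sold or shared.
// profileId is null for a visitor who has not been identified.
function resolveSaleConsent(profileId, headers) {
  const gpc = hasGpcSignal(headers);
  if (profileId === null) {
    // Unidentified visitor: honor the signal for this request only.
    return { saleAllowed: !gpc, reason: gpc ? "gpc-signal" : "no-opt-out" };
  }
  const profile = profiles.get(profileId) || { saleOptOut: false, source: null };
  if (gpc && !profile.saleOptOut) {
    // Assumed policy: persist the opt-out so other devices inherit it.
    profile.saleOptOut = true;
    profile.source = "gpc";
  }
  profiles.set(profileId, profile);
  if (gpc) return { saleAllowed: false, reason: "gpc-signal" };
  // A missing header is not consent: it never clears a stored opt-out.
  if (profile.saleOptOut) return { saleAllowed: false, reason: "stored-opt-out" };
  return { saleAllowed: true, reason: "no-opt-out" };
}

// Constructed requests: the same customer on a laptop with GPC enabled,
// then on a phone whose browser sends no GPC header, then an anonymous visit.
function demo() {
  return [
    resolveSaleConsent("cust-42", { "User-Agent": "laptop", "Sec-GPC": "1" }),
    resolveSaleConsent("cust-42", { "User-Agent": "phone" }),
    resolveSaleConsent(null, { "sec-gpc": "0" }),
  ].map((d) => d.reason);
}
console.log(demo());
```

In the browser, the same signal is exposed to scripts as `navigator.globalPrivacyControl`, which a consent banner can check before prompting.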

For more information on how Tealium can support your privacy consent and CX needs, schedule a free demo today.

Post Author

DJ Landreneau
DJ Landreneau is the Director of Data Privacy Strategy, Policy and Compliance at Tealium.
