Data Governance & Privacy
June 26, 2024
Privacy consent has taken over our websites and mobile apps, but not necessarily in the way the institutions responsible for our global privacy regulations had in mind. “We use cookies. Accept? Cancel?” Or other times, there is a long-winded legalese explanation that goes over the average customer’s head. Occasionally, a company has invested time, thought, and resources into creating a meaningful – nay, useful – customer experience out of the consent request.
The implementation of GDPR, CCPA, and other global privacy regulations aimed at protecting the rights and privacy of customer data has given rise to the consent banner. The consent banner’s purpose is to allow the website or mobile app owner to:
But the rise of the consent banner has resulted in “consent fatigue.” Privacy consent requests are so pervasive, but with little strategy or consistency, that customers are growing weary, playing “whack-a-mole” with constant requests for the permission to use their data. These requests offer little support in empowering customers to customize their permissions to their actual preferences. Companies often fail to recognize that the consent experience is part of the total customer experience. And worse yet, companies also fail to remember those defined customer preferences, resulting in repeated privacy consent requests.
A little one step forward, two steps back.
But progress is progress, and there’s more on the horizon as companies and countries around the world seek to tackle privacy consent fatigue.
The first thing all companies around the world need to embrace is the understanding that the consent request experience is a pivotal part of the customer experience. It happens at the beginning of customer engagement and can set the tone for the entire customer relationship.
Reducing consent fatigue and providing customers with more privacy control is the aim of the Global Privacy Control (GPC) specification. Tealium’s Product Manager for Data Privacy, Caleb Jaquith, describes GPC like this:
“Global Privacy Control (GPC) is a proposed browser standard, designed to give users a cross-domain way to indicate that they do not consent to the sale of their data. That device-level opt-out means the user is spared all the individual opt-outs on each site.
In many ways, it’s conceptually similar to the ‘Do Not Track’ option already offered by many browsers, which has historically been nearly completely ignored by website owners. A key difference, however, is it’s been made clear by the California Attorney General that sites are required to enforce it, which may mean that it can succeed where Do Not Track failed.
Support is limited so far, but it’s growing. Firefox added support behind a feature flag recently, and there are a number of plugins and extensions that can add the GPC signal to browsers without native support. Because the signal is a simple boolean, the most relevant and accepted application today is CCPA and similar regulations, though they hope to develop a similar standard for GDPR as well in the future.”
Caleb Jaquith, Tealium’s Product Manager for Data Privacy
GPC is intended to be good for the website visitors, a convenient way to “set it and forget it” approach to protecting privacy rights. But if you think respecting GPC signals is just a “nice to have” feature on your website, think again. The Attorney General of California, Rob Bonta, says that GPC signals must be honored.
JDSupra has this recommendation on GPC from a recent blog posting.
“Ensure GPC signals are honored. While there remains some question as to the enforceability of the requirement to honor GPC signals, unless a company is prepared to litigate the issue, companies should ensure their websites are capable of receiving and honoring such global privacy control signals. As the Attorney General previously explained in implementing regulations, global privacy controls, such as browser plug-ins or privacy settings, device settings, or other mechanisms that communicate a consumer’s choice to opt-out of the sale of their personal information, should be treated as a valid opt-out request under the CCPA. Businesses should review their websites’ capabilities to ensure they can recognize and honor global privacy controls by opting consumers out of the sale of their personal information accordingly.”
From “Lessons Learned from the First CCPA Enforcement Action” by Procopio, Cory, Hargreaves & Savitch LLP
So, let’s all agree that consent is important, honoring consumers’ data preferences is the right thing to do, and it’s the law. With hundreds of privacy banners presented in an online session, GPC is a hugely convenient tool for the customer. But what happens when the customer uses different devices to access the web? How does the business honor consent preferences across multiple devices? That’s where the most trusted CDP in the world comes into play. Having a CDP that provides good data governance across the customer journey will help ensure privacy preferences are honored across all devices and that the consent request is a valuable experience in and of itself.
For more information on how Tealium can support your privacy consent and CX needs, schedule a free demo today.
