Is your company getting consent management wrong?
Posted: April 28, 2025
It is difficult to get consent right.
Even well-intentioned organizations that are committed to earning customer trust and ensuring compliance with all applicable laws can struggle. There are so many different and shifting sets of requirements, complicated technologies, evolving consumer and regulator expectations, and changing business needs. This means that consent becomes a complex moving target even for privacy-sensitive companies.
That said, there are some common pitfalls around which rigorous privacy offices can establish regular controls and reviews to help prevent – or at least quickly identify and reverse – consent compliance challenges.
Some common problems lie in the front-end experience with the data subject related to explaining and collecting consents through websites and apps. The following is a brief review of some of these pitfalls, with tips on how to catch and fix or prevent them.
The front-end experience: Websites and apps
Zero cookie load
Some jurisdictions require explicit, opt-in consent for some types of cookies. This means that the organization should receive that consent before the user’s browser receives any applicable cookies. Sometimes called “zero cookie load,” a compliant website in an opt-in country will prevent any cookies from loading until the website visitor grants consent. However, due to a variety of technical reasons, including website performance, it is common for websites to load cookies when the webpage loads in the browser – before consent occurs.
The fix: A savvy organization will ask the web technical teams whether cookies load before the user has a chance to consent (or not) through the cookie banner and address any gaps.
Inaccurate cookie categorization
For a cookie consent mechanism to function correctly, a human being must consider each cookie or other tracker – in particular, how the organization is using it – and place it in the right category. That way, the tool can apply “necessary” rules to “necessary” cookies, “functional” or “performance” rules to those cookies, and “advertising” rules to “advertising” cookies. Though many licensed consent mechanism platforms provide some educated suggestions about the nature of a common cookie/tracker, only the company itself knows exactly what that cookie does. Sometimes, that job falls to the digital marketing or website team. Other times, that task falls to the privacy team.
The fix: It takes the expertise of both sides to accurately assign categories, so either the teams need to work together or both teams need to contribute to a shared, well-maintained inventory of cookies and trackers. Joint regular reviews of cookie/tracker assignments are also helpful.
Hidden trackers
To work properly, cookie consent tools must receive information about each relevant cookie/tracker and its category, so that they can apply the right rules to it. However, apps and websites change over time, with website owners adding and removing cookies/trackers frequently. Also, when considering cookie consent, some organizations forget about non-cookie trackers, such as invisible gifs.
The fix: Establish a regular process for scanning applicable websites and apps, searching not only for new cookies to categorize and handle, but also for other types of trackers.
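The three controls above (zero cookie load, accurate categorization, and catching uncategorized trackers) can be enforced in code rather than by policy alone. The following is an added example, not code from the post or from any consent platform; the tracker names, categories and cookie names in the registry are constructed for illustration. It gates trackers on the visitor's consent state and audits which cookies were present before the banner was answered, flagging any cookie that is not in the registry as uncategorized.

```javascript
// Constructed tracker registry: every cookie/tracker the site uses, with the
// category a human assigned to it. Anything not listed here is "hidden".
const TRACKER_REGISTRY = [
  { id: "session",   category: "necessary",   cookies: ["sid"] },
  { id: "analytics", category: "performance", cookies: ["_ga", "_gid"] },
  { id: "adpixel",   category: "advertising", cookies: ["ad_id"] },
  { id: "survey",    category: "functional",  cookies: ["survey_seen"] },
];

// consent === null means the banner has not been answered yet. In an opt-in
// jurisdiction only "necessary" trackers may run in that state (zero cookie
// load); everything else waits for an explicit true for its category.
function allowedTrackers(registry, consent) {
  return registry
    .filter((t) => {
      if (t.category === "necessary") return true;
      if (consent === null) return false;
      return consent[t.category] === true;
    })
    .map((t) => t.id);
}

// Zero-cookie-load audit: given the cookie names observed in the browser
// before consent was given, return every cookie that should not have been
// there. A cookie missing from the registry is reported as "uncategorized",
// which is the "hidden tracker" case the consent tool cannot handle.
function auditPreConsentCookies(registry, observedCookies) {
  const categoryByCookie = new Map();
  for (const t of registry) {
    for (const name of t.cookies) categoryByCookie.set(name, t.category);
  }
  const findings = [];
  for (const name of observedCookies) {
    const category = categoryByCookie.get(name) ?? "uncategorized";
    if (category !== "necessary") findings.push({ cookie: name, category });
  }
  return findings;
}

// In a browser the observed list would come from:
//   document.cookie.split("; ").filter(Boolean).map((c) => c.split("=")[0])
// Here a constructed sample stands in for a page load with no banner answer.
const sampleObserved = ["sid", "_ga", "fbp_x"];
console.log(allowedTrackers(TRACKER_REGISTRY, null));           // ["session"]
console.log(auditPreConsentCookies(TRACKER_REGISTRY, sampleObserved));
```

Running the audit as part of a regular scan, rather than once, is what catches the trackers that get added after the initial categorization.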
Hidden data sharing through SDKs
Software Development Kits, or SDKs, are a collection of tools, libraries, and other resources that companies provide to help developers build and manage apps, websites, Internet of Things (IoT) applications, and games. SDKs can be enormously helpful to developers, but they also represent a security and privacy risk. Specifically, related to consent, SDKs can cause data to flow to a third party without the organization knowing – and since the organization does not know about the data flow, it does not craft the right notice and consent with the end user.
The fix: Educating development teams on the risks of SDKs can go a long way to help those teams evaluate possible privacy and security risks associated with any SDKs they contemplate using. Strong contracts with the SDK provider can also help mitigate risk.
Dark pattern experiences
Even well-intentioned companies can create experiences that regulators define as “dark patterns.” Though each jurisdiction may define “dark patterns” differently, at the most basic level a dark pattern is a design practice that “can trick or manipulate consumers into buying products and services or giving up their privacy.” Enforcement actions make it clear that a dark pattern can be as simple as designing a subtle difference between the affirmative consent experience and the negative one.
The fix: There are many reasons to regularly review all consent experiences end-to-end: consistency of the experience, compliance of the consent itself, complete and compliant notice, and dark patterns. A smart company will establish a regular, cross-functional review of all consent experiences and include a careful discussion of dark patterns as part of that process.
Excessive data collection
If not careful, organizations can collect personal data like a fishing boat collects fish – they throw out a net and bring in whatever they can get. Given that most jurisdictions enforce a “minimum necessary” rule, a wiser solution is to be surgical about which data the company needs.
The fix: With a cross-functional team, craft a data strategy and, from there, a set of internal rules about what data the company collects and how. When collecting data online, collect only the data needed to support the direct activity and company goals, and make clear to the data subject which data fields are required and which are optional (and how the company will use optional fields).
“Forced” consents
Most online consumers have experienced some version of forced consents – those experiences in which they must agree to a data use to receive some basic service, benefit, or information. Though some jurisdictions allow companies to provide incentives for providing personal information, there are more rules around these practices, and some general prohibitions, in the global privacy arena.
The fix: Similar to guarding against dark patterns, a regular consent experience review will bubble up areas in which a consumer must say “yes” in order to proceed, so that a cross-functional team can determine whether that experience is a matter of incentive or a matter of forcing the consumer, and, regardless, whether the experience complies with best practices and laws.
Confusing consent mazes
Often consent experiences evolve over time and as company needs change. Also, diverse groups in the organization may collect and use slightly different slices of provided personal information, and so each may create their own consent experience tailored to their own needs. This can create a confusing, Frankenstein process that the customer must go through just to accomplish a simple purpose.
To take a simple example: an online retailer may collect information it uses to fulfil an order and get consent for using that information and also for marketing, but in order for the user to receive a 10% first-time-order coupon, the user is prompted to provide an email address and give consent for marketing again. This same customer may also have to give consent in advance for receiving a survey, and give consent for cookies when they first entered the website. If the end-to-end experience looks jumbled, has unclear language, or seems to the consumer to do nothing but place obstacles between them and their end goal, the consent process becomes another reason for the customer to leave. Multiple consents may be necessary, but they can also be confusing and frustrating to a consumer who really just wants to order a plant online.
The fix: Like the above, schedule a regular end-to-end review of all consent experiences with an eye to simplicity, clarity, and consistency.