Digital Consent Misunderstood, Must Be Reimagined, Says Hogan Lovells
While consent is a critical component of digital privacy, it's also "one of the most misunderstood," Scott Loughlin, a Hogan Lovells data protection lawyer, said in a video the firm posted Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Yet consent's effectiveness is reduced because most companies don't understand how they're using data. In addition, legal requirements reduce the complex world of ad tech to a single button where users indicate their consent preferences. That said, companies are missing opportunities to gather useful data because of their approach to consent.
Most consent is managed through consent and preference management platforms (CMPs) and is experienced by online users as cookie banners, according to Max Anderson, co-founder and head of product development for Ketch, a consent software vendor, who appeared in the video.
CMPs are a technological mechanism that facilitate an online contract on data use terms between users and a business. They're a tool to accept or reject cookies, do-not-sell (DNS) and opt-outs, Loughlin said. But companies that use CMPs often don't understand what data their websites are collecting, who's collecting it and how it's used.
The "unfortunate fact" is that most companies have no idea what they're doing with data, nor what the best way is to implement all disclosures and choice, Anderson added.
Consent management isn't about cookies consent, Anderson stressed, adding that businesses should embrace the idea that their CMPs aren't limited to setting cookies.
Another issue is that ad tech, which is an extremely complicated ecosystem, is reduced, by law, to a single button for users to indicate their preferences on DNS or data-sharing, Loughlin said.
Similarly, for cookies and option/opt-outs, companies must characterize all tracking technologies on their sites as marketing, analytics, and so on, and compress them into a simple yes or no choice.
User experience is at the center of this issue, said Anderson. Organizations must make consent options user-friendly and not "contractual-sounding." Cookie banners are the "worst possible implementation." Digital experiences should be simple and contextual, but that approach hasn't happened with privacy, he said.
It's a challenge for organizations to envision another way of handling consent, Loughlin said. There's a danger of being innovative in this space, so companies try to stay within the pack.
Asked what a reimagined approach to consent might look like, Anderson said there's one school of thought that in the privacy arena, companies merely have to be compliant. But it's not just about compliance, he said, it's also about data, which is what drives business today.
Organizations should be asking how they can maximize the consent process to enable them to use more raw data to drive business outcomes, Anderson said. The cookie banner implementation pattern is "impossibly detrimental" to the use of data for business results.
Anderson advises clients to ask contextual questions around data use, which can clearly highlight the value exchange. Ask for permission at the moment when it's relevant, he stressed.
Asked how companies can best understand how to use CMP technology responsibly, Anderson said, "Trust but verify." It's easy to misconfigure these tools, and that's usually how organizations get caught, he said.
He recommended using validation/verification technologies to ensure that opt-outs and other choices work as promised, and to conduct checks consistently. In addition, he said, data professionals at companies must work more closely with tech teams to ensure consent mechanisms are compliant.