2019 to 2022: The Evolution of Consumer Consent and How to Adapt

By opening a dialogue with audiences about data collection and processing, as well as empowering them to decide how their data is used, marketers and publishers can enhance their relationships with consumers.

Editor’s Note: While this piece was originally written for the publishing audience, privacy legislation and consumer consent are still very important topics for marketers to navigate.

The EU’s General Data Protection Regulation (GDPR) laid the foundation for privacy legislation in 2018. One of its key aims was to give consumers more control over their personal information and make users understand they have a choice when it comes to providing consent to data collection and processing.

In the US, initial responses to the GDPR ranged from criticism to pay walls or completely blocking EU visitors from accessing content. While many companies made sure their legal teams were up to speed with the newly introduced regulation, multiple factors are now making US publishers sit up and further address data privacy, associated regulations, and the importance of consumer consent.

Google’s €50 million fine — issued by French regulator CNIL, for lack of valid consent in ad personalization — was one of the first to grab attention. Fines for data breaches might not have been as frequent as some expected, but regulators have had time to build cases and more large fines are expected to come, according to The Wall Street Journal.

In addition, US states are working to implement their own regulations. California’s Privacy Act (CCPA) is due to come into force in January 2020, Vermont’s new legislation is already in place, and a consumer privacy bill has been proposed in New York. The exact requirements of each regulation may differ from the GDPR — the CCPA relies on the user opting out rather than opting in, whereas opt-in is expected as part of the New York Privacy bill development. There may even be a federal regulation requiring opt-in on the horizon, with privacy advocates such as Apple CEO Tim Cook, as well as members of the Federal Trade Commission, calling for a stricter national privacy law.

Collecting user consent may not yet be a legal obligation, but publishers are realizing that it makes good business sense as consumers demand more control over their personal data. According to GlobalWebIndex, more than 70% of US consumers say they are both more aware of, and more concerned about how companies use their information than they were 12 months ago, while less than half feel they are in control of their personal data online.

By opening a dialogue with audiences about data collection and processing, as well as empowering them to decide how their data is used, publishers can enhance their relationship with consumers. Demonstrating transparency and responsible data use builds trust, but also educates users via one-to-one communications about the necessity of data to their business models and the inherent value exchange.

Publishers that go beyond the one-size-fits-all approach to create meaningful consent experiences right now will reap the rewards in the long term. The next two years will be critical for consent and there are a number of practical considerations to take into account when implementing consent programs.

Ensure Usability

The consent interface is often the first point of contact between publisher and consumer, so care needs to be taken in its design and functionality. Consent requests need to achieve the perfect balance between giving the user the details they need to make an informed choice and not alienating them with complex jargon they won’t understand or unnecessarily disrupting their user experience – all while ensuring legal compliance. Consent requests should be highly explicit, giving users the power to opt in or out of data collection for specific purposes or by particular companies. Ideally, publishers should test a variety of messaging formats to deliver the best possible experience.

Execute Consent Seamlessly

Once a user submits their consent preferences, publishers need to make sure they are integrated across the advertising supply chain. The IAB released its Transparency and Consent Framework (TCF) as a tool to help publishers and other participants in the digital advertising ecosystem comply with their obligations. The updated second version of the TCF increases the importance of consent by enabling users to object to data collection under legitimate interest, an alternative legal basis for data processing. It’s also important that consent preferences can be communicated across non-IAB vendors.  

Apply Preferences Across Devices

With consumers frequently switching between laptops, smartphones and TVs to consume content, it is best practice for publishers to share choices across multiple devices. The ability to connect user preferences to an authenticated profile and apply these everywhere the user interacts with a publisher’s content saves the user from having to supply consent every time they log in through a different device. An authenticated profile is a tool that allows users to manage their preferences across site, browser, and devices, and allows publishers to collect consent signals based on identity rather than cookies.

Publishers in the US who aren’t yet legally obliged to implement a consent program yet might be hesitant, with the fear it will be disruptive to their business or they will lose advertising revenue if their audiences fail to give permission. However, they need to consider that across the EU, the publishers that experienced the least disruption were those that adapted early and gave themselves plenty of time to get the consent process right.

By 2021, with GDPR well established, the CCPA in force, and other regulations underway, consent will be a user expectation if not a legal obligation. Publishers should start implementing consent programs now to build trusting relationships with their audiences, increase transparency around data processes, and put themselves in a good position to deal with the regulatory changes ahead.

7 Privacy UX Tips From a Privacy and Marketing Expert

There are all kinds of marketing awards, but how about one for privacy UX? How do you make your customers comfortable with your privacy user experience? It’s not just agencies — but ad tech and martech companies, data providers, analytics firms and even management consulting firms that are in the data-driven mix.

Do we need to have an award for a better Privacy UX?

With the Association of National Advertisers’ acquisition of the Data & Marketing Association last year came new ownership, too, of the International ECHO Awards. As a lover of data-driven marketing (and an ECHO Governor), it’s very exciting to see brands recognize the strategic role of data in driving more relevant consumer (and business) engagement, and the myriad ad and data partners that brands rely on to make this engagement happen.

It’s not just agencies — but ad tech and martech companies, data providers, analytics firms and even management consulting firms that are in the data-driven mix. These are the facilitators of today’s consumer intelligence that forms the basis for smarter and more efficient brand communication. Some folks even eschew the term “advertising” as we move into a world where branded and even non-branded content underlie data-inspired storytelling that are hallmarks of today’s forward-thinking campaigns.

By the way, the call for entries for this year’s ECHO Awards (to be presented March 2020 as ANA moves what was the DMA conference from this Fall to next Spring) is happening soon — though the entry portal is now open. Let me know if you’d like an invite to the launch party in New York (Wednesday, May 22, in the afternoon).

An Important Part of Brand-Consumer Dialogue — Privacy Notices

One category that won’t be part of this year’s ECHOs is related to privacy-specific communication from brands.

You’ve seen it. I’ve seen it. Again and again — all over our smartphone and laptops … communications asking for our consent for cookies, for newsletters, for device recognition, for terms and conditions — all in an effort to help enable data collection to serve the brand-consumer value exchange and subsequent dialogue.

Some of this is mandated from Europe’s General Data Protection Regulation, with halo impact in other nations and markets. Others are anticipating such notice requirements from California’s forthcoming privacy and advertising law. Still others are simply adopting heightened transparency (and choice) as part of self-regulatory and best practices regimes, where no laws may yet exist.

All of this devoted to one objective: getting a consumer (or business individual) to say “yes” to data collection about them, their devices and digital behaviors, in an effort to serve them better.

This week, during the International Association of Privacy Professionals’ Global Privacy Summit 2019 in Washington, DC, one expert — Darren Guarnaccia, Chief Product Officer, Crownpeak — offered some research insights from some 17 million preference experiences that Crownpeak has helped to facilitate on behalf of its brands. These experiences are focused on Europe in light of GDPR, but the findings offer good counsel to any brand that is thinking through its privacy UX.

Some Privacy Communications Concepts to Test

Here are just a few of the tips Guarnaccia reported:

  • Privacy Notices are Not Just a Matter of Compliance: Yes, they may be legally required in some jurisdictions – but more vitally, they should be treated with the same discipline and care of any other branded communication. Because the ultimate goal is to earn trust — going beyond compliance and permission. As a result, the whens, wheres and hows of such notices are vital to test and perfect.
  • Avoiding Legal Penalty Is Table Stakes — We Ought to Design Such Notices for Higher Purpose: To extend the previous point on consumer trust, there’s a higher price to pay if a privacy notice simply meets a legal expectation, and nothing more. Many consumers have gone “stealth” — using ad blockers and going incognito on browsers. We must remind, convince or persuade consumers of the value a brand seeks to offer in exchange for permissions and consents for data collection, analysis and application. Are we extending such notice in plain language at the right time?
  • Brand’ the Privacy Communication: This may seem obvious — but it’s often overlooked. Does the privacy notice look like it’s coming from the brand — or from somewhere else (such as a browser or ad tech partner)? In gaining consent, it’s always superior for the notice to be owned, cared and looked after by the brand itself — even if a third-party (such as an ad tech provider) is facilitating the notice. Does the creative of the notice match the colors, fonts and point sizes of the brand content behind it? By extending brand requirements to such communication, a brand is taking “ownership” of the data collection, consent and trust-building directly — as it should, in the eyes of the user.
  • Earn Before You Ask: Oftentimes, the consumer is presented with a cookie or related privacy notice upon entering a brand’s digital property — first page, upon entry. Test giving consumers a more anonymized experience for the few page visits, and then present a notice — “Are You Enjoying What You’re Seeing?” where a data collection permission is then sought. This allows the consumer to indeed value what’s on offer in information on the site.
  • Give Consumers Both an ‘Accept’ and a ‘Decline’ Choice or Button: Many sites offer only an “accept” button, leaving the consumer with an impression that they can “take it or leave it,” with no sense of real control. Test offering both an accept or decline offer — just seeing the word “decline” reminds consumers they are in control — and the actual decision to “decline” becomes more apparent for those consumers who indeed wish to be stealth.
  • Test Progressive Consent: Not every Website (or app) may need immediate access to user data for all purposes of consumer engagement. For data minimization purposes, perhaps ask visitors permission to collect only basic information (say, for contact, site optimization or customer recognition purposes) first. Then, only when necessary for utility, ask permissions for location data or other data categories, alongside the rationale for such collection and consent, as those needs arise. Asking for everything, upfront, all at once, can be a real turnoff — especially if a user is “new” to a brand. Consumers love — and frankly, need to know — the context for the permissions they give (or deny).
  • Test Privacy Notices by Market: Did you know users in the United Kingdom, for example, are 1.4 times more likely to give consent than those in France and Germany? How notices are worded and rationales explained — how transparency is conveyed — can have a big impact between markets, so it’s best to test notices by individual market (and language) to optimize consent rates. In short, national cultures and language nuance matter, too, in privacy communication.


In summary, there’s more payback than just permission. Consent rates in Europe can go as high as 60 to 70 percent — and hurtling over cookie walls at 80 to 90 percent — when privacy communications are optimized. Crownpeak offered far more tips (and real-market examples) in its session — about search engine optimization, personalization, analytics disclosures and other related topics. But there’s also lifetime value, and indeed consumer trust in the balance. We have an entirely new area for many marketers to test, working with their counsel and technology colleagues.

Who knows? Maybe the best such privacy-focused campaigns could still win a 2020 ECHO — based on compelling strategy, creative and results toward an earn-their-trust purpose. Is there a courageous brand ready to show us how? After all, this is one area where we all benefit from ways to raise consumer trust in advertising by sharing successful case studies. We shall see.