Whose Job Is It to Explain Why Consumers Should Consent to Share Data?
Everybody is talking about user consent and privacy.
Days after Swedish regulators fined Spotify more than $5 million for violating the European Union’s General Data Protection Regulation (GDPR) and failing to inform consumers how their data was being used, and months after Meta saw an even greater fine of $414 million for forcing its users to choose between consenting to data collection or losing access to the company’s social platforms, brands throughout the U.S. are looking at their own practices and questioning whether they could be next.
From the moment it went into effect in 2018, the GDPR has had a major impact on the way organizations around the globe handle consumer privacy. The focus on data privacy has even started to spill into other markets. In the U.S., regulators have made several changes and proposals to the country’s data initiatives that could impact targeted advertising in the coming years, including the Competition and Transparency in Digital Advertising Act (CTDA) and the American Data Privacy and Protection Act (ADPPA).
It’s not just businesses and regulators looking more closely at the topic of data privacy, though. In the five years since the GDPR was enacted, consumers have become increasingly interested in data collection and privacy — questioning not just how their data is being used, but why it’s being collected in the first place.
“Today, getting user consent is the focal point of discussion. Specifically, the industry has been focused on consent collection and management and ensuring that these systems operate efficiently. However, we have been ignoring the most important side of the consent discussion, which is to explain to people why they should give consent,” says Mathieu Roche, co-founder and CEO at ID5, an identity provider for digital advertising. “We can have the best consent management frameworks in place, but if we don’t explain, in simple terms, why people should consent to share their data and the value they get, we are not setting ourselves up for success.”
Survey after survey show that consumers care about the privacy of their personal data. According to the IAPP’s Privacy and Consumer Trust Report, 68% of consumers globally are either “somewhat” or “very concerned” about their privacy online.
The biggest question companies should be looking at now isn’t whether consumers are concerned about privacy — because clearly, they are — but whose job it is to explain the nuances of the issue to them.
Privacy notices and policies are the primary vehicles used to inform consumers about what data is collected, but most policies are dense, lengthy texts that people struggle to understand. Should individual companies be engaging in more straightforward discussions with users around topics like consent management? Should regulators or government agencies weigh in, as well?
As consumers become interested in how their data is used, Roche says companies must be more transparent about their data collection practices.
Introducing a Standard Framework
Given recent events, Roche says it’s likely the U.S. could implement a federal privacy law in the coming years, following in the footsteps of Europe’s GDPR. Although there are several patchwork laws in place currently, there has been progress in administering something more unified, such as the American Data Privacy and Protection Act (ADPPA). The ADPPA is the most advanced attempt to date, and if passed, it would create new protections for consumers and expand their control over how their personal information is used.
“A federal law would be positive for the U.S., as it would introduce a standard data protection framework and enable the market to cultivate a level playing field,” Roche says. “There have been arguments for and against the ADPPA in the U.S., but it provides valuable insight into where the future of data protection is heading.”
In the meantime, Roche expects to see more brands experiment with cookieless solutions in environments like Safari, while they wait for the complete phase-out of third-party cookies. He says privacy-focused ID providers are being built on top of consent and encryption mechanisms that guarantee consumer data is collected and shared with permission, and that the data associated with the ID can only be accessed by authorized parties.
“We expect that cookies will be used as long as they live. Therefore, the full potential of cookieless solutions will be evident once Chrome phases it out,” Roche says. “However, companies that have already started their cookieless transition journey and implemented and tested solutions will be better prepared to operate in the cookieless era.”