The launch of GDPR in the EU and CCPA in the USA has been of concern for many of us that leverage digital data and make business decisions in the digital marketing and digital data collection field. And while GDPR was launched over a year ago, there are still companies that are catching up – fortunately, there is still time to prepare for the CCPA (effective January 1, 2020). But ignoring these bodies of legislation does not appear to be a great option either – did you hear about British Airways’ £183 million fine earlier this summer?
A Refresher – What are the GDPR and CCPA?
GDPR is the European Union’s General Data Protection Regulation, while CCPA is the California Consumer Privacy Act. Both pieces of legislation set a high bar on what personal data a company can collect, and how they can use and process that data.
Although beyond the scope of this article, it is important to note that while they are similar in spirit there are significant differences between them regarding what and how data is collected, as well as how it must be managed by an organization.
Consent Strategy Considerations
And now you may ask, what does ‘personal information’ mean? What type of data is ‘personal’? To that – we can offer no help – we are not lawyers! The legislation defines them, but only your internal digital business stakeholders & legal team can interpret what personal information means for your unique organization. Defining this for your organization will help you navigate properly applying GDPR/CCPA guidelines for employing consent.
Regardless, both bodies of legislation highlight the need to obtain consent, and here are some key considerations:
Implied vs. Explicit (Express) Consent
There are 2 types of consent; implied and explicit (also called express). The type of consent you require is set out in both pieces of legislation – your lawyer can help with understanding that process.
In an explicit consent situation, a person proactively indicates that they are agreeing to something (e.g. click an ‘accept’ button or something similar on a website banner) in order for their website interactions to be tracked.
In an implied consent situation, a person behaves in a way that indicates they are agreeing to something (e.g. receiving emails from you). You may use a website banner that is informational, letting consumers know that as they continue through your website experience (beyond that first page), they are giving you consent for their de-identified onsite behavior data to be recorded.
From a marketing perspective, the type of consent you employ will impact your data collection methods. For instance, in explicit consent situations, you may be able to obtain more useful data than in implied consent scenarios.
The Impact on Digital Experiences
Companies typically gain or suggest consent through the use of a website banner, and how this banner is implemented is more important than you might imagine! The creative implementation of your consent banner can really impact the consumer’s engagement and acceptance of your consent policy.
For the most favorable response, you may want to do some testing around your consent messaging, like using the call to action ‘Accept’ vs. ‘I agree’ in terms of getting users to agree to how you are going to use their data.
Visual cues are also key! We found in one particular split test, more users agreed to have their website activity tracked simply because a call to action button was visually different from other calls to action on a Home Page.
Outside of messaging and visual cues, another key consideration is whether to allow users to interact with a banner or pop-up. For instance, we have noticed that permitting users to close a banner or pop-up can decrease your ability to gain consent. (Your lawyers still may insist otherwise!).
Deploying a Consent Manager
There are a number of vendors that offer consent manager tools that can be integrated into your website and help with ensuring compliance within digital environments at a reasonable cost (e.g. OneTrust, CookieQ… heck your CMS may even have built-in compliance too).
One of the often-overlooked issues with consent managers is the amount of time it takes to deploy a consent manager tool on your website. This is highly dependent on the way you are currently collecting data.
Using a tag manager can help facilitate the appropriate launch of a consent tool; sometimes even nesting tag management containers, one within another, can be a method whereby consent can be managed at the ‘parent’ container level. However, this can have an impact on other related analytics programs, so be mindful that your consent launch and container set-up will need to be vetted with other tools (like personalization & testing).
Finally, when selecting a consent manager, be sure to vet your vendor selection with your legal team, and ensure all your data collection policies are properly enabled with whichever vendor you select.
It is generally recommended to expect some data loss. We have seen data loss, whether in explicit or implied scenarios, on the order of 30% or higher at the session-level (this, of course, is highly dependent on the factors listed above, especially the creative implementation).
This loss can be even higher for websites that don’t see a lot of mobile traffic. we have observed that mobile users are more likely to accept or move past a consent banner more quickly than desktop users, simply because the banner is so obvious on the small screen.
The ability to analyze digital media activities also needs to be considered. The consent model you choose may not only impact data loss at the session-level but at the landing page level as well.
For example, if you launch an implied consent model on a landing page that requires users to click through to subsequent pages in order to indicate consent, the landing page details of their session could be completely lost (i.e. if they do not click through).
Loss of visibility on landing page activity could have a more pointed and severe impact on your business if you have a high percentage of traffic coming from digital media, especially for acquisition. In this case, you may even want to consider the explicit model, just so – for that subset of consumers that do click ‘accept’ – at least their landing page information is captured.
These are just some of the core considerations around consent as you plan your compliance roll-out. In addition to the data collection implications, there are internal business communications you should map out as well – be sure to set data loss expectations with your digital data teams and internal stakeholders before putting your policy into production. Bring your strategy teams together to help ensure they understand how the loss of data will impact their individual remits within your business vertical.
Good luck, and may the data be with you! (Yes, I am a huge nerd)
Get more information on data privacy and what it will mean for the digital future at our annual Analytics Rising Conference – a free online event covering the hottest topics in the digital landscape.