Data underpins today’s digital media economy, and consumer consent should be the sine qua non of trading in targeted advertising.

With the EU General Data Protection Regulation in full force, and its ripple effect across the U.S. boosted by the California Consumer Privacy Act, many advertisers and publishers are still guilty of "magical thinking." They assume consumers are fully aware of an online exchange where their data is part of a transaction from which they receive personalized advertising in return for access to digital content.  

The regulation is clearly putting concepts of control, transparency, and accountability front and center. It is prefiguring a “choice architecture” where consumers have more control over data and are empowered to make “meaningful choices” — freely and as an expression of their wishes.

The industry must now consider three things:

1. The operating models required to prosper in a market with less consent and so less data.
2. The manner in which consumers approach consent choices and the outcomes they expect from these choices.
3. How businesses can earn sufficient trust to deliver the volume of consent and data to underpin their newly engineered operational models.

The story so far

As recently noted by Unruly’s programmatic chief, GDPR implementation hasn’t left us “living in a Mad Max-like apocalyptic world where the Lumascape has imploded.” Even so, the initial impact of GDPR enforcement was dramatic, with some ad tech providers making the decision to withdraw services from Europe and a number of U.S. websites blocking EU traffic. News publications such as the New York Daily Times, the Los Angeles Times, and the Chicago Tribune are still blocked in most European countries five months on. 

But aside from these events, the conversation around GDPR and consent is largely about tech and tools. The IAB launched a consent framework to streamline the compliance process and help websites, ad tech providers, and advertisers explain their data practices as well as request, record, and manage consent. The framework allows consent choices to be transmitted throughout the digital supply chain, increasing accountability across both desktop and mobile. There are already a number of IAB-compliant consent management platforms available, although Google has stalled on implementing the framework and attempted to delegate responsibility to publishers by labelling them as co-controllers that must gain consent.     

The industry must think not only about consent mechanisms but the way it presents itself — and its data practices — to consumers. This should become central to the responsibilities of the marketing department.

In all this talk of technology, however, the industry is overlooking the vital elements of real people making real choices. The presence of the right tick box is evidence of compliance; but is no guarantee that a user will actually tick it. A recent Smartpipe consent study reveals that when transparency about purposes and the full number of vendors in the data supply chain is delivered, only one in 10 would give their permission for data to be used for personalized advertising. The industry must think not only about consent mechanisms but the way it presents itself – and its data practices – to consumers. This should become central to the responsibilities of the marketing department.

Moving forward with consent means moving forward with trust

Building trust is a core objective of the GDPR. The outcome of the consent mechanics that businesses put in place is influenced by the amount of prior trust between the consumer and the business and will also have a direct impact on the levels of trust earned going forward.

Consumers are far more likely to give consent to big name brands they know, with the consent study revealing Facebook and Google came out on top in every scenario, gaining higher levels of consent than less well-known vendors — a minimum of 28 percent and a maximum of 54 percent — despite recent issues such as the Cambridge Analytica scandal.

To build trust and recognition, companies can start by agreeing to a social contract where they commit to respecting their audience at each and every touchpoint, listening to their needs, and responding accordingly. Obtaining consent shouldn’t be a one-off event but a continuous process of reassessment, ensuring data practices are reasonable and transparent, ultimately establishing and maintaining fair terms for business.

Obtaining consent shouldn’t be a one-off event but a continuous process of reassessment, ensuring data practices are reasonable and transparent, ultimately establishing and maintaining fair terms for business.

In addition to a clear social contract that outlines commitments, companies can also reassure consumers by investing in techniques that enhance privacy and data security. For instance, the consent study shows data protection messaging from trusted businesses such as phone operators and banks, which stress the use of innovative privacy-enhancing technology, see extremely high consent rates of up to 83 percent.

An example of the techniques companies can adopt to reassure consumers about the safety of their data is to employ privacy-enhancing technologies that allow data to be used without identifying the individual. So the traditional persistent identifiers used in the digital ecosystem are replaced by temporary, single-use tokens. These make useful information externally available for various purposes without personal data leaving the first-party data network. For example, a mobile network operator could share useful customer data for the purposes of digital advertising without this data ever leaving its network and without compromising the security of customers.

The GDPR has shifted the balance of power in the digital world, with consumers gaining the confidence to control their data. Consent is the key to unlocking the use of data, and as a first step, publishers, ad tech providers, and advertisers must provide well-designed consent experiences and privacy dashboards. But, for these investments to translate into sustainable competitive advantage, they need to look beyond mechanics and the “value exchange,” ensuring users get perceived fairness and respect alongside the provision of on/off toggles.

Persuading consumers to opt in, dissuading them from opting out: consent really is what it’s all about. This trust-driven process starts before and continues after the presentation of a simple tick box. 

photo credit: checked_tick via photopin (license)