The right to control data sharing is the cornerstone of digital privacy regulation.
Almost all key pieces of data privacy and security legislation, from the EU General Data Protection Regulation to the California Privacy Rights Act, include special provisions that allow consumers to control what data they share with digital vendors and what vendors and subsequent third parties have access to this data.
The right to control data sharing is given to digital users through two key processes — consent capture and management. These processes gather all relevant consent data entered by consumers and communicate it to publishers, brands, and platforms, who then treat their user data accordingly.
While there are consumer choice tools like consent management platforms, YourAdChoices and Global Privacy Control that help organize and streamline these processes, they are far from foolproof. When ads are delivered programmatically, consumer privacy depends on the signals passed between hundreds of different technology platforms. But one-third of the time, signals are passed in error, disrupting consumer choice, and violating data privacy principles.
To understand how consent choices can be mishandled, it is important first to understand how consumer consent is captured and analyzed, and what can cause these pipelines to rupture.
How is consent captured?
Consumer consent can be captured through several technologies, frameworks and organizations that help reinforce the concept of consumer choice, i.e., that consumers should have ultimate control over their personal data and all online activity. There are three different places where users can control their consent preferences: on the brand site or publisher site via a consent management platform; in the browser, using universal opt-out tools; and in real time at the digital ad level using self-regulatory programs.
Consent management platforms
A consent management platform is a software solution, proprietary software or a SaaS product, used by digital businesses to capture and act on user consent data.
CMPs are commonly used as third-party application programming interfaces that provide very specific regulatory services to publishers. CMPs aren’t mandatory under most federal or state privacy laws, and in California, preliminary California Privacy Rights Act rules question whether cookie banners and controls are sufficient. However, CMPs are the most convenient way for publishers to fulfill their regulatory data privacy requirements.
The primary actions executed by a CMP include:
- Requesting, receiving and storing consumer consent information.
- Storing a list of preferred vendors and the information they gather.
- Updating the collected consent information based on user-triggered actions like manually changing preference settings or enabling GPC.
Here’s how the process works.
Consent capture
CMPs employ user-friendly tools like pop-up modals to ingest user consent data. These modals are expected to be clear and aptly descriptive so users know which vendors request to access, track and target their digital footprint and how they can opt out of the process. These modals also allow users to either manually select privacy preferences or opt for default options like “I accept cookies” and “I refuse cookies.”
Storing information
CMPs store user consent information in cookies. These cookies are small text files stored in the user’s browser that help the CMP know when to suppress ad code on the page and related actions. For instance, if a user opts out of interest-based advertising, the IBA vendors will be suppressed. The user may instead be shown first-party ads or contextual ads. Contextual ads are those related to the content being accessed by the users, rather than ads that are relevant to the previous actions of the users themselves.
CMPs also store all user consent information on a backend server. This is done for audit purposes, as well as to make it easier for users to access and review their privacy preferences at will.
Universal opt-out tools
Universal opt-out tools like the GPC and the proposed Advanced Data Protection Control are technical specifications used to declare a user’s data privacy preferences. GPC is usually used as a built-in browser feature or an extension users can enable to set and communicate their privacy preferences to web publishers.
While it isn’t mandatory for browsers to be compatible with GPC, it is a core feature of several privacy-forward browsers like Firefox, Brave and DuckDuckGo, and is also supported by well-known publishers like The New York Times and The Washington Post.
GPC combines the consent choice mechanism of CMPs with the ease of use and accessibility of an ad blocker. With GPC, the user can set their privacy preference once and have it broadcast to every publisher they visit automatically.
This signal informs the website of the user’s preference to not be tracked. An advantage of browser- or device-based opt-out methods like GPC is that they’re required in legislation like the CPRA and the Colorado Privacy Act.
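The following is an added example, not code from the original article, of how a publisher's server could combine the browser's GPC signal with the choice stored in the CMP cookie to decide which vendors load on a page view. The `Sec-GPC: 1` request header is the GPC signal; the vendor names, the `cmp_choice` cookie, and the rules that GPC overrides a stored opt-in and that an unknown choice suppresses IBA are assumptions of this example.

```python
# Constructed vendor table: names and the "cmp_choice" cookie are hypothetical.
VENDORS = [("iba-exchange", "iba"), ("retarget-pixel", "iba"),
           ("house-promo", "first_party"), ("topic-match", "contextual")]

def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def gpc_enabled(headers):
    """The GPC request header carries the single value "1" when the user opts out."""
    return header(headers, "sec-gpc").strip() == "1"

def stored_choice(headers):
    """Read the CMP cookie; anything but a clean 'in' or 'out' counts as 'unknown'."""
    raw = header(headers, "cookie")
    pairs = (p.strip().split("=", 1) for p in raw.split(";") if "=" in p)
    value = dict(pairs).get("cmp_choice", "")
    return value if value in ("in", "out") else "unknown"

def vendors_to_load(headers):
    """Return (vendor names allowed on this page view, reason for the decision)."""
    choice = stored_choice(headers)
    if not gpc_enabled(headers) and choice == "in":
        return [name for name, _ in VENDORS], "cmp opt-in"
    # Assumption: GPC overrides a stored opt-in, and an unknown choice suppresses IBA.
    reason = "gpc" if gpc_enabled(headers) else "cmp " + choice
    return [name for name, kind in VENDORS if kind != "iba"], reason
```

Logging the returned reason with each page view gives the backend audit record something to compare against the ad requests that were actually sent.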
Self-regulatory platforms
Mechanisms like these gather in one place opt-out methods provided by participating companies. They offer one platform through which to opt out from the collection of web and app data for interest-based advertising by those companies.
One example, YourAdChoices, is run by an industry group called the Digital Advertising Alliance. It is a nonprofit consortium of leading U.S.-based advertising and marketing businesses that operate under strict, self-imposed restrictions to protect consumer data and achieve better transparency.
The program allows users to manage their ad preferences via the YourAdChoices blue triangle icon appended to digital ads. A new industry initiative seeks to embed AdChoices directly into CMPs through a standard specification.
Other self-regulatory examples include the European Self-Regulatory Programme, and the Digital Advertising Alliance of Canada. It’s important to note that while some industry consortia, like the DAA, are technically reliable, California’s rule-making has suggested they may not be sufficient to support the California Consumer Privacy Act, soon to be augmented with the CPRA.
How consent choices are mishandled
As mentioned, consent capture and management tools like CMPs and the GPC are not foolproof. A rupture in the delivery pipelines can lead to user consent choices and, in turn, private user data being mishandled. The result can be a serious violation of user privacy, which in turn can bring strict legislative action against the publishers.
Multinational beauty brand Sephora was fined USD1.2 million by California authorities over allegations of severe CCPA violations. The investigation found that Sephora was supplying user information (collected through tracking technology like cookies) to third-party advertisers who used it to run retargeted ad campaigns without user consent.
Sephora allegedly ran afoul of the clause that allowed them to "share" user information but not sell it. Under the CCPA, sharing user information for monetary or other valuable consideration constitutes a sale. Sephora failed to satisfactorily explain how its third-party advertiser activity didn’t qualify as a sale of user data, which landed it in legal trouble.
Aside from legal loopholes, failed signal delivery is a major reason for the mismanagement of consent choices by publishers and advertisers on the internet.
Failed communication of consent signals
When an impression is available on a website, its publisher’s ad server sends a request communicating this to various supply side platforms and exchanges. SSPs allow publishers to maximize revenue based on the ad space available on their website.
SSPs transact with demand side platforms, which are platforms advertisers use to control their advertising campaigns. DSPs make monetary bids for ad slots based on the information known about the viewer contained in the bid request. The bid signifies how much an advertiser is willing to spend on each customer. When a DSP wins an auction, it sends a request for the creative to the ad server, and the creative is then dynamically loaded into the ad slot.
Data exchanged throughout this complex process contains user consent information that allows advertisers and publishers to determine whether they have the appropriate user consent needed to run IBA. This information is passed in the form of cookies or signals (in the case of the GPC) that help inform all CMPs and servers involved in the supply chain. This effectively creates hundreds of opportunities for signal failure, where data can be mishandled or leaked during any stage of the chain.
Like all electronic communication, the signals exchanged during this entire process are prone to leakage and failed deliveries, which can lead to a violation of the user’s data privacy rights. Let’s understand this better with the help of a first-hand example.
Consent mismanagement investigation
In this secret shopper example, we set up three consumer personas: a control, an opted-in CCPA visitor, and an opted-out CCPA visitor. It’s worth noting we have chosen the CCPA regulation as the benchmark because of its comprehensiveness and recent precedent in the Sephora case mentioned before.
All three of our secret shoppers completed the required consent workflow to get their consent choices registered with the publisher/CMP profile. These shoppers were then made to browse the web like any other consumer.
Our investigation showed the opt-out persona was still receiving IBA, violating its CCPA rights. The most probable reason for this would be the loss of signals containing the consent information at some point in the delivery flow. The publisher’s ad server was, in fact, not passing the required 1YYN string of an opt-out customer.
This resulted in the secret shopper’s personal information being used to run IBA even after the opt out.
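The check described above can be automated. The following is an added example, not code from the original investigation: it parses the four-character US Privacy string (version, notice given, opt-out of sale, LSPA) from ad requests captured for a persona whose choice is known, and reports the first hop where the signal is missing, malformed or contradicts that choice. The hop names, hosts, captured URLs and the `us_privacy` query parameter are constructed for illustration, and the same audit covers the opt-in persona by passing `expect_opt_out=False`.

```python
import re
from urllib.parse import urlsplit, parse_qs

USP = re.compile(r"([0-9])([YN-])([YN-])([YN-])")  # version, notice, opt-out, LSPA

def parse_usp(value):
    """Return the four fields as a dict, or None if the string is malformed."""
    m = USP.fullmatch(value or "")
    if not m:
        return None
    return {"version": int(m[1]), "notice": m[2], "opt_out": m[3], "lspa": m[4]}

def check_hop(url, expect_opt_out):
    """Classify one captured ad request for a persona with a known choice."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("us_privacy")
    if not values:
        return "missing"
    fields = parse_usp(values[0])
    if fields is None:
        return "malformed"  # e.g. an unexpanded macro or wrong case
    want = "Y" if expect_opt_out else "N"
    return "ok" if fields["opt_out"] == want else "contradicts choice"

def audit_chain(hops, expect_opt_out):
    """Return per-hop findings and the name of the first hop where the signal broke."""
    findings = [(name, check_hop(url, expect_opt_out)) for name, url in hops]
    first_break = next((name for name, f in findings if f != "ok"), None)
    return findings, first_break

# Constructed capture for the opted-out persona; hosts are placeholders.
OPT_OUT_HOPS = [
    ("cmp-to-page", "https://publisher.example/ads?slot=top&us_privacy=1YYN"),
    ("ad-server", "https://adserver.example/req?slot=top"),
    ("ssp", "https://ssp.example/bid?us_privacy=${US_PRIVACY}"),
    ("dsp", "https://dsp.example/creative?us_privacy=1YNN"),
]

if __name__ == "__main__":
    findings, first_break = audit_chain(OPT_OUT_HOPS, expect_opt_out=True)
    for name, finding in findings:
        print(f"{name:12} {finding}")
    print("first break:", first_break)
```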
Signal delivery is likely to fail for three main reasons:
- Improper CMP integration with the publisher website. Several publishers only conduct an initial assessment to ensure that their chosen CMP works with their platform. This approach ignores the fact that any changes or updates in the site can lead to changes in its underlying mechanisms, which can end up becoming incompatible with the CMP.
- The site is using methods that aren’t universally adopted throughout the digital ad ecosystem, so signals are dropped during the ad request.
- Code patches and other updates by vendors accidentally break or cause downstream issues. Simply put, whenever a platform is updated to enhance user experience or improve functionality, there are chances that this change will render the site incapable of proper signal reception.
Consequences of consent mismanagement
Stringent laws, like the CCPA, are now holding publishers accountable for consent mismanagement. Newer laws like the CPRA and Colorado’s privacy law now contain special provisions for handling especially sensitive user data and defining the terms of consent violation more clearly for swift legal action.
California privacy acts, for example, are written in a way that makes publishers accountable for consent mismanagement on an individual violation level as opposed to a campaign level. This means that the publishers will not be fined based on unethical advertising campaigns but based on the number of customers impacted by them. It also considers the net personal data shared by the publisher without user consent.
If monetary penalties and loss of consumer trust were not reasons enough to correct consent management errors, there's one more reason. We've discovered that revenue leakage and data leakage coincide. This is because opt-in errors occur just as frequently as opt-out errors. In other words, the most highly sought-after consumers may be lost when consent strings fail to transmit an opt-in, which directly impacts the effectiveness of an advertising campaign.
Whether it’s an opt-in or an opt-out, it’s critical that businesses have a system in place that audits consent capture and ensures consumer preferences are honored throughout their digital campaigns. Getting this right helps reach and maintain a positive relationship with your most loyal customers. Getting it wrong can lead not only to fines but also to lost revenue.