News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | The mismanagement of user consent data and its consequences Related reading: 2023 brings US state privacy law preparedness into focus

rss_feed

""

The right to control data sharing is the cornerstone of digital privacy regulation.

Almost all key pieces of data privacy and security legislation, from the EU General Data Protection Regulation to the California Privacy Rights Act, include special provisions that allow consumers to control what data they share with digital vendors and what vendors and subsequent third parties have access to this data.

The right to control data sharing is given to digital users through two key processes — consent capture and management. These processes gather all relevant consent data entered by consumers and communicate it to the publisher of a website, publishers, brands, and platforms, who then treat their user data accordingly.

While there are consumer choice tools like consent management platforms, YourAdChoices and Global Privacy Control that help organize and streamline these processes, they are far from foolproof. When ads are delivered programmatically, consumer privacy depends on the signals passed between hundreds of different technology platforms. But one-third of the time, signals are passed in error, disrupting consumer choice, and violating data privacy principles.

To understand how consent choices can be mishandled, it is important first to understand how consumer consent is captured and analyzed, and what can cause these pipelines to rupture.

How is consent captured?

Consumer consent can be captured through several technologies, frameworks and organizations that help reinforce the concept of consumer choice, i.e., that consumers should have ultimate control over their personal data and all online activity. There are three different places where users can control their consent preferences: On the brand site or publisher site via a consent management platform; in the browser, using universal opt-out tools; and in real-time at the digital ad level using self-regulatory programs.

Consent management platforms

A consent management platform is a software solution, proprietary software or a SaaS product, used by digital businesses to capture and act on user consent data.

CMPs are commonly used as third-party automated programming interfaces providing very specific regulatory services to publishers. CMPs aren’t mandatory under most federal or state privacy laws. In California, preliminary Consumer Privacy Rights Act rules question whether cookie banners and controls are sufficient. However, they are the most convenient way for publishers to fulfill their regulatory data privacy requirements.

The primary actions executed by a CMP include:

  • Requesting, receiving and storing consumer consent information.
  • Storing a list of preferred vendors and the information they gather.
  • Updating the collected consent information based on user-triggered actions like manually changing preference settings or enabling GPC.

Here’s how the process works.

Consent capture

CMPs employ user-friendly tools like pop-up modals to ingest user consent data. These models are expected to be clear and aptly descriptive so users know which vendors request to access, track and target their digital footprint and how they can opt-out of the process. These modals also allow users to either manually select privacy preferences or opt for default options like “I accept cookies” and “I refuse cookies."

Storing information

CMPs store user consent information on cookies. These cookies are small text files stored in the user’s browser that help the CMP know when to suppress ad code on the page and related actions. For instance, if a user opts out of interest-based advertising, the IBA vendors will be suppressed. The user may instead be shown first party ads or contextual ads. Contextual ads are those related to the content being accessed by the users, rather than ads that are relevant to the previous actions of the users themselves.

CMPs also store all user consent information on a backend server. This is done for audit purposes, as well as to make it easier for users to access and review their privacy preferences at will.

Universal opt-out tools

Universal opt out tools like the GPC and the proposed Advanced Data Protection Control are technical specifications used to declare a user’s data privacy preferences. GPC is usually used as an in-built browser feature or an extension users can enable to set and communicate their privacy preferences to web publishers.

While it isn’t mandatory for browsers to be compatible with GPC, it is a core feature of several privacy-forward browsers like Firefox, Brave and DuckDuckGo, and is also supported by well-known publishers like The New York Times and The Washington Post.

GPC combines the consent choice mechanism of CMPs with the ease of use and accessibility of an ad blocker. With GPC, the user can set their privacy preference once and have it broadcast to every publisher they visit automatically.

This signal informs the website of the user’s preference to not be tracked. An advantage of browser- or device-based opt-out methods like GPC is that they’re required in legislation like the CPRA and the Colorado Privacy Act.

Self-regulatory platforms

Mechanisms like these gather in one place opt-out methods provided by participating companies. They offer one platform through which to opt out from the collection of web and app data for interest-based advertising by those companies.

One example, YourAdChoices is run by an industry group called the Digital Advertising Alliance. It is a nonprofit consortium of leading U.S.-based advertising and marketing businesses that operate under strict, self-imposed restrictions to protect consumer data and achieve better transparency.

The program allows users to manage their ad preferences via the YourAdChoices blue triangle icon appended to digital ads. A new industry initiative seeks to embed AdChoices directly into CMPs through a standard specification.

Other self-regulatory examples include the European Self-Regulatory Programme, and the Digital Advertising Alliance of Canada. It’s important to note that while some industry consortia, like the DAA, are technically reliable, California’s rule-making has suggested they may not be sufficient to support the California Consumer Privacy Act, soon to be augmented with the CPRA.

How consent choices are mishandled

As mentioned, consent capture and management tools like CMPs and the GPC are not foolproof. A rupture in the delivery pipelines can lead to user consent choices and, in turn, private user data being mishandled. This can lead to a serious violation of user privacy which can lead to strict legislative action being taken against the publishers.

Multinational beauty brand Sephora was fined USD1.2 million by California authorities over allegations of severe CCPA violations. The investigation found that Sephora was supplying user information (collected through tracking technology like cookies) to third-party advertisers who used it to run retargeted ad campaigns without user consent.

Sephora allegedly ran afoul of the clause that allowed them to "share" user information but not sell it. Under the CCPA, sharing user information for monetary or other valuable consideration constitutes a sale. Sephora failed to satisfactorily explain how its third-party advertiser activity didn’t qualify as a sale of user data, which landed it in legal trouble.

Aside from legal loopholes, failed signal delivery is a major reason for the mismanagement of consent choices by publishers and advertisers on the internet.

Failed communication of consent signals

When an impression is available on a website, its publisher’s ad server sends a request communicating this to various supply side platforms and exchanges. SSPs allow publishers to maximize revenue based on the ad space available on their website.

SSPs transact with demand side platforms, which are platforms advertisers use to control their advertising campaigns. DSPs make monetary bids for ad slots based on the information known about the viewer contained in the bid request. The bid signifies how much an advertiser is willing to spend on each customer. When a DSP wins an auction, they send requests for creatives to the ad server, which is then dynamically loaded on the ad slot.

Data exchanged throughout this complex process contains user consent information that allows advertisers and publishers to determine whether they have the appropriate user consent needed to run IBA. This information is passed in the form of cookies or signals (in the case of the GPC) that help inform all CMPs and servers involved in the supply chain. This effectively creates hundreds of opportunities for signal failure, where data can be mishandled or leaked during any stage of the chain.

Like all electronic communication, the signals exchanged during this entire process are prone to leakage and failed deliveries, which can lead to a violation of the user’s data privacy rights. Let’s understand this better with the help of a first-hand example.

Consent mismanagement investigation

In this secret shopper example, we set up three consumer personas: a control, an opted-in CCPA visitor, and an opted-out CCPA visitor. It’s worth noting we have chosen the CCPA regulation as the benchmark because of its comprehensiveness and recent precedent in the Sephora case mentioned before.

All three of our secret shoppers completed the required consent workflow to get their consent choices registered with the publisher/CMP profile. These shoppers were then made to browse the web like any other consumer.

Our investigation showed the opt-out persona was still receiving IBA, violating its CCPA rights. The most probable reason for this would be the loss of signals containing the consent information at some point in the delivery flow. The publisher’s ad server was, in fact, not passing the required 1YYN string of an opt-out customer.

This resulted in the secret shopper’s personal information being used to run IBA even after the opt out.

Delivery signals can likely fail because of three main reasons:

  • Improper CMP integration with the publisher website. Several publishers only conduct an initial assessment to ensure that their chosen CMP works with their platform. This approach ignores the fact that any changes or updates in the site can lead to changes in its underlying mechanisms, which can end up becoming incompatible with the CMP.
  • The site is using methods that aren’t universally adopted throughout the digital ad ecosystem, so signals are dropped during the ad request.
  • Code patches and other updates by vendors accidentally break or cause downstream issues. Simply put, whenever a platform is updated to enhance user experience or improve functionality, there are chances that this change will render the site incapable of proper signal reception.

Consequences of consent mismanagement

Stringent laws, like the CCPA, are now holding publishers accountable for consent mismanagement. Newer laws like the CPRA and Colorado’s privacy law now contain special provisions for handling especially sensitive user data and defining the terms of consent violation more clearly for swift legal action.

California privacy acts, for example, are written in a way that makes publishers accountable for consent mismanagement on an individual violation level as opposed to a campaign level. This means that the publishers will not be fined based on unethical advertising campaigns but based on the number of customers impacted by them. It also considers the net personal data shared by the publisher without user consent.

If monetary penalties and loss of consumer trust were not reasons enough to correct consent management errors, there's one more reason. We've discovered that revenue leakage and data leakage coincide. This is because opt-in errors occur just as frequently as opt-out errors. In other words, the most highly sought-after consumers may be lost when consent strings fail to transmit an opt-in, which directly impacts the effectiveness of an advertising campaign.

Whether it’s an opt-in or an opt-out, it’s critical businesses have a system in place that audits consent capture and ensures consumer preferences are honored throughout your digital campaigns. Getting this right helps reach and maintain a positive relationship with your most loyal customers. Getting it wrong can not only lead to fines, but lost revenue. 


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Dan Frechtling IAPP Member Contributor
Tags
Marketing/Retail
U.S.
Big Data
Privacy Law
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
The Sephora case: Do not sell – But are you selling?
2
Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement sett...
Read More queue Save This
Related Stories
Tags
Marketing/Retail
U.S.
Big Data
Privacy Law
Privacy Operations Management
Recent Comments