william littman headshot Posted by William Littman June 15, 2020

A legal perspective on how to win the war against cookie consent fatigue

As we now enter the third year of the General Data Protection Regulation (GDPR) and approach the final implementation of the California Consumer Privacy Act (CCPA), it reminded me of a trip to the UK several months ago, where I was astounded by how difficult it was to perform simple everyday online tasks such as reading the news, researching a desired purchase of new headphones, or making dinner reservations. Consent banner after wearying consent banner greeted me on every website. Some of which provided me with no choice but to click “Accept” and many of which, my patience tested to the limit, caused me to bounce off the page. Then, it struck me: The sheer waste of a process that both fatigues the customer and is ineffective in purpose: How many people actually read those esoteric privacy statements to find out what they are consenting to? Who is deriving value? How did the online world become a “cookiepocalypse” of consent banners?

This frustration might strike some readers as odd. As an attorney with years of experience in privacy and having worked in-house at a previous company that specializes in cookie banners, I should be the first person to insist upon the efficacy of consent notices. Right? My ultimate responsibility is, after all, to protect the business and per the application of the GDPR to the ePrivacy Directive, no less than “affirmative” consent is required to serve non-essential cookies. In application, however, as we have seen in the EU [and now in the U.S. with the arrival of the California Consumer Privacy Act (CCPA)], the stifling of commerce caused by the negative impact to the user experience surely cannot be what was intended by the drafters of these regimes. Amplified across millions of user interactions every day, the cost of “consent fatigue” to both enterprises and their customers is enormous.

How did we get here?

In the dash to meet their legal obligations under the GDPR and CCPA, many companies have engaged in what I call “privacy theatre” – adopting basic consent models which meet requirements just enough to comply with the law and avoid fines. However, while tacking a standard cookie banner onto a website may seem like an instant fix, it comes at a real cost to business. The vast time, money, and resources that companies invest in their online properties to create the ideal user experience is undermined by intrusive cookie banners that offer consumers little value in the way of transparency or control. Indeed, web property revenues across the EU are down significantly over the past year and the legal community has been unable to devise a workable solution to this problem.

A second approach has been for companies to completely ignore the cookie banner requirement, reasoning that the cost of negative customer experiences outweighs the risk of non-compliance. This strategy also misses an important point: Privacy laws have been driven by rising consumer expectations. Brands that ignore the concerns of their customers do so at their peril, beyond the risk of fines.

Legal vs business: The lawyer’s dilemma

For in-house lawyers, this tension between the demands of legal and business presents a vexing scenario. Do we advise the business to address its legal obligations and risk revenue, or to flout the regulations, risking financial and reputational damages? It’s an irreconcilable dilemma. Or is it?

I posit that the legal community has approached the issue of cookie consent too narrowly and to the detriment of both legal and business interests. Cookie notices are not just a matter of compliance and should not be treated as the sole preserve of the legal team. Yes, they are legally required in some jurisdictions, but their ultimate goal is to earn trust.

For this to happen, customers need to be convinced of the integrity of the company and the value of what they are being offered in exchange for their data. This is where Privacy UX comes into play; this is about incorporating customer experience best practices and human-centered design into the privacy experience – making privacy an integrated part of the brand.

Creating consent experiences that actively build trust presents real economic opportunity. Customers are five times more likely to share data with a brand when they trust it. Apple has achieved success in no small part by making privacy and trust core tenets of its brand.

Tips for creating value in the privacy experience

What does privacy UX look like in practice? It means doing away with intrusive cookie banners and embedding consent as part of the user experience. So, instead of confronting customers with a one-size-fits-all consent banner as soon as they land on a website, companies need to earn trust and be able to demonstrate the value that will be delivered to the customer in return for their data.

Here are my seven key tips for building trust and creating value in the privacy experience:

  1. Treat privacy notices as more than compliance and as an opportunity to build brand
  2. Help consumers understand the value offered in exchange for data permission
  3. Design and brand the privacy notice
  4. Delay asking for consent by providing an anonymized experience for the first few page
  5. Provide a “Decline” button on the notice
  6. Try progressive consent by requesting information only as necessary
  7. Test notices by market and language

As an in-house lawyer, embracing these principles is your chance to add value and help your brand win, to build customer loyalty and drive revenue for your company.