Teams need to present consent options to users in terms they can understand, and striking the balance between clarity and thoroughness is key for strong privacy ops. Here’s how your team can get there.
The cornerstone of user consent is that it is informed consent. If a user cannot understand what they are consenting to, the consent ceases to be valid in the eyes of data regulators around the world. In addition to putting your business at risk for significant fines, consent violations undermine the trustworthiness of your brand. As both users and regulators raise their expectations for respectful data practices, teams’ consent processes must be built on informed consent. Therein lies a key challenge for modern data privacy. Teams must present consent options to users in a way that balances thorough detail with understandable terms. If consent options are overly vague, users cannot make informed decisions about their data. On the other hand, technical jargon can overwhelm users and again stand in the way of informed consent.
Consent management is about meeting users where they are. For evidence of this, just look at last month’s new guidelines in California requiring businesses to cut out unnecessary steps in their consent processes. It can be daunting to strike this balance, but we are here to help. In this article, we walk through an example of an effective consent request.
To showcase effective user consent management, let’s consider a hypothetical company called Cloud Co. Because it has lots of users in California, Cloud Co. needs to comply with the California Consumer Privacy Act (CCPA). Among the CCPA’s requirements is a “Do Not Sell My Personal Information” feature for users to opt out of personal data sales. To request users’ consent, Cloud Co. does the following:
Let’s zoom in on each of those. There are key learnings for teams looking to comply with CCPA, GDPR, or any of the growing number of privacy regulations worldwide.
A data use case, called a data processing activity under GDPR, is your team’s business purpose for handling a user’s personal information. A clear name for each data use case helps users understand the reason you seek their consent. Strive for plain names instead of obscure ones; your users will appreciate your transparency. For CCPA compliance, “Data Sales” sums up the data use case for Cloud Co. much more succinctly than “Pixel Tracking For Targeted Third-Party Advertising” does. Both are descriptive, but only the former is suited for Cloud Co.’s everyday users. The latter raises more questions than it answers. Cloud Co.’s other data use cases might have names like “Payment Processing” or “Analytics.”
Unlike the others, this component relies more on graphics than text. But it is a crucial part of users’ privacy experience. Users should see an unambiguous toggle for “Yes” and “No” consent options, with one toggle for each relevant data use case.
The clarity/thoroughness balance is most important in the description, where users will seek additional information without being overwhelmed. Cloud Co. knows that the CCPA defines a “sale” broadly: not only selling, but also disclosing or transferring personal information to a third party for monetary or other valuable consideration. They make this point clear in their description:
Although Cloud Co. does not sell your personal information, from time to time we may use some of your personal information for advertising performance analysis and audience modeling for ongoing advertising, which may be interpreted as Data Sales under the California Consumer Privacy Act (CCPA). You can opt out of this here and we will ensure your data is no longer used for these purposes.
Observe that the description references technical concepts like advertising performance analysis. However, it references them using non-technical terms.
One of the thorniest issues in modern data privacy is the trade-off between understandable consent requests and fully comprehensive consent requests that provide all of the technical details. It’s an issue scholars have debated, and we’ve discussed it, too. In short, we follow the best practice of providing clear descriptions using terms that a non-technical audience can understand.
An important supplement to these descriptions is an easily accessible privacy contact at your business, listed alongside your team’s Privacy Policy. That way, users who want to know more about your data use cases have a go-to contact for more information.
Finally, users should get a basic run-down of the kinds of personal information involved in this data use case. Cloud Co.’s “Data Sales” might include fields like e-mail address, behavior (for instance, which pages a user visits), IP address, and location.
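The four components above (a plain use-case name, a Yes/No toggle, a description, and the data categories involved) also define what the back end has to enforce. The following is an added example, not code from the page or from Ethyca, showing one way to model those components as a policy and to gate each processing activity on the user’s choice. The catalog entries, the `default_allowed` flag (the CCPA “Do Not Sell” opt-out is allowed until the user says No; the hypothetical “Analytics” activity is treated as opt-in), and the sample user record are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DataUseCase:
    """One consent option: the name, description and data categories the
    user sees, plus whether the activity is allowed before the user chooses."""
    name: str
    description: str
    fields: FrozenSet[str]
    default_allowed: bool  # True = opt-out model (CCPA sale); False = opt-in


# Hypothetical catalog for Cloud Co. (assumption: Analytics is opt-in).
CATALOG: Dict[str, DataUseCase] = {
    "Data Sales": DataUseCase(
        name="Data Sales",
        description=("We may use some personal information for advertising "
                     "performance analysis and audience modeling, which may "
                     "be interpreted as Data Sales under the CCPA."),
        fields=frozenset({"email", "behavior", "ip_address", "location"}),
        default_allowed=True,
    ),
    "Analytics": DataUseCase(
        name="Analytics",
        description="Aggregate usage statistics to improve the product.",
        fields=frozenset({"behavior", "ip_address"}),
        default_allowed=False,
    ),
}


@dataclass
class ConsentRecord:
    """A user's toggle state per use case, with an audit trail of changes."""
    user_id: str
    choices: Dict[str, bool] = field(default_factory=dict)
    history: List[Tuple[str, str, bool]] = field(default_factory=list)

    def set_choice(self, use_case: str, allowed: bool,
                   at: Optional[datetime] = None) -> None:
        if use_case not in CATALOG:
            raise ValueError(f"unknown data use case: {use_case!r}")
        at = at or datetime.now(timezone.utc)
        self.choices[use_case] = allowed
        self.history.append((at.isoformat(), use_case, allowed))


class ConsentDenied(Exception):
    """Raised when a processing activity is attempted without consent."""


def is_allowed(consent: ConsentRecord, use_case: str) -> bool:
    """Fail closed: a use case that was never presented to the user is denied."""
    uc = CATALOG.get(use_case)
    if uc is None:
        return False
    return consent.choices.get(use_case, uc.default_allowed)


def release_fields(consent: ConsentRecord, use_case: str,
                   record: Dict[str, object]) -> Dict[str, object]:
    """Gate on the user's choice, then hand the activity only the fields
    the consent request declared for it (data minimisation)."""
    if not is_allowed(consent, use_case):
        raise ConsentDenied(f"{consent.user_id}: {use_case!r} not permitted")
    return {k: v for k, v in record.items() if k in CATALOG[use_case].fields}


def consent_request_view(consent: ConsentRecord) -> List[Dict[str, object]]:
    """What the user sees: name, current toggle, description, data categories."""
    return [
        {"name": uc.name, "toggle": is_allowed(consent, key),
         "description": uc.description, "fields": sorted(uc.fields)}
        for key, uc in CATALOG.items()
    ]


if __name__ == "__main__":
    # Constructed sample user record (not real data).
    user = {"email": "a@example.com", "behavior": ["/pricing"],
            "ip_address": "203.0.113.7", "location": "CA",
            "card_number": "4111 1111 1111 1111"}
    consent = ConsentRecord("u-1")
    print(release_fields(consent, "Data Sales", user))  # allowed by default (opt-out)
    consent.set_choice("Data Sales", False)             # user clicks "Do Not Sell"
    try:
        release_fields(consent, "Data Sales", user)
    except ConsentDenied as exc:
        print("blocked:", exc)
```

Two design points matter here. First, an activity that is not in the catalog is denied rather than defaulting to allowed, so a new pipeline cannot quietly process data for a purpose the user was never asked about. Second, `release_fields` strips anything outside the declared data categories (the card number never reaches the advertising activity), so the categories shown to the user are the same ones the code enforces.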
Putting it all together, a user sees something like the following:
At the end of the day, your consent management process should be as straightforward as possible for users. They should be able to easily understand two key points:
This emphasis on clarity should not come at the expense of users being able to review the relevant details. To strike this balance, be thorough in the coverage of data use cases while using non-technical terms.
Consent is only valid when it’s informed consent. Similarly, a consent management platform is only effective when it actually implements users’ consent choices into your data operations. If you’re looking for guidance on how to make effective consent management a reality for your team, drop us a line.