Teams need to present consent options to users in terms they can understand, and striking the balance between clarity and thoroughness is key for strong privacy ops. Here’s how your team can get there.
Understanding Informed Consent In Data Privacy
The cornerstone of user consent is that it is informed consent. If a user cannot understand what they are consenting to, the consent ceases to be valid in the eyes of data regulators around the world. In addition to putting your business at risk for significant fines, consent violations undermine the trustworthiness of your brand. As both users and regulators raise their expectations for respectful data practices, teams’ consent processes must be built on informed consent. Therein lies a key challenge for modern data privacy. Teams must present consent options to users in a way that balances thorough detail with understandable terms. If consent options are overly vague, users cannot make informed decisions about their data. On the other hand, technical jargon can overwhelm users and again stand in the way of informed consent.
Consent management is about meeting users where they are at. For evidence of this, just look at last month’s new guidelines in California requiring businesses to cut out unnecessary steps in their consent processes. It can be daunting to strike this balance, but we are here to help. In this article, we walk through an example of an effective consent request.
User Consent Walkthrough And Examples
To showcase effective user consent management, let’s consider a hypothetical company called Cloud Co. Because it has lots of users in California, Cloud Co. needs to comply with the California Consumer Privacy Act (CCPA). Among the CCPA’s requirements is a “Do Not Sell My Personal Information” feature for users to opt out of personal data sales. To request users’ consent, Cloud Co. does the following:
- Provides a straightforward name for this data use case, to clearly indicate that this consent option applies to “Data Sales”
- Offers a basic toggle for controlling consent options of “Yes” and “No”
- Describes this data use case in user-friendly terms
- Identifies the specific fields of personal information collected
Let’s zoom in on each of those. There are key learnings for teams looking to comply with CCPA, GDPR, or any of the growing number of privacy regulations worldwide.
Straightforward Name for Data Use Case
A data use case, called a data processing activity under GDPR, is your team’s business purpose for handling a user’s personal information. A clear name for each data use case helps users understand the reason you seek their consent. Strive for plain names instead of obscure ones; your users will appreciate your transparency. For CCPA compliance, “Data Sales” sums up the data use case for Cloud Co. much more succinctly than “Pixel Tracking For Targeted Third-Party Advertising” does. Both are descriptive, but only the former is suited for Cloud Co.’s everyday users. The latter raises more questions than it answers. Cloud Co.’s other data use cases might have names like “Payment Processing” or “Analytics.”
Basic Toggle for Consent Choices
Unlike the others, this build relies more on graphics than text. But it is a crucial part of users’ privacy experience. Users should see an unambiguous toggle for “Yes” and “No” consent options, with one toggle for each relevant data use case.
The clarity/thoroughness balance is most important in the description, where users will seek additional information without being overwhelmed. Cloud Co. knows that the CCPA defines data sales to include not only selling but also transferring personal information to a third party for monetary purposes. They make this point clear in their description:
Although Cloud Co. does not sell your personal information, from time to time we may use some of your personal information for advertising performance analysis and audience modeling for ongoing advertising, which may be interpreted as Data Sales under the California Consumer Privacy Act (CCPA). You can opt out of this here and we will ensure your data is no longer used for these purposes.
Observe that the description references technical concepts like advertising performance analysis. However, it references them using non-technical terms.
One of the thorniest issues in modern data privacy is the trade-off between understandable consent requests and fully comprehensive consent requests that provide all of the technical details. It’s an issue scholars have debated, and we’ve discussed it, too. In short, we follow the best practice of providing clear descriptions using terms that a non-technical audience can understand.
Specific Fields of Information Collected
Finally, users should get a basic run-down of the kinds of personal information involved in this data use case. Cloud Co.’s “Data Sales” might include fields like e-mail address, behavior (for instance, which pages a user visits), IP address, and location.
Putting it all together, a user sees something like the following:
Implementing Consent Management That Users Understand
At the end of the day, your consent management process should be as straightforward as possible for users. They should be able to easily understand two key points:
- Why you request their consent
- How you would use their data if they consent
This emphasis on clarity, though, should also keep in mind that users should be able to review the relevant details. To strike this balance, be thorough in the coverage of data use cases while using non-technical terms.
Consent is only valid when it’s informed consent. Similarly, a consent management platform is only effective when it actually implements users’ consent choices into your data operations. If you’re looking for guidance on how to make effective consent management a reality for your team, drop us a line.