In the Privacy Soapbox, we give the stage to privacy professionals, guest writers, and opinionated industry members to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.

 


 

Note: This article was originally published on September 14, 2023, on the Yes We Trust blog.

 

I am Thomas Adhumeau, and my journey into the world of data and privacy began in a law firm where I first started my career as an attorney. Later, I transitioned into working for data tech companies. This shift fortuitously aligned with the advent of the General Data Protection Regulation (GDPR), allowing me to cultivate an expertise in privacy in a very complex industry. 

 

Over the last 15 years, I have witnessed significant evolutions in the industry.

 

In this article, I want to explore the current state of consent, define consent fatigue, and present some of the emerging technologies to solve that issue before making the case for a new industry standard.

 

What is consent fatigue, and why is it a thing? 

 

Consent fatigue is a well-documented phenomenon in the European Union that has progressively emerged in recent years, particularly in response to the increasing number of online services and websites that require users to provide consent for various data processing activities. It has become more prominent with the implementation of data protection regulations like the General Data Protection Regulation (GDPR).

 

The GDPR requires organizations to have a lawful basis for processing user data. That basis is more often than not consent, which is collected using “consent banners,” pop-ups that appear on the screen and prompt users to go over the data collection intent from the website they’re browsing and decide whether they accept it or not.

 

Consent banners are an effective means of presenting information to users about data collection practices. However, given the volume of notices on many websites, users sometimes skim or bypass them, treating them more as administrative tasks than as vital information.

This sentiment has been echoed by figures in the regulatory world, including by the Chair of the Federal Trade Commission during the 2022 IAPP Global Privacy Summit:

 

“We need to reassess the frameworks we presently use to assess unlawful conduct. Specifically, I am concerned that present market realities may render the “notice and consent” paradigm outdated and insufficient. Many have noted the ways that this framework seems to fall short, given both the overwhelming nature of privacy policies—and the fact that they may very well be beside the point.

 

When faced with technologies that are increasingly critical for navigating modern life, users often lack a real set of alternatives and cannot reasonably forego using these tools.”

 

- Lina M. Khan, Chair of the Federal Trade Commission (FTC)

 

At Didomi, we are aware of this dissonance between the solutions that are currently available and the debate surrounding the future of Privacy UX. As a Consent Management Platform (CMP) provider, we have access to valuable, proprietary data that allows us to look forward to what the privacy landscape will look like tomorrow.

 

While we recognize the prevalent sentiment, our perspective is that, as of now, there isn't a more meaningful alternative to consent banners when it comes to effectively informing users and gathering their consent and preferences. However, we remain committed to innovation. At Didomi, we are proactively investigating and experimenting with fresh concepts that could significantly enhance the online user journey, ensuring both transparency and user-friendliness.

 

What could be the alternative to consent banners? Let’s look at some of the current innovations in this field. 

 

New technologies are emerging to face consent fatigue

 

We are currently seeing many solutions emerge from all across the tech industry, aiming to face the challenges of consent fatigue and solve the current issues related to consent banners.

 

In-browser solutions, through frameworks such as Global Privacy Control (GPC), offer a way for consumers to set their preferences automatically.

 

In essence, the idea is great: Users can set their preferences related to data collection once in their browser, and the technology does the rest, by communicating these preferences to every single website the person visits. That communication occurs in the backend, and users are thus less exposed to consent banners - while their choices are respected.

In practice, however, it’s not so simple.

 

The lack of standardization makes the idea very impractical. When user choices can reach a high level of complexity, how can we ensure that they are accurately respected and carried over without a clear framework to refer to? 

 

From one website to another and one service to the next, the categories of purposes for data collection, third-party vendors, and the overall set of choices might be vastly different.

 

Then, how can the technology effectively and accurately enforce user choices? Is that consent still valid?

 

Take, for instance, the use of personal data for "analytics" purposes. While one website might label it as "site performance," another could call it "user behavior measurement," and yet another might refer to it as "visitor insights." This disparity in language makes it nearly impossible for technology to consistently and accurately communicate a user's preferences across different websites or apps, further complicating the validity of the consent provided.

 

An industry standard might be the solution.

 

Towards a new industry standard?

 

The Transparency and Consent Framework (TCF) is an initiative established by IAB Europe, designed to assist publishers, technology vendors, agencies, and advertisers in meeting the requirements of the GDPR and ePrivacy Directive when it comes to collecting and processing user data for advertising and related purposes.

 

This piece isn't about debating the merits or shortcomings of the TCF; rather, it aims to highlight the value of its standardized approach to data collection purposes. The primary strength of the TCF lies in its standardization of the consent communication process. Regardless of the website you visit, the purposes for collecting data remain consistent.

 

Now, by leveraging this protocol and coupling it with browser extensions that collect user preferences, a profound shift emerges in how online consent could function. Imagine a digital ecosystem where users, just once, use a browser extension to define their advertising and data-sharing preferences. Given the TCF's standardized purposes for data collection, which are identical across all compliant websites, this singular user action is all that's needed. When users navigate a website, their pre-defined preferences can be instantaneously communicated to the website owner and the associated AdTech vendors.

 

This seamless integration is made possible because of the uniform language of the TCF. The browser extension and the website, irrespective of its nature or content, recognize and understand this language, ensuring a smooth communication of user preferences. Such an arrangement drastically reduces the problem of cookie banners and consent pop-ups users typically encounter. They're spared the repetitive chore of setting their preferences over and over again, as their choices are universally recognized and applied. In essence, the symbiotic relationship between the TCF's standardized approach and browser extensions could revolutionize the user experience, making the internet a place where user choice is not just respected but anticipated.

 

Now, envision a scenario where this methodology is extrapolated beyond just the advertising realm. After all, not every data collection practice revolves around advertising. Imagine if entities could catalog their data practices and then harmonize them through standardization. Institutions like the W3C could potentially oversee and regularly update this effort.

 

However, implementing such a broad standard is undoubtedly a mammoth task, and its feasibility remains questionable. A more immediate solution might be to expand the scope of the TCF to encompass advertisers directly. Here, the case of AdTech giant Criteo, which faced a hefty €40M fine in France, serves as a poignant reminder. Extending the TCF to advertisers wouldn't just be a win for users; it would provide advertisers and AdTech service providers with a clearer framework, ensuring that user consent is consistently and correctly obtained, something that's currently missing from the landscape.

 

While it might seem counterintuitive for me to discuss this given that my company, Didomi, specializes in providing consent banners, let me explain the rationale behind my stance. As of now, unless there's a global initiative, preferably steered by institutions like the W3C, and unless there's a unanimous decision across the board to standardize data collection purposes, cookie banners are here to stay. However, our vision at Didomi isn't just limited to the present. We are actively looking to the future and anticipating shifts in the industry.

 

Our ultimate goal is to advocate for and aid in fostering a better privacy experience for both users and website owners. We are laying down the groundwork for a better, more user-centric version of the internet than we currently know.