Unless you’ve been living under a rock, you will have encountered your fair share of consent banners over the past few years. They are now such a ubiquitous feature of the internet that we tend to barely notice them - they are simply part of the furniture of our digital lives.

 

Since the introduction of the European General Data Protection Regulation (GDPR) and many of its successors, companies have been required to obtain consumer consent to lawfully process their data. 

 

However, people’s overexposure to consent banners online, paired with a lack of sound Privacy UX practices from organizations, has led to the emergence of a phenomenon called “consent fatigue,” with potential implications for consumer rights as well as businesses’ revenue streams.

 

In this article, we explore the reasons behind consent fatigue and assess the evolving regulatory landscape in this area of privacy - before considering potential solutions for organizations and the industry at large. 

 


Why is consent so important?

 

When you visit a website, there’s a lot going on behind the scenes. With many sites either selling a product or service themselves or directly or indirectly linking in with third parties who do, businesses have a lot to gain by tracking visitor engagement. 

 

Understanding how users interact with a site and their broader browsing habits allows businesses to tailor their advertising to their audience to maximize revenue. Most achieve this by placing small data files, or “cookies,” in a user’s browser to gather analytics data.

 

This approach to tracking, while valuable for businesses in understanding user engagement, must be carefully and transparently managed to respect user privacy. It is crucial to empower users with control over their data, ensuring they have a clear understanding of how it's being used and the ability to make informed choices about their privacy.

 

Consent is designed to protect us

Thankfully for consumers, the GDPR (as well as its global counterparts) prevents businesses from gathering, storing, or using personal data without a lawful basis for doing so. Although consent is not technically the only way to satisfy this, other avenues (including legal obligation or legitimate interest) do not generally apply within a marketing or advertising context.

 

As of today, and despite some limitations, consent banners are the best and only way to collect informed consent effectively. They have thus become the default mechanism allowing companies to collect consumer data while staying on the right side of the law. 

 


 

What is consent fatigue, and why does it happen?

 


 

While consent banners are the default approach to privacy, there are growing questions over their efficiency from both the consumer and business perspectives.

 

The problem is twofold: it arises on both the consumer side and the organization side.

 

Consumer side: Overexposure to consent banners

Over the last few years and ever since the advent of the GDPR, European Union users have been repeatedly exposed to consent requests. 

 

While consent banners are designed to empower users with control over their personal data, the frequency of these consent requests can sometimes be overwhelming. This situation, although challenging, is a necessary part of maintaining user privacy and adhering to legal standards. It's a balance between ensuring user autonomy and complying with privacy regulations.

 

There is also a concern about the reduction in mindful decision-making. 

 

With the multiplication and recurrence of consent banners, users might find themselves habitually clicking ‘accept’ without fully engaging with the details. While this response might suggest a certain level of consent fatigue, it's important to remember that these measures are in place to protect user privacy. 

 

Consent banners are the best tools we currently have to ensure transparency and control in the digital realm.

 

Organization side: Poor Privacy UX practices 

The responsibility lies with organizations, which must implement exemplary Privacy UX practices to communicate transparently with their users.

 

Privacy UX is a subset of User Experience focused on building privacy-first experiences that create lasting relationships between brands and their users and, in turn, generate revenue for organizations.

 

[Figure: a chart with two axes, “Degree of compliance with data privacy laws” and “Positive user experience”. The bottom-left corner is labeled “No data protection strategy”. The top-left corner, which represents a high degree of compliance but poor user experience, is labeled “Data privacy only”. Its opposite, at the bottom right, is labeled “Ignore privacy in the UX”. The top-right corner is labeled “Unify Privacy UX with data privacy compliance”. An arrow annotated “Business opportunity” runs through the chart from the bottom-left corner to the right corner, representing the fact that businesses benefit from both UX and compliance.]

 

One of the focuses of Privacy UX has long been dark patterns, deceitful design elements that seek to manipulate users into making uninformed choices. 

 

Despite increased scrutiny, these often illegal UX practices are still commonplace online, negatively impacting user perception and reinforcing negative bias towards consent collection mechanisms. At the start of 2023, the European Commission reported that almost half of major online shops operating in the EU used manipulative tactics to maximize data yields.

 

These two issues - overexposure and poor Privacy UX - are the root causes of consent fatigue. But what are some of the changes and industry initiatives that could help get past it?

 

Looking into the future: What is the future of consent fatigue?

 

While it is clear that global lawmakers are aware of the problem and are moving towards tighter regulation, the privacy community remains far from clear on the answer to consent fatigue. With data protection academics and industry stakeholders all offering a wide range of perspectives on the matter, four general approaches to the problem emerge.

 

1) Tightening the net

The first (and most obvious) solution to consent fatigue is the one outlined by regulators - simply filling in the gray zones with more granular legislation.

 

With a precedent set by the updated CPRA, we are already taking steps toward developing laws that reflect the realities of modern threats to consumer choice and autonomy.

 

However, there are problems with this approach. To be effective, these laws must consider the realities of unconscious bias and the power of UX and AI to manipulate our choices. Unfortunately, many feel that this is like building a house on sand. A Pennsylvania study argues that informed consent at scale has become a myth that is “beyond repair—and could even be harmful to individuals and society.”  

 

It also remains to be seen whether upcoming legislation will be robust enough to rein in the tech industry, which is already pushing back. In June this year, the European Commission received an open letter from over 150 key commercial stakeholders warning against the anti-competitive and anti-innovation impact of the proposed AI Act.

 

Striking the right balance between consumer and commercial rights will be key to the success or otherwise of new legal frameworks.

 

2) A softer approach

Some argue that, given the inherent complexity of the task at hand, the consent model itself is irreversibly broken and that education is the only real answer to consent fatigue. 

 

Proceeding on the basis that it is unrealistic to expect any meaningful level of agency or understanding from a pop-up, a front-end approach would presumably aim to instill clearer knowledge in the population about how companies use their data - with an emphasis on the consequences of getting it wrong. 

 

This could come from public service messaging connecting consent behavior with the rise of spam calls and emails. However, with the rise of sophisticated AI tools, this is extremely unlikely to be effective against techniques that are almost impossible to spot online.

 

3) Browser-based solutions

One of the most realistic options on the table is that of shifting towards browser-based, “one-stop-shop” solutions to consent.

 

The most recent European Commission discussion paper asks, “Can certain alternatives to tracking-based advertising models be chosen by consumers as a default option not requiring giving consent each time a new website is visited (or revisited), for example, in choosing settings on their browsers or by using some automated solution?”

 

While the idea is great in theory, it quickly becomes tricky in practice. Our Chief Privacy Officer, Thomas Adhumeau, explained the challenges of this approach in an opinion piece titled “Cookies, consent fatigue, and industry standards: What's next in privacy for the AdTech industry?”:

 

The lack of standardization makes the idea very impractical: When user choices can reach a high level of complexity, how can we ensure that they are accurately respected and carried over without a clear framework to refer to? 

- Thomas Adhumeau, Chief Privacy Officer at Didomi (Source: Yes We Trust)

 

In the article, the CPO mentions the challenges associated with the idea, from carrying consent from one website or service to the next to maintaining valid, informed consent. However, he uses it to introduce the idea of a potential framework to address the issue.

 

4) A new industry framework

One possible development to address consent fatigue could be the emergence of a new framework to standardize consent choices online. It would follow in the footsteps of the Transparency and Consent Framework (TCF), the IAB Europe initiative that has assisted publishers, technology vendors, agencies, and advertisers in meeting the requirements of the GDPR and ePrivacy Directive.

 

This is the idea brought up by our CPO, Thomas Adhumeau:

 

“Imagine a digital ecosystem where users, just once, use a browser extension to define their advertising and data-sharing preferences. (...) The browser extension and the website, irrespective of its nature or content, recognize and understand this language, ensuring a smooth communication of user preferences. 


Such an arrangement drastically reduces the problem of cookie banners and consent pop-ups users typically encounter. They're spared the repetitive chore of setting their preferences over and over again, as their choices are universally recognized and applied.”

- Thomas Adhumeau, Chief Privacy Officer at Didomi (Source: Yes We Trust)

 

While enticing, such a project would require massive adoption throughout the data privacy and advertising industry, with the support of major organizations and institutions.

 


 

What can organizations do today to reduce consent fatigue?

 

The problems facing the consent model are not unique to the world of privacy. They reflect a wider shift in the capacity of technology to influence human behavior - something that lawmakers face an uphill struggle to contain. Unless future approaches to consent can truly take human psychology into account, consumers, businesses, and regulators alike will continue to grapple with the consequences. 

 

To combat consent fatigue, companies need to take a sustainable approach that goes as far as possible to respect their customers' privacy preferences. While it is still possible to take advantage of regulatory gray zones - for now - it is likely that those taking a bare minimum approach will suffer in the long term as they risk losing customer trust for good. 

 

With that in mind, earlier this year Didomi introduced Global Privacy UX Solutions, its updated product offering, which consists of 3 core use cases to help organizations build great experiences:

 

  • Multi-regulation consent management, to manage consent for privacy regulations around the world, streamlined across multiple user touchpoints.
  • Privacy governance, to monitor vendor and tracker activity across hundreds of websites, effortlessly and automatically staying compliant and reducing risk.
  • User privacy journeys, to reach out to customers beyond cookies, with the flexibility to compliantly manage user choices and requests at all stages of their journey.

 

These use cases are supercharged by integrations and connectors, security and access management, and premium services to ensure organizations have all the tools they need to build great experiences that serve their audience and build relationships based on trust.

 
