Ramat Gan - Israel

+972 (03) 790-1700

London - United Kingdom

+44 20 8089 7891

Paris - France

+33 7 55 54 86 87

Istanbul - Turkey

+90 212 401 29 92

Meaningful consent – part 2: Dark patterns, and consent string best practices

Ryan Rakover, November 17, 2021


Privacy publisher takeaways 

  • Be aware of the data laws that relate to your country and business regions of operation (consult with legal counsel)
  • Offer your users the correct consent options, protections, and awareness.
  • Make sure your privacy page is up-to-date
meaningful consent, user, consent options, notice, cookie form

Recap

This is part 2 of a two-part piece examining meaningful consent and its importance in the industry today. In the first part, I discussed what meaningful consent is, how it can be requested and given, and what it means to put the user first. With this foundation in place, Part 2 will discuss why meaningful consent is so important and how you can offer meaningful consent to your users.

The foundation of Data Privacy (GDPR, CCPA, CPA, VPA, etc) is established between domains and users –  through clear meaningful user consent for all data collection. Through this transparency, and in time, greater standardization can help clarify publishers’ offerings to users in clear actionable terms. Time and time again we see examples of cookie toasts that are using methods to have the user not consider the choices that are being made.  The IAB has promoted the successful adoption of the IAB Tech Lab, TCF for greater transparency and accountability in the industry. Recently the  IAB has suggested that the current marketplace of CMPs is potentially being used to obtain consent rather than managing meaningful consent.  

Dark patterns

The use of dark patterns is a method in which a user is manipulated into doing things they did not intend to do. User behavior has been conditioned through policy update notifications and the like that have moved the user into a muscle memory reaction response. The use of dark patterns to obtain consent is common to see in the marketplace with user choice being manipulated. 

Predictive patterns, pre-ticked/selected options, or preferences are all forms of suggesting to the user that is in violation of GDPR. GDPR requires user consent to be freely given, specific, informed, unambiguous, and given through a clear action.  A meaningful consent experience should deliver user understanding while preventing information overload.

website cookies, GDPR, consent, cookie, consent string, dark patterns

The second area of focus from the IAB has been from complaints that have been received regarding another side of consent, “the consent string”. The consent string receives information regarding which providers have received the user consent and for what purpose they are allowed to use the user’s data. This point in the chain is seen to have a high vulnerability for manipulation by data traders and it is not uncommon that when observed by ad fraud investigators user choices don’t match up to actual ad tech activity.

This violation of user rights is under focus now as a growing number of complaints have been filed. The detection of this misuse is possible because of the IAB standard TCF standard framework for encoding and passing user consent. We are seeing that options and choices for users have to first be in place, but then they must be tracked, monitored and violators of data trust will face enforcement.  

The patchwork road in the US to data privacy continues with the state of Colorado passing; The Colorado Privacy Act or the CPA. It is the first statute to explicitly prohibit obtaining consumer consent through the use of dark patterns. Massachusetts has recently proposed a new data law. Massachusetts has chosen to focus not just on the process on which consent is given but also what they refer to as the “duty of care”.

This added level will provide clear duties that include: confidentiality, care, and loyalty on bigger businesses that collect and use data. The bill also highlights the need to empower the Massachusetts Information Privacy Commission (MIPA) with the authority to investigate and enforce privacy statutes.  As the US continues with the state by state strategy to data privacy rights and laws that will one day be joined with a Federal law ensuring that consent is not obtained but meaningful given, as well as the “duty of care: that represents more responsibility and transparency. Both bills bring added value and promote clear user awareness, choice, protection. 

US law, GDPR, consent, cookie, consent string

The feud between Facebook and Apple

As the industry continues to explore different ways to prioritize user awareness, rights, and enforcement there is a need for clear standardization. The current state of data awareness on a user level is growing and standards can help ensure that the right message and choices are reaching everyone. However, in order to protect the ecosystem, careful audits of the user consent processes must be put into place as they are the only way to ensure users’ rights and publishers’ responsibilities are clearly defined and enforceable. 

The current feud between Facebook and Apple continues to highlight this discussion of user choice and its effects. Facebook continues to push the view that Apple, allowing for user choice(s), has negatively affected the digital ad business. Apple’s App Tracking Transparency update has been met with mixed reviews, after all for most users it was the Apple updates that made us numb to the process of giving consent. However, user choices should not be feared, hidden, or pressured but instead be upfront and dependable.

The feud between Facebook and Apple, GDPR, consent, cookie

References

IAB Europe suspends consent management firms as global privacy authorities signal tougher action, Digiday.com

Roundtable of G7 data protection and privacy authorities, G7 communiqué, ICO.org.uk 

It’s all about the first impression. How the CMP UI should look in TCF v2.0., iabeurope.eu

Ad trackers continue to collect Europeans’ data without consent under the GDPR, say ad data detectives, Digiday.com 

IAB Europe suspends consent management firms as global privacy authorities signal tougher action, Digiday.com 

The rise of dark web design: how sites manipulate you into clicking, theconversation.com

Is data privacy a thing of the past in a digital world?, weforum.org 

United States: Data Privacy’s Patchwork Expands, mondaq.com

EDPB Establishes Cookie Banner Taskforce, Which Will Also Look Into Dark Patterns and Deceptive Designs, the National Law Review

Facebook Says Apple’s Privacy Changes Hurt Digital Ad Measurement, WSJ.com 

Massachusetts has a chance to clean up our national privacy disaster, bostonglobe.com