---

blog: Don Marti

---

Consent UX, €50 million mistakes, and new approaches

21 January 2019

In the news: The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC.

Phil Lee writes,

The complaints criticised Google for requiring users to “agree” to its privacy policy in order to use its services. While asking users to “agree” to a privacy policy is still common practice for many companies, privacy notices are too long and too complex to be something that users can realistically understand and “agree” to. Under GDPR consent needs to be freely given and specific, and must not be bundled - the user must be able to freely consent to specific activities on a case-by-case basis, e.g. consent to receive e-mails, or consent to use of their photograph within a promotional brochure etc. Privacy notices are still needed for transparency of course - but they should serve as just that: informational notices, not catch-all consent-gathering documents.

And from Thomas Baekdal on Twitter:

European regulators are paying attention to consent mangement UX, and the current approach, which is basically just click OK to make this annoying dialog go away (and consent to use of your data by 70 companies you've never heard of), is looking less and less likely to work.

Fortunately for reputable publishers, the regulatory pressure to clean up consent UX is likely to be a good thing for trusted sites. So this is great time to release the Global Consent Manager User Study. Global Consent Manager is a new approach to consent UX, made possible by IAB Europe's Transparency and Consent Framework.

The Framework standardises the presentation to users’ third-party data processing requests that require “informed” consent for data processing. The Framework enables “signaling” of user choice across the advertising supply chain. It is open-source, not-for-profit with consensus-based industry governance led by IAB Europe with significant support from industry parties and the IAB Tech Lab, which provides technical management of the open-source specifications and version control.

I'm a big supporter of the Transparency and Consent Framework, if you use it right. Consent UX is full of €50 million mistakes—but the consent data approach of the Transparency and Consent Framework can still be good if you put a decent UX on it. That's what Global Consent Manager aims to do.

Global Consent Manager applies the the same incremental approach that social and collaboration sites, such as LinkedIn and GitHub, use. LinkedIn doesn't ask you to build a complete profile and work history before you can use the site. Instead, you get to make an account and then get prompted to add more of your info as you use it. Global Consent Manager borrowed that idea, in a basic form. Instead of asking for consent for everybody to use your data everywhere before you even read the article, with Global Consent Manager you start off in a no consent state. A consent string with no consent is a valid consent string, and Global Consent Manager will auto-generate one for you on your first visit to a supported site.

Later, if you show that you're interested in the site, the site can ask for more consent. This approach gives a sustainable advantage to sites that users choose to trust, and limits the ability of sites whose traffic comes from deceptively obtained clicks to run saleable ads.

Results from the user research tend to indicate that users spend significantly more time on a news task when they get the Global Consent Manager experience, compared to the click OK to consent to everything default.

The standardization work for consent data, now being done at the Transparency and Consent Framework, really pays off if you put a sensible (more LinkedIn-like) UX on it.

Our next step is to extend server-side consent and data management, with a view to facilitating the needed data collection for publishers trusted by users to run high-value ads, without enabling data practices that fail to comply with regulations or with user norms. Please let me know if you're interested in participating or reviewing future data.