In this post, we explore why informed consent is so critical to addressing personal privacy. We also cover how to use it to drive more responsible marketing practices.

Even though it’s been nearly six years since California and the European Union (EU) enacted sweeping data privacy laws, many marketers still don’t understand what these laws could mean to them or the risks they face for noncompliance. Common questions we hear include:

• Do I have to use a privacy pop-up on my website?
• Can’t I just add event attendees to my email marketing list? 
• Should I purchase customer data from a broker to increase my reach?
• They’re already on our newsletter list. Can’t we use their data however we want?

Many of these questions revolve around a concept known as informed consent. Below, we’ll explore why informed consent is so important and how it can help you take a more ethical and responsible approach to managing personal data within your organization. 

What is Informed Consent?

For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent anytime. The withdrawal must be as easy as giving consent.

— GDPR Info, Consent

Informed consent is commonly used in privacy-focused industries, like research and healthcare. It is also an important driver for legislation to help organizations respect data privacy and ownership and address spam in digital marketing and communications. 

The practice impacts many digital marketing practices beyond obvious components like website forms. This even includes how you use fonts.

Informed consent is typically driven by two primary functions:

1. Clearly explaining how you will use a potential subject’s data.
2. Obtaining explicit, unambiguous, and specific consent from the subject whose data you wish to use. 

Digital marketers must provide specific information before collecting any personal data through online campaigns or via your website, including:

• How, specifically, you will use the data requested.
• Clearly stating potential risks and benefits to data subjects when providing consent.
• Explaining alternatives if someone doesn’t want to provide consent.

Also, it is worth mentioning that informed consent is only one of several important components of data privacy. For GDPR, the EU’s privacy regulation, the other five include:

1. Processing personal data is necessary to satisfy a contract to which the data subject is a party.
2. You need to process the data to comply with a legal obligation.
3. You need to process the data to save somebody’s life.
4. Processing is necessary to perform a task in the public interest or to carry out some official function.
5. You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.

Informed Consent Fines

Unfortunately, some organizations learn about informed consent the hard way. For example, Google was fined €50 million by France for breaching GDPR because their version of obtaining consent was neither informed nor unambiguous and specific. Unsurprisingly, even larger lawsuits have been brought against Facebook and other social media platforms as well. 

Even if you’re not a large tech company, privacy legislation still applies to you. These regulations are meant to provide clear guidance for organizations to follow. However, given its rapidly changing nature, data privacy—and, by default, informed consent—is also a moving target.

Data Privacy Legislation is Always Evolving

As noted above, these laws have a significant impact on U.S.-based organizations. Plus, IAPP’s privacy legislation tracker notes that 13 U.S. states have already enacted privacy laws with another 20 running active bills through the legislative process. Based on this, and several U.S. privacy law campaigns, Federal regulations could be right around the corner. 

What’s more, many of the tools marketers use now include data privacy features such as consent settings to comply with changing legislation. For example, Google Analytics 4 (GA4), which is used by millions of websites, recently updated its consent features. This changes the types of data you’re able to collect—observed versus modeled behavior, for example. 

Data Collection Practices That Put Marketers at Risk

A dominant web business model today is to amass as much data on individuals as possible and then use it or sell it — to target or persuade, reward or penalize. The internet has become a surveillance economy…“informed consent” — the principle companies use as permission to operate in this economy — is something of a charade. Most consumers are either unaware of the personal information they share online or, quite understandably, unable to determine the cost of sharing it — if not both.

— Harvard Business Review, Uninformed Consent

Staying up-to-date on always changing privacy criteria is time-consuming. Plus, web marketing ecosystems include many players—content creators, UX designers, web developers, project managers, search marketing professionals, IT teams, freelancers, agencies, and many others. Not all of these people are well-versed in data privacy practices.

Given all this, some tactics that could put your digital products or services at risk include:

• Not offering options to reject non-essential cookies when a person first lands on a site.
• Auto-adding email addresses and other personal data to marketing lists, or worse, selling those lists to data brokers.
• Using third party trackers to follow site visitors around the web without their consent.
• Not offering alternatives if a site or campaign visitor decides to deny consent.
• Pre-checked “opt-in” buttons on website forms (this doesn’t imply consent, according to privacy regulations). 
• Not removing user data when requested to do so.

To reduce risk and adopt a more sustainable approach to data that includes team training and good digital governance, consider the steps below. 

Informed Consent and Privacy by Design

Given all this, how do we strike a good balance between providing site visitors with what they need to make informed choices and an always increasing amount of nuanced information related to personal privacy?

The Privacy by Design framework enables designers and digital marketers to anticipate and prevent privacy issues as part of the design process while providing recommendations to manage these issues over time. In other words, privacy becomes a core function of a digital product or service, not an add-on.

With that in mind, use the steps below to consider informed consent when designing and managing websites and marketing campaigns.

1. Bind Consent to Purpose

First, be sure to clearly state how you intend to use requested data. In order for people to provide informed consent, your purpose for data collection must be unambiguous and specific.

• Defining purpose: Explain why you’re asking for personal data as specifically as you can in as few words as possible. Include links to privacy or cookie policies for those who want more information. 
• One consent, one purpose: Next, be explicit about the purpose for each data collection instance. In other words, if you’re asking for personal data to use in tech or customer support or to complete a transaction, don’t automatically add user data to your newsletter subscription list as well. Make these separate asks.

2. Clearly Explain Scope and Options

Next, describe how you intend to use collected data and what the alternatives to providing consent might be. For example: 

• Opt-in, not opt-out: Always let site visitors choose specifically whether or not to provide consent. This means don’t precheck form or subscription boxes.
• Information overload: Make pop-up menus clear and easy to understand. Don’t overload users with lots of irrelevant information they’re not likely to read.
• Offer alternatives: If a user decides not to provide consent, what options do they have to continue? 

Data subjects need must clearly understand your requests in order to provide informed consent. Make sure the scope of your data collection is explained in plain language and readily available, not something people need to search for or use a lawyer to translate. 

3. Describe Risks and Benefits

Clearly state the potential risks a subject takes or the benefits received when they provide informed consent. 

• Risks: Describe in detail the methods you employ to protect collected data and clearly explain what happens in the event of a data breach. 
• Benefits: Similarly, list out specific benefits to providing consent. Will they receive exclusive access or offers? If so, let them know. Conversely, don’t penalize visitors who choose not to provide consent. 

4. Data Lifecycle & Withdrawal

Finally, be sure to prioritize privacy throughout the entire data life cycle based on informed consent you have received. 

• Right-to-be-forgotten: When users request that you delete their personal data, accommodate them as quickly as possible. If this can be automated in near-real time, even better.
• Product retirement: If your product or service is at end-of-life, be sure to clearly explain what happens to user data. Do you have a data disposal strategy? If so, let users know.

Informed Consent Improves Data Privacy for Everyone

We’re the first to admit that the changing legislative data privacy landscape is often confusing. Plus, organizations regularly mislead site visitors with vague and sometimes problematic privacy features. The long-term solution to these problems is to enact privacy legislation based on web standards that incorporates consent across products and services and continues to hold companies accountable.

In the meantime, we can design better consent experiences that are specific, explicit, and unambiguous. This builds trust with the people who use your website or digital product. Make it a core part of a larger, more inclusive and equitable user experience strategy.

Finally, the data privacy suggestions outlined in this post should not be construed as legal advice. If you need legal assistance, please consult a lawyer. Have other questions? Please reach out.