It feels strange to be writing about consent in 2020, not least because the General Data Protection Regulation (GDPR) just celebrated its second birthday (over a Zoom call most likely) and America introduced the California Consumer Privacy Act (CCPA) last year. But there is still a large amount of debate around what “strictly necessary” means, whether this applies to analytics as well as marketing, and several other bones of contention.
So, here are my views on some of the main considerations if you’re reviewing your approach to consent, and what you can do to make the most of your data in a post-consent world.
Are analytics cookies strictly necessary?
Let’s start by addressing the elephant in the room: do I need consent for analytics, or is this just an advertising thing?
Sadly, I’m not a lawyer, and I don’t know which legislation applies to you, so I can’t provide a neat answer to this one. But let’s be honest with ourselves, the answer is almost certainly “yes, you need consent”.
I’ve read both the GDPR and the clarification the UK Information Commissioner’s Office (ICO) issued in 2019, and it’s my opinion that explicit consent will be required for analytics in the vast majority of cases.
While I haven’t researched other legislation, such as the CCPA, in as much detail, there are sufficient similarities for me to believe this interpretation is likely to be true beyond Europe as well.
There will, however, be some legitimate arguments for tracking without explicit consent. For instance, fraud detection would be useless if we required the consent of the fraudster to detect them. But these are relatively niche and not applicable to most of us.
It’s also important to remember that, if using such an argument, the data must be clearly and provably protected from other business uses, such as marketing. So, this is not a way to “game the system”.
What should I expect to happen if analytics goes opt-in?
Unfortunately, it’s a fact of life that most people do not read consent requests, no matter how important. Just ask the 22,000 people who unwittingly agreed to clean Manchester’s public toilets when accessing a public Wi-Fi hotspot.
Don’t panic just yet, though! There are a number of factors that influence the impact you see on your site and the ICO’s consent request was a very soft touch. While you can’t control how privacy-sensitive your users are, you can ensure your consent design is on point, and you have a clear value proposition to give them.
What should I do next?
1. Test variants of your consent management messaging
Even if you remove interpretations of consent requirements from the equation, there is an enormous amount of variety of consent management design. Some provide simple banners, such as ours on the Builtvisible website (pictured below), while others take a more aggressive stance, even going so far as a full-page splash.
The more aggressive you go, the more engagement you will get with your consent management tool. But this will come at the cost of losing some users, and therefore business, through frustration.
It’s a fine balancing act but one well worth experimenting with. Some good old-fashioned split testing would be ideal if you can get the go-ahead from your data protection team. Otherwise, try to iterate over a few months rather than settling for the first one you get the green light on.
2. Define the value of your data and make a policy
Remember: the data you’re looking to collect has value, your users are demanding something in return for it.
Think about what value the data you want to collect has to your business, and then work out what you’d be willing to pay for it – either literally, through promotions or pricing, or figuratively, through content or other exclusives.
A great example of this is from the Washington Post. As with many news outlets, a good proportion of their revenues are derived from advertising and targeted advertising pays more. So, they worked out the value of that advertising and added an additional subscription layer for those wanting to read without consenting to tracking.
This is the most transparent and direct pitch for consent I’ve seen. It’s really compelling and I actually really like it from consumer-perspective as well as a professional one.
3. Ensure accuracy of your remaining data
Accurate and consistent data is critical to ensuring you get genuine, value-adding insight – garbage in, garbage out. While this isn’t going to come as news to anyone (I hope!), it’s still a challenge we all face, and inaccuracies will have a much bigger impact on a smaller data set.
Take the time to thoroughly audit your set up, from account settings through to tag management (or hardcoded tags if you’re still old school), and create a proper project plan for fixing any issues you find.
Not sure where to start or what to look for? Get some advice – we’d love to hear from you.
4. Enrich your data by integrating platforms
Don’t mourn the data you’ve lost; make the most of the data you still have. By integrating your different data platforms, you’ll give yourself the richest set of data to work with and maximise the insights you find.
This is something that has been a priority to analysts long before the GDPR was even thought of, but it takes on greater importance in the context of lower web data volumes.
With the relatively recent explosion of inexpensive cloud data solutions, we’ve never been better placed to make real progress in this area. Make sure you’re collecting some common keys in your various data sets, build a data warehouse in BigQuery (or your cloud tool of choice) and let the fun begin!
It may feel like the topic of consent is a tricky one, but there’s a simple rule to help us: if in doubt, get consent.
Once we’ve accepted the inevitable data loss and settled our nerves, we can turn our attentions to what’s really important: using the remaining data as best we can to drive real value for the businesses we work for.