We Implemented Consent. Did We Do It Ethically?

Summary

Fresh out of implementing consent on a high-value, high-traffic consumer-facing website, the author reflects on some subtle choices conveniently made in favor of having more data vs. "erring" on the side of visitor privacy.

Introduction

As the cheers subside at the office and we stop patting each other on the back for finally implementing a full opt-out consent module, there's a little voice in my head that whispers, "But did we really, though?"

I know where this voice comes from. In the final flurry of Tag Manager changes, we made some calls which, from the viewpoint of an innocent visitor, can certainly be called questionable.

Some background: Our marketing site is multi-country and is the global public face of our company. For US properties, the default mode is full tracking opt-in with the ability to selectively opt out of 3 separate "tracking cookie" categories from the "Manage My Cookies" option:

California residents get some additional print to comply with the California Consumer Privacy Act of 2018, and have the option to specify they don't want their information shared with advertisers.

For most other properties, largely due to GDPR, the default is opted-out on first landing, with a prompt that does a pretty good job of not leaning heavily on the "Accept Cookies" button:

This all looks pretty boilerplate, right? So where is the little voice coming from?

The Problem

Well, the trouble begins with what happens under the hood when a new tracked user (let's say, an American named Bob) decides to opt out.

Typically, at that point Bob has already landed on our site and any traffic source data such as campaign parameters has already made its way to our primary analytics platform along with the standard set of rich metadata associated with their first ever pageview.

In some limited scenarios, Bob may have already performed a number of interactions—travelled deeper into the site, even completed forms and other conversions before deciding to address the annoying (but not blocking) consent banner.

So, when Bob finally gets around to it and tells us that he does not, in fact, wish to be tracked in any way, do we throw away all that good data and potential insight we gathered from the moment he first landed?

We do not.

We know just how valuable this information is (and honestly, how difficult it would be to erase from multiple vendors we already sent it to). So we keep it, assuming conveniently that in the mind of the user it would be very clear that "Reject Cookies" means their unobserved activities began from the moment they opted out.

Remember this assumption—we'll come back to it in a moment.

The Upside Down

Now, what happens when a user lands on a regional property where they are not being tracked by default?

Like our US user Bob, Alice in the UK is greeted by a non-obstructive consent banner but she is not blocked from taking further action into the website. She can go on to do any number of things, with the difference being that all of our tracking starts out muted.

From the point of view of our dozen Analytics and MarTech tools, Alice is invisible and nothing at all is happening. Only the server logs presumably know that certain site assets are being loaded by a certain IP, but (let's say) we stick to our code of honor and we don't do anything with that data that even remotely resembles customer profiling.

Eventually, Alice is tired of seeing the banner and she decides she doesn't mind being tracked. Maybe she understands it's "no big deal" and may actually help her find content relevant to her needs faster. Or maybe she's accustomed to this sort of thing and knows resistance is futile. Whatever the reason, Alice clicks on "Accept Cookies."

Now, do we assume that her consent begins from the moment she accepted?

We do not!

Again, we understand just how precious the first few hits from a brand new visitor are. We know that if we ignore those for practically everyone new who visits our UK property, marketers would not be able to evaluate ROI on hundreds of thousands of dollars in ad campaign spends. We have nightmares about our Traffic Source analytics becoming a ghost town full of tumbleweeds that the new highway doesn't pass through.

So, even though it could be a tricky business, we go the extra mile and we retroactively fire the beacons associated with actions that our unsuspecting new visitor performed prior to consenting to be tracked.

And we tell ourselves that, clearly, Alice meant to consent from the moment we first caught a glimpse of her on our website.

The Ethics

Yes, it's time to wade into the weeds.

On the one hand, one could easily make the case that entering a company's website is akin to entering a brick-and-mortar store in which there are security cameras installed. For decades, vendors like Walmart have displayed signs telling their customers they are being recorded, without getting into any detail about how they use this information. Hint: it's not just for security.

So, perhaps the user entering our website implicitly consents to us observing them at least in some basic form. Consent banner or not, they should understand on some level that their actions leave a trace in the same way as their physical presence at a physical store does. And with that understanding, maybe we have enough leeway in how to define the moment tracking with consent begins.

But that answer is way too easy, isn't it?

Because unlike physical presence, Internet visits happen in a setting that, from the point of view of the end user, can be very private. And that's what caused this whole stir in the industry over a decade ago...

So what if we didn't feel we have leeway to make decisions that favor more visibility for us and less privacy for Bob, Alice, and the rest of the faceless masses that wish to remain faceless?

Conclusion

Let's say we just want to do better. From that viewpoint, a somewhat elegant answer could be that we need to provide more details about what exactly the user consents to when they do, and what exactly will happen if they decide to opt out.

In the following looong-winded block of text from another website, there is still zero mention of what happens to data already collected and to data sitting in the memory of the user's browser in the eventuality that they will consent. But at least it's a step in the right direction, and it explains to laypeople what all these "cookies" actually do, for us and for them:

Is it enough to just do better?

Probably not. Burying the devil in openly shared details inside huge chunks of geeky prose we know very few people will actually read is not good enough to silence the little voice I hear. But it strikes me as much more honest than always assuming conveniently (and quietly) in our favor. Gotta start somewhere, I suppose.

And maybe, if enough of the key players join this conversation, eventually consumer awareness will get to a point where we don't have to bury Bob and Alice and everyone else in long and tedious explanations of assumptions because we will all have, together, arrived at a broad consensus about the exact shape of this particular consent relationship.