Guy Tytunovich, founder and CEO at CHEQ, is a leader in go-to-market security.
Website owners were in trouble after the introduction of the GDPR and the privacy laws that followed it around the world. Businesses struggled to understand the new regulations, which imposed complex legal requirements on data collection and processing. Site owners turned to outsourced tools to manage cookie consent and compliance. These tools often fail to deliver compliance, either because they are poorly configured or because they lack the technical ability to enforce privacy preferences. The result is known as the compliance gap: a significant difference between a business's perceived privacy compliance and its actual compliance. Many businesses have installed consent tools on their websites and yet are not compliant with leading privacy laws. This creates a false sense of privacy for users and leaves businesses less secure than they believe.
This status quo has been tolerated for years: businesses were not compliant with the law, but the law was not being enforced either. With increasing enforcement and penalties under laws such as the GDPR and the CCPA, it is important for businesses to take stock of their consent management processes, if not for user privacy then for their own wallets. Let's look at some common mistakes that expose businesses to non-compliance risk.
Poor Configurations, Opt-Outs and Implied Consent
The GDPR sets out several legal bases for processing user data, and consent is the most important of them. The consent banner exists because of this requirement. Businesses have often misunderstood the consent requirements under the GDPR, and the requirements have also been misinterpreted by sellers of cookie consent tools. Consent is given on an "opt-in" basis. It must be clear, unambiguous, and freely given. This means that the user must be informed about what they are consenting to and must be able to opt in to, or out of, data processing without coercion.
You don't need to look very far to find consent banners that do not meet these requirements. They may offer pre-checked consent boxes, or make opting out much more difficult than opting in to tracking. Many banners operate on the principle of implied consent, where the user's permission is never explicitly granted: a user who closes the cookie banner or quickly navigates away is treated as having consented without ever giving permission. This is a clear violation of GDPR guidelines, and regulators have issued numerous warnings and guidelines on the matter.
Users typically click quickly through any form or banner presented to them on the path to the content they want. There is a temptation to exploit this behavior to keep valuable tracking running. However, the law is clear: these so-called "dark patterns" are non-compliant and erode user trust. Nobody likes to feel coerced or tricked.
Regulators are paying attention. Noyb, an internet watchdog, has filed hundreds of complaints against noncompliant consent management platforms. As a result, CMP providers are being investigated.
Technical Compliance Gap: Preference Enforcement is Required
Although misleading consent banners are detrimental to user privacy and trust, they can be corrected. A deeper problem is that many consent banners do not actually control the tracking happening on the site.
In order to comply with laws such as the GDPR or PIPL, consent preferences must be maintained and enforced after the consent decision has been made. If a user chooses not to be tracked, then no tracking cookies may be set, first- or third-party. The same applies to any tracking that occurs before the user has opted in.
Vice reports that 32.5% of websites surveyed gathered user data before users had made any decision on the matter.
CMPs do not themselves control the tags or cookies used on a website. They rely on a number of APIs to ensure that users' privacy settings are respected, so real-time enforcement is difficult and often uncertain. To ensure compliance, businesses must unilaterally block cookies from firing until consent has been granted.
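The two failure modes above, implied consent and tags firing before a decision, can be made concrete in code. The following is an added example, not code from the article or from CHEQ: an opt-in-only consent model, a tag gate that enforces it, and an audit that flags cookies observed before any decision. The category names, cookie inventory and sample capture are constructed for illustration.

```javascript
// Added example, not the article's or CHEQ's code: opt-in-only consent model,
// tag gate and pre-consent cookie audit. Names and sample capture are constructed.

// Before any decision every optional category is denied: no implied consent.
function initialConsent() {
  return { decided: false, necessary: true, analytics: false, marketing: false };
}

// Only an explicit accept/reject/save changes state; closing the banner,
// scrolling or navigating away leaves it untouched (the "implied consent" trap).
function applyBannerEvent(state, event) {
  const choices = event.choices || [];
  switch (event.type) {
    case "accept_all":
      return { ...state, decided: true, analytics: true, marketing: true };
    case "reject_all":
      return { ...state, decided: true, analytics: false, marketing: false };
    case "save_choices": // only categories the user actively ticked are granted
      return { ...state, decided: true, analytics: choices.includes("analytics"),
               marketing: choices.includes("marketing") };
    default: // "close", "scroll", "navigate", ...
      return state;
  }
}

// Tag gate: a tag loads only if its category is granted, so an undecided
// user gets "necessary" tags only.
function gateTags(tags, consent) {
  return tags.filter((tag) => consent[tag.category] === true);
}

// Constructed cookie inventory; a real site would maintain its own.
const NECESSARY = new Set(["sessionid", "csrftoken", "consent_state"]);
function cookieCategory(name) {
  if (NECESSARY.has(name)) return "necessary";
  if (/^_g(a|id)$/.test(name)) return "analytics";
  if (/^(_fbp|_gcl_au)$/.test(name)) return "marketing";
  return "unknown";
}

// Audit cookies captured before any decision: anything not strictly necessary
// is a pre-consent violation, first- or third-party alike.
function auditPreConsent(observedCookies) {
  return observedCookies
    .map((c) => ({ ...c, category: cookieCategory(c.name) }))
    .filter((c) => c.category !== "necessary");
}

// Constructed capture of cookies present at first load, before the user decided.
const SAMPLE_PRE_CONSENT = [{ name: "sessionid" }, { name: "_ga" }, { name: "_fbp" }];
```

Running `auditPreConsent(SAMPLE_PRE_CONSENT)` against a real first-load capture is the quickest way to see whether a banner is decorative or actually gating.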
Act Now to Avoid Increasing Criticism from Regulators
Many businesses have opted to wait and see whether there would be any enforcement actions under laws like the GDPR or the CCPA.
While enforcement of privacy laws was slow to start, enforcement actions have since increased at a steady pace. In the first three years of the GDPR, only one major tech company was fined for noncompliance. Fines have risen sharply in recent years.
Many of these fines are directly related to consent management.
Amazon was fined $887 million by regulators in Luxembourg for violating the GDPR. The tech giant had used an implied consent model on its EU properties.
WhatsApp was also fined $266 million in September for not being transparent about its data collection and processing.
Fines are not only being handed to large corporations. Enforcement actions have also been taken against small and medium-sized businesses, even if large companies have been hit with much higher fines.
Even more important, consumers today demand transparency from the brands they buy from. 71% of people will not buy from a company that collects sensitive data or shares it without their explicit permission.
The trend is clear: regulations may have been murky over the years, but the dust has settled. Businesses must reevaluate their compliance programs today to avoid scrutiny from regulators tomorrow.
Forbes Technology Council is an exclusive community for CIOs, CTOs, and other technology executives.