Consent fatigue: User burnout in the era of endless pop-ups
Posted: February 12, 2024
In the digital age, the advent of comprehensive data protection laws like GDPR has profoundly transformed how users perceive their digital privacy.
With several non-compliance penalties making headlines of late, organizations fear enforcement of regulations. To comply with these legal standards, while also exploiting gray areas around them, they place cookie consent banners on their websites with little consideration for users.
Cookie banners prompt people to provide consent for data collection, data processing, and cookie placement (for tracking or advertising purposes). Users typically encounter cookie consent banners when visiting a website for the first time. The banner asks them to accept cookies right away, and it appears again on the next visit if they did not express a choice (accept, decline, or customize) the first time.
This may sound simple and easy to dismiss, but imagine users facing these repetitive prompts on every website they visit. It leads to a feeling of being bombarded with requests. This overexposure to consent banners gives rise to a phenomenon called “consent fatigue.”
In this blog post, we address user burnout due to these endless pop-ups and explore methods to combat consent fatigue.
Implications of consent fatigue
Consent fatigue is neither good for consumers’ rights nor for businesses’ revenue streams.
Websites, in pursuit of their data collection approach, forget the user experience and design cookie banners that lack sound UX practices. Users facing these banners instead experience exhaustion and indifference.
While these banners are supposed to offer a sense of control and transparency, they instead raise privacy concerns and annoy users.
Let’s understand the two-fold implications of consent fatigue.
Consumer side: Overexposure to consent banners
Frequent consent requests can lead to individuals becoming habitually numb to the information and prompts. Facing numerous consent decisions regularly, individuals can develop decision fatigue. Under fatigued conditions, users are most likely to choose the quickest option available, like “accept all,” even though the devil is in the details that their hasty action skips.
Even though the GDPR sets a gold standard of consent, requiring it to be informed, specific, unambiguous, and freely given via a clear, affirmative action, many businesses adopt manipulative consent banners. Such overly intrusive banners not only erode trust in companies but also diminish users’ motivation to actively select their privacy settings.
Users instead end up consenting, without fully understanding the implications, to data collection and processing that they otherwise wouldn’t agree to. Prioritizing convenience over privacy, some individuals might ignore the banner altogether. Rushing through choices leads to poorly informed decisions, potentially exposing users to unintended data processing.
Organization side: Poor data analytics
While non-compliance with regulations is the elephant in the room, the constant bombardment of cookie consent banners can have several negative implications for businesses themselves.
The multiplication and recurrence of consent banners become overwhelming for users to the extent that they end up abandoning the websites. With every visitor lost, a website’s conversion rates and sales get affected. Websites’ manipulative data practices create suspicion and erosion of trust. A brand’s reputation decays, with most people having negative reviews about it.
Consent fatigue also accounts for businesses receiving inaccurate data for analytics. Consent fatigue makes people rush through their consent choices. Their inadvertent consent to data collection or opting out of the wrong choices makes the data profiles prone to errors or inconsistencies.
This inaccurate data can’t be relied upon for effective decision-making, and decisions drawn from it could be biased or misleading.
Flawed data can further damage marketing efforts. Lack of granular data about the specific needs and preferences of users may lead marketers to create messaging that is rather generic and doesn’t accurately resonate with the target audience.
Poor privacy UX practices mostly account for consent fatigue. If consent banners are complex, ambiguous, or not user-friendly, demonstrating that users gave free and informed consent will be difficult. Such tactics are susceptible to lengthy investigations during audits and can lead to potential penalties for non-compliance.
Article 7 of the GDPR reinforces the point that even consent mechanisms that are technically compliant but hinder user understanding may attract scrutiny from authorities. The French data protection authority CNIL’s imposition of a €50 million fine on Google for making the consent mechanism “difficult” suggests that technical compliance isn’t enough if user experience hinders meaningful choice.
Best practices to mitigate consent fatigue
1. Identify the lawful basis for processing beyond consent
Prior to collecting data from users, organizations must identify on what legal basis they’re carrying out the processing activity. Besides consent, GDPR provides five other lawful grounds for processing the personal data of consumers, including the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
There is often a general misconception that the processing of personal data can’t be legal if formal consent is not obtained from users in the first place. However, not all data processing activities require obtaining explicit consent. With other choices available, consent doesn’t remain a “silver bullet” for GDPR compliance.
For instance, processing personal data on the basis of consent doesn’t fit appropriately when the processing is based on a legal obligation or when an organization has a legitimate interest in doing so.
When consent is still necessary for processing, identifying a different legal basis for other activities can help make the remaining consent requests more specific. Users will then most likely feel less overwhelmed and can grant consent for specific purposes instead of facing a blanket “accept all” or “reject all” choice. With less exposure to pop-ups, users’ trust in companies will grow when they find the company exploring lawful avenues beyond sole reliance on consent.
The U.K. Information Commissioner’s Office, in its guidelines on consent, states that when consent is appropriate, an organization should carefully vet the most appropriate lawful basis that most closely reflects the true nature of its relationship with the individual and the purpose of the processing.
2. Consent for processing that may result in high risk to individuals
Consent as a lawful basis becomes crucial to obtain in situations when:
- Processing is likely to result in a risk or high risk to the rights and freedoms of individuals;
- Algorithmic decision-making or profiling is involved that may significantly impact individuals;
- Processing requires the sharing of personal data with third parties;
- International data transfers take place;
- Special categories of personal data or personal data of minors are processed.
Outside of the above-mentioned exceptions, processing activities limited to purposes deemed reasonable and appropriate with minimal privacy impact, like commercial interests, individual interests, or societal benefits, could be exempt from formal consent. In this case, where GDPR applies, a data protection impact assessment may play a key role in identifying risks or high risks to individuals. In risky contexts, organizations will require consent.
3. A softer approach: educate users
Even with clear language presented to users via privacy notices and cookie banners, the overload of information and intricacies of data collection practices may account for consent losing its significance. Some argue that the consent model itself is irreversibly broken and that empowering users with education to make informed choices about their data is the only real answer to consent fatigue.
Keeping in mind that pop-ups can’t be relied upon for any meaningful level of agency, companies can address this by proactively giving people clearer knowledge about complex data collection practices and how uninformed decisions can lead to negative consequences, including data misuse and exploitation.
Integrating bite-sized education modules into relevant website sections where data collection takes place equips users with context and clarity about the purposes for which their data is being collected. Simulations and gamified scenarios are fun and engaging methods to explain complex data collection practices. Interactive exercises and games that explain the varied types of data, how companies use that data, and what potential risks and benefits sharing data with companies implies for consumers can further aid front-end approaches focused on education and empowerment.
Conclusion
Currently, almost all websites are loaded with a high frequency of consent requests, privacy notices, and cookie banners.
Users’ repeated encounters with cookie consent banners barricading access to websites, paired with the consequences of consent abuse practices by websites, result in fatigue. This fatigue leads to consent losing its purpose.
Unless human psychology is factored into future approaches to consent and other legal bases for processing are explored, consumers, businesses, and regulators alike will continue to grapple with the consequences. A remedy for organizations to avoid the risk of consent fatigue would be to request consent for cookies with full transparency.
Companies benefiting from regulatory gray zones can have a short-term gain, but those who are willing to go the distance in respecting their consumers’ privacy preferences will come out the other side better and brighter.