Debunking 4 myths in Consent Management
Posted: August 12, 2024
Ever since the dawn of the internet, companies have been able to collect and use consumer data unabated. With data privacy regulations gaining ground, people have become increasingly conscious of data misuse by businesses. Data privacy regulations have tried to bridge the gap between businesses and consumers through consent management and other principles that instill consumers’ trust in businesses’ ethical and responsible use of their data.
Consent is one of the six legal bases on which businesses can legally collect and process consumer data. Despite the myriad advantages consent management offers businesses, some misconceptions about it persist and lead businesses to workarounds. In this blog post, we bust four such myths and highlight how consent empowers businesses and transforms consent roadblocks into empowering tools for increased user engagement.
Myth #1: “Once consent is obtained, it’s valid forever”
GDPR does not indicate a shelf life for consent, and theoretically, consent could be indefinite. However, consent may not hold its value over time, because its quality degrades. This means consent is not a one-off event, and consent once obtained certainly does not remain valid indefinitely.
Let’s understand this with the following scenarios:
- The data required to efficiently support a product or service evolves. For example, a health application initially required only basic information and activity data to offer personalized workout plans to users. However, with evolving technology, the app now asks users for access to monitor their heart rate and sleep to support advanced training. Such cases require users to update their consent promptly.
- Individuals may not always remember what they consented to in the past. Changing societal expectations for data privacy reduce the value of informed consent. Users who were once comfortable sharing data might not always feel the same. Their discomfort may prompt them to revoke consent, but at the risk of losing access to core functionalities. Timely communication about why consent matters keeps informed consent consistent.
- Consent is tied to the context in which it was originally obtained; using the data for some other purpose requires fresh consent. If an organization deliberately uses the same data for other purposes, the user’s consent is deemed invalid under GDPR. Under GDPR’s “purpose limitation” principle, doing so may result in enforcement action or damage to a brand’s reputation.
Myth #2: “All consent is the same”
Consent types vary depending on the situation. Depending on whether it is given on an informed basis or assumed, consent can be explicit or implicit. Understanding how the different consent types apply is crucial to compliance with data privacy regulations.
In the realm of data privacy, explicit consent occurs when an individual, on an informed basis, agrees to their data being used for purposes stated by a website. By comparison, implied consent is the case where consent is inferred from users’ actions rather than explicitly obtained for data collection or processing.
Explicit consent is required when processing sensitive data about individuals. Opt-out and opt-in are two mechanisms for implementing explicit consent. Businesses are required to obtain explicit consent if processing the data poses a high risk to individuals, such as automated decision-making, online tracking, marketing communications, and cross-border data transfers.
Implied consent applies in cases where there is already an established relationship between the organization and the user. Implied consent is limited to the purposes for which customer data was obtained in the first place, or at least to purposes relevant to them. Possible use cases for such data should be clearly mentioned in privacy policies to educate users without being vague.
Let’s understand explicit and implicit consent with an example. A user signs up on a food delivery app and grants location access. With location access, the app can identify restaurants in the vicinity of the user, estimate delivery time and cost, and provide real-time tracking of the driver. Evidently, the app has a clear functional purpose for location access. Since granting location access is a direct action by the user, explicit consent applies. However, if the app suggests nearby restaurants that are running offers, inferring that the user may appreciate discovering such deals, implied consent comes into play.
Myth #3: “Consent management is only for legal compliance”
With data privacy gaining momentum, consent has emerged more as an expression of trust than mere compliance with regulations. It is the new foundation upon which relationships between customers and businesses are built. With trust rooted in privacy, customers are becoming increasingly suspicious of how brands use their data. This suspicion leads customers to look closely at the level of control an organization gives them over their data.
Businesses can prioritize user control to build brand credibility and gain a competitive edge in the market. Transparency features like clearly communicating what data they’re collecting, who it is shared with, and how they plan to use it boost opt-in rates. This transparency, coupled with user-friendly consent management mechanisms, enables users to make informed decisions.
These ethical practices help the company comply with data privacy regulations and emphasize the priority it gives to user privacy and autonomy. Granular consent enables businesses to get deep insights into customer preferences. Driven by these insights, businesses can use data management as a tool to serve customers in the most relevant way possible. It allows personalized experiences, tailored marketing messages, and product recommendations for increased user engagement and satisfaction.
Effective consent management enables data utilization and even monetization when properly embedded into an organization’s infrastructure. So, it becomes a much broader business imperative, with key stakeholders across marketing, revenue and IT teams.
Myth #4: “Users don’t care about consent details”
Our recent research report, Privacy Beyond Borders, found that 97% of consumers from around the world prefer to do business with companies that have a strong track record of protecting data privacy. It also found that:
- 69% desire clear expectations of how their data will be used
- 69% want the use of encryption and secure data storage practices
- 68% would like the ability to control the types of data collected
Trust is akin to consent management, which involves providing in-depth information about the nitty-gritty of how an organization may use user data and how that would benefit the individual.
Regardless, only 52% allow users to opt out of sharing data, according to a KPMG survey titled “Corporate Data Responsibility: Bridging the Trust Chasm,” which also revealed that only 59% of business leaders said that they provide users with the control to know how much data goes to whom. Such figures are astounding and require immediate attention when consumers expect businesses to leverage their data to provide positive user experiences, even on an individual level.
Rapid changes in the data privacy landscape require businesses to be more transparent with their consumers. User-friendly interfaces that help users easily discover important functions and content are an important consideration.
Granular consent options that allow users to choose which data points to share as per their convenience clearly win out over the single “all or nothing” option. Using visual cues and providing post-consent feedback, with a message summarizing their choices, reminds users of their consent options and draws their attention to informed decision-making.
Final thoughts…
From the four myths we debunked, we learned that consent is an ongoing process, and its value changes as an organization’s purposes for processing data shift and user expectations evolve. Implied consent is controversial, and organizations should strictly adhere to obtaining explicit consent for compliance.
The importance of consent management is not limited merely to regulatory compliance; it goes beyond that. By demonstrating respect for user privacy, organizations can foster user trust and gain a competitive edge in the market. It’s crucial to provide users with control over their data in a rapidly changing privacy landscape. Transparency in data usage and user-friendly interfaces for informed decision-making go a long way in building brand loyalty.