6 steps to build a user-centric consent stack as told by Gartner

As with most topics in privacy, if you ask the question “what is the most important factor in successful consent and preference management,” the answer will depend on with whom you are talking.

If you talk with a privacy professional on the technical side of the equation, he or she may answer that question with “thoughtful consent stacking.” On the other hand, if you ask that question of a privacy pro on more of the front end of privacy, he or she may answer “user-centric design.” The full answer, of course, is that both are right – simultaneously and equally.  

First it is important to understand what “consent stack” and “user-centric design” really mean. 

The definition of a “consent stack” is best explained by an analogy from a different field – financial payment services.  A payment stack is a set of technologies and services, often layered on top of one another, to provide the full suite of payment services in a seamless experience. Think of standard online payments. At the most basic level, there is a website through which you can make a purchase. That website must communicate with a payment provider, which communicates through orchestration layers with various credit card companies, banks, and payment providers such as PayPal. These communications must be two-way, and everything must work real-time and seamlessly for a transaction to occur.  

The same thing is true with successful consent management. An organization may need to offer preferences and capture consent for marketing (and different types of marketing), business communications, cookies and online trackers, experience customization, and business practices like sharing. This means that the organization must be able to connect the different technologies and services together to form a united, seamless experience that is carried out real-time. There may be a consent and preference online center, for example, that somehow connects with all the technologies, including databases, to pass on directions and receive back information.  

User-centric design, however, is a concept that comes from the website development world and refers to both a design process and outcome. A user-centric design process focuses on user needs, goals, and feelings, which results in a user experience that meets user needs and goals in an intuitive way. In the privacy consent and preference management context, user-centric design results in an intuitive, user-pleasing set of experiences through which those users can give and retract consent and express relevant preferences.

A successful user-centric consent and preference management experience considers not only how users can express their wishes, but also the ‘what’ and ‘when’ – what preferences and consents are relevant to users, and at when those appear in the user journey.  

Given that both the development of an effective and efficient consent stack and user-centric design in consent and preference experiences are critical to successful consent and preference management, the next question is – how?

Fortunately, the latest Gartner Market Guide for Consent and Preference Management covers this topic, so we’ve highlighted the 6 steps to build a user-centric consent stack… 

1. Move to consolidate and centralize consent stores

Consents and preferences are the most visible, public area of privacy compliance, except for privacy notices. Failures show up almost immediately to consumers, and regulators can easily evaluate implementation results.  

With multiple systems involved in maintaining consents, the risk of non-compliance goes up. A sole source of truth for consents (and preferences), however, can reduce the risk of noncompliance. Though a consent and preference stack is still most likely necessary, centralizing consents and preferences in a single system of truth will reduce complexity, eliminate conflicts among systems, and increase the probability of 100% compliance.  

Ambiguity in consents and preferences not only risks compliance, but it also decreases the flexibility in current and future data uses. As an added benefit, centralization of consent stores increases confidence in to what data collection and uses a user actually agreed or disagreed, which allows an organization to confidently monetize data in the future.  

2. Develop a close partnership with Marketing

The AdTech world is changing rapidly, and the Marketing organization is best placed to deeply understand impacts of these changes to privacy consents and preferences. For example, Marketing is a critical partner in managing the shift from third party online trackers, like cookies, to properly consented repositories of first party data and uses.

Also, Marketing has some of the most central thinking about future uses of data. Without close communication with Marketing, a consent and preference stack might accommodate current needs but not future needs. Marketing will be a critical stakeholder to future-proof the consent and preference stack.  

3. Assess products, allow for growth

Speaking of future-proofing consent and preference management, it will be important to consider the pros and cons of each solution and compare against the needs of the future.

Remember that implementation can occur over time, and it may be that only the higher risk issues that an organization must address in the short term. In fact, with a flexible solution in place it may be preferable to wait to address some needs as the organization builds more knowledge and confidence.  

4. Build a single source of truth

As mentioned above, a single source of truth for consent and preferences will reduce risk, reduce complexity, and increase future flexibility with data. While it may take a stack of technologies and services to complete the consent and preference process end-to-end, a sole source of truth at the conceptual center of the stack is a must.  

5. Give users back control

Study after study in multiple fields show the buffer effect of control against a variety of negative feelings, including anxiety and depression. In other words, people just plain feel better about things when they also feel that they have some control over the situation. The corollary in privacy is by giving data subjects control over what personal data they share and how the organization uses and shares the data in turn, those data subjects also have less privacy-anxiety and increased trust in the organization. Ultimately, giving control to users also has some very practical benefits, like reducing the number of individual rights requests.  

6. Treat consent as more than a compliance tool

Yes, adequate, trackable consent management is a compliance requirement in most jurisdictions. However, thinking about consent and preference management as something much larger will result in a transformational outcome.

An organization that builds an internal culture of considering personal data as a resource to caretake and cultivate will find that it must build a wholistic consent and preference management framework – one that gives data subjects control over the things that are important to them, which in turn builds trust and customer delight.