Why We Need White Hat Consent Rate Optimization and to Fight Dark Patterns
For the benefit of the users, we should focus on allowing businesses to build trust and validate consent in time, and stop dark patterns once and for all.
A solid CMP should work like a drip campaign, like the ones used before GDPR in cold email outreach or trial nurturing campaigns. It’s a way of building trust and asking for something in return. For example, download my PDF and I’ll send you an email with it attached. It is something you expect from me and that I deliver. In the email, I might also invite you to take one more step, like getting another piece of content. It’s imperative, though, that each new step is consensual on both sides and neither party breaks the mutual trust that is established over time.
This is why I’m proposing a new set of standards and designs, complementary to existing Consent Management Platforms, to help legislators and website owners bring trust and fair business practices back to the web.
It takes advantage of the visitors’ “difficulty understanding how to make meaningful decisions about their privacy preferences”. Even in situations where they realize the implications of their decisions, they prefer short-term benefits over long-term privacy, as the study rightly points out.
With the upcoming ePrivacy Regulations, it seems this will extend to analytics and optimization exclusions (at least according to the latest draft from Nov 8, 2019).
Send me your articles based on recent papers on our blog (I’ll even pay for those) and overviews of proper design principles of consent forms.
I believe the future belongs to new privacy formats like the ones below.
Many websites use these types of designs that make accepting their privacy & security notices easy. Using green for accepting the terms and grey links or ghost buttons for the other options is a very common practice.
Dark Consent Patterns in the Post GDPR Era
I’m particularly interested in open source projects that are proposing layers of consent design and standards. I’m willing to fund these initiatives if they are proven to increase consent percentages and the understanding of the users’ choices.
I think it’s time the rest of the world followed the lead.
I fully believe this is what we should focus on in 2020 and beyond, and not on how to hack browsers’ ITP/ETP or use dark patterns for consent.
A recent study called “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” analyzes five of the most popular Consent Management Platforms (CMPs) that account for ~58% of the market share: QuantCast, OneTrust, TrustArc, Cookiebot, and Crownpeak.
Have you ever been tricked into agreeing to sneaky clauses in online legal agreements just because you don’t read the small print on the internet?
Such resistance from users is becoming more and more common and new laws are created to fight it.
1. This Privacy “Nutrition Label” or standardized table proposed by Gage Kelley et al.
Right now users pick short-term benefits over long-term privacy issues, because dark pattern designs influence their decisions. I think a granular consent optimization management system, where consent is gained in time, would be a better alternative to the “all or nothing” approach tools offer now.
I’m frustrated with the industry taking privacy so lightly. I’m disappointed in myself for accepting conditions in bulk. I think we can all do better.
This is the type of Consent Rate Optimization that, in my opinion, uses dark patterns.
Evil Brands or Optimization to the Extreme?
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4. Privee: An Architecture for Automatically Analyzing Web Privacy Policies by Sebastian Zimmeck and Steven M. Bellovin.
2. This simplified version of the privacy label, from the same study.
Good, it means we’re on the same page.
The researchers scraped the top 10,000 websites in the UK and found that dark patterns and implied consent are ubiquitous. Only 11.8% of them meet the minimal requirements set by European laws.
Removing the opt-out button from the first page increases consent by 22–23 percentage points. Providing more granular controls on the first page decreases consent by 8–20 percentage points.
Consent Rate Optimization White Hat
Here’s an example from SourceForge.net. The consent box shows a very obvious “Accept all” option.
The ePrivacy Directive, the law applied in Europe that deals with cookies, placement of information (LocalStorage), and fingerprinting, is moving towards consent.
The same study I mentioned above also found that notification style banners (or barriers) have no effect.
Got through this entire post?
This has been the reality of consent pop-ups since May 2018 when the GDPR was enforced in Europe. Since then, the rest of the world has been doing their best (or their worst) to get cookies on all my devices that have internet connectivity.
If you didn’t, how about checking this video I recorded for you yesterday?
(By the way, if you’re more of a visual person, make sure you check out the video I recorded for you — it’s at the end of this post.)
If you’re someone who researches the best design principles for consent, I want to hear from you. To show my commitment and full support, I will fund your project.
Even though users are likely checking “Accept all” boxes willingly, it does not mean they don’t want to improve and respect privacy issues. While being hunted all over the web by intent ads based on online activities can be useful, it can also be quite a harrowing experience. Such all-encompassing consent is not required for essential functions, such as remembering a login status, a shopping cart action, or collecting cookies for data security required by law.
I’ll Fund You
6. The Platform for Privacy Preferences (P3P)’s automated efforts in presenting a readable overview.
5. Robert W. Reeder’s interactive matrix visualization called Expandable Grid which shows a color-coded overview of a policy that can be expanded for more details.
I feel pressured into clicking buttons like “Accept all” when there’s an article I want to read and the user interface of the consent option is so poorly designed it leaves me no other choice.
With GDPR, “granular consent” is defined as follows:
If you’d like to continue this conversation, let’s connect on LinkedIn (let me know you’re coming from this post to discuss consent rate optimization practices).
This study brings forward an interesting idea. Providing standards and designs to authorities to disseminate at national levels can increase the use of the more granular opt-in controls.