Three dimensions of privacy UX all brands need to understand

In the past few years, numerous privacy regulations have come into force to provide consumers greater control over their data. But the patchwork of regulations and varying approaches means compliance remains complex. 

The regulatory landscape is tightening; GDPR fines levied grew substantially in the past year, CPRA recently passed to strengthen CCPA, and emergent legislations like LGPD (Brazil) and the Virginia and Washington state privacy acts are following closely behind. Yet consumers are increasingly concerned about digital privacy and are looking for ways to limit access to their data. 

For consumers to trust brands with their data, privacy needs to be at the center of user experience. Now more than ever, high-quality and compliant experiences across all digital channels should define your marketing strategy. Managing brand reputation and minimizing risk requires setting an organizational standard of data ethics for yourself and your advertising partners. But to make informed evaluations about your media plan or how you’re leveraging consumer data for remarketing, brands must understand multiple dimensions of privacy UX. 

1. The role of industry and regional frameworks 

When the EU’s GDPR was first introduced, there were no set guidelines for what a compliant experience looked like. That’s where an industry framework like the IAB’s Transparency Consent Framework (TCF) comes in. The TCF is the most widely adopted framework for GDPR compliance for media ecosystem participants in Europe. It set an industry standard in terms of specific UI requirements as well as the transmission of user preferences throughout the digital ad supply chain.  

The TCF provides consumers, publishers, intermediaries — and advertisers — a common language for how consumer data is processed, and it has served to standardize privacy experiences across a vast ecosystem. 

However, the TCF is not the only way to meet GDPR core principles, like informed consent. 

A site that is not supported by ads might show a lightweight “cookie banner” experience that prompts users to opt-in to cookies, but it won’t leverage the TCF’s consent string signals, and it won’t necessarily meet the TCF’s UI specifications for how data processing is disclosed. In the US, the IAB has created the CCPA Compliance Framework to serve a similar purpose.

What can be confusing to understand sometimes is that the IAB is not a legal authority; the IAB only regulates the usage of their own compliance frameworks. When it comes to compliance with GDPR, regional data protection authorities (known as DPAs in Europe) have their own specific requirements, and key rulings are impacting how companies are implementing their privacy experiences. 

For example, France’s data protection authority, the CNIL, now requires the presence of a Refuse All option, to make it as easy to decline consent for all data processing purposes as it is to consent. GDPR enforcement is even more decentralized in Germany, which is divided into 16 states, each with their own data protection authority. 

2. Beyond compliance, towards data ethics

There are some aspects of consumer data privacy not addressed by laws or technical frameworks that some organizations have determined are best practices for responsible data use, regardless of applicable privacy regulation. These include avoiding the use of opaque targeting tactics (i.e., fingerprinting, geotargeting) and making the opt-out process user-friendly as opposed to requiring multiple steps and forms to complete. 

In addition to technical red-flags which can signal a vulnerability to data breaches, brands need to pay attention to how consent is facilitated. A privacy experience that educates the consumer by putting consent front and center will explain the benefits of personalized advertising and establish a value exchange with the consumer. Going beyond base-level compliance by setting a goal of strong digital citizenship can deepen consumer trust by building a direct and transparent relationship that sets your brand apart. 

3. You are who you work with

In the digital marketing ecosystem, everything is interconnected by the flow of consumer data.  Just as brands are accountable for the vendors processing consumer data on their websites or the third-party data segments they work with, brands are accountable for the privacy experiences delivered by their media inventory suppliers. 

However, evaluating these experiences is a complex task.  

Compliance isn’t binary and data ethics is subjective. What’s more, the complexity of programmatic advertising makes it difficult to have full visibility into the privacy practices of partners. So what is the right approach for advertisers today? 

In a complex global ecosystem with constantly changing regulations, it’s important to define your organization’s approach to privacy. Establishing your own set of best practices will form the basis for evaluating your media inventory suppliers and other partners, and ensures that all of your customer’s digital experiences with your brand match your brand standards for data privacy. 

Introducing Privacy Lens

When approaching privacy UX, remember that minimizing risk, building trust, and driving revenue actually go hand in hand. Quality privacy experiences improve returns on ad spend, and brands must have a clear sense of their organization’s data privacy standards when approaching media buying strategy. 

With Privacy Lens, you can set your own standards for privacy experiences and use our proprietary scanning technology to evaluate media inventory against them. Select from a dynamic list of rules based on industry frameworks, regional regulations, or markers of data breach risk, and visualize impact on your media plan in real time. 

If you want to learn more about how Sourcepoint can help you drive privacy-first advertising experiences by identifying media inventory suppliers that meet your quality standards, contact us.