Why We Need White Hat Consent Rate Optimization and to Fight Dark Patterns
Have you ever been tricked into agreeing to sneaky clauses in online legal agreements just because you don’t read the small print on the internet?
Me too.
I feel pressured into clicking buttons like “Accept all” when there’s an article I want to read and the user interface of the consent option is so poorly designed it leaves me no other choice.
This has been the reality of consent pop-ups since May 2018, when the GDPR came into effect in Europe. Since then, the rest of the world has been doing its best (or its worst) to get cookies on all my devices that have internet connectivity.
User resistance to this is becoming more and more common, and new laws are being created to fight these practices.
This is why I’m proposing a new set of standards and designs, complementary to existing Consent Management Platforms, to help legislators and website owners bring trust and fair business practices back to the web.
Right now users pick short-term benefits over long-term privacy issues, because dark pattern designs influence their decisions. I think a granular consent optimization management system, where consent is gained over time, would be a better alternative to the “all or nothing” approach tools offer now.
(By the way, if you’re more of a visual person, make sure you check out the video I recorded for you — it’s at the end of this post.)
Dark Consent Patterns in the Post-GDPR Era
A recent study called “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” analyzes five of the most popular Consent Management Platforms (CMPs) that account for ~58% of the market share: QuantCast, OneTrust, TrustArc, Cookiebot, and Crownpeak.
The researchers scraped the top 10,000 websites in the UK and found that dark patterns and implied consent are ubiquitous. Only 11.8% of them meet the minimal requirements set by European laws.
This study brings forward an interesting idea: providing standards and designs to authorities to disseminate at national levels can increase the use of the more granular opt-in controls.
Even though users are likely checking “Accept all” boxes willingly, it does not mean they don’t care about privacy. While being followed all over the web by intent-based ads built on your online activity can be useful, it can also be quite a harrowing experience.
The ePrivacy Directive (the law applied in Europe, covering cookies, storing information on the user’s device such as LocalStorage, and fingerprinting) is moving towards consent.
With GDPR, “granular consent” is defined as follows:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
I think it’s time the rest of the world followed this lead.
Such all-encompassing consent is not required for essential functions, such as remembering a login status, a shopping cart action, or collecting cookies for data security required by law.
With the upcoming ePrivacy Regulations, it seems this will extend to analytics and optimization exclusions (at least according to the latest draft from Nov 8, 2019).
Evil Brands or Optimization to the Extreme?
The same study I mentioned above also found that notification-style banners (or barriers) have no effect.
Removing the opt-out button from the first page increases consent by 22–23 percentage points. Providing more granular controls on the first page decreases consent by 8–20 percentage points.
Here’s an example from SourceForge.net. The consent box shows a very obvious “Accept all” option.
Many websites use these types of designs that make accepting their privacy & security notices easy. Using green for accepting the terms and grey links or ghost buttons for the other options is a very common practice.
This is the type of Consent Rate Optimization that, in my opinion, uses dark patterns.
It takes advantage of the visitors’ “difficulty understanding how to make meaningful decisions about their privacy preferences”. Even in situations where they realize the implications of their decisions, they prefer short-term benefits over long-term privacy as the study rightly points out.
White Hat Consent Rate Optimization
I’m frustrated with the industry taking privacy so lightly. I’m disappointed in myself for accepting conditions in bulk. I think we can all do better.
A solid CMP should work like a drip campaign, like the ones used before GDPR in cold email outreach or trial nurturing campaigns. It’s a way of building trust and asking for something in return. For example, download my PDF and I’ll send you an email with it attached. It is something you expect from me and that I deliver. In the email, I might also invite you to take one more step, like getting another piece of content. It’s imperative though that each new step is consensual on both sides and neither party breaks the mutual trust that is established over time.
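As an added illustration of the granular, consent-gained-over-time model described above (example code written for this post, not code from any CMP or from the author's project): a browser-side consent store where essential purposes are exempt, every optional purpose starts undecided, a decision is recorded only from an explicit click, and the site asks for the remaining purposes one at a time when a feature needs them. The purpose names, storage key and evidence shape are assumptions.

```javascript
// Assumed purpose names: essential ones are exempt from consent (login, cart,
// security), optional ones need an explicit, per-purpose decision.
const ESSENTIAL = new Set(["login", "cart", "security"]);
const OPTIONAL = new Set(["analytics", "ads", "personalization"]);

// Constructed in-memory stand-in for window.localStorage so this runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

function createConsentStore(storage, now = () => Date.now()) {
  const KEY = "consent.v1"; // assumed storage key
  const load = () => JSON.parse(storage.getItem(KEY) || "{}");
  const save = (s) => storage.setItem(KEY, JSON.stringify(s));

  return {
    // "No decision yet" means denied: nothing optional runs until the user acts.
    isAllowed(purpose) {
      if (ESSENTIAL.has(purpose)) return true;
      const rec = load()[purpose];
      return Boolean(rec && rec.granted);
    },
    // Record a decision for ONE purpose, backed by a clear affirmative action.
    // Scrolling, closing the banner or a pre-ticked box never reaches here.
    decide(purpose, granted, evidence) {
      if (!OPTIONAL.has(purpose)) throw new Error("unknown or essential purpose: " + purpose);
      if (!evidence || evidence.action !== "click") throw new Error("consent requires an explicit action");
      const s = load();
      s[purpose] = { granted: Boolean(granted), at: now(), control: evidence.control };
      save(s);
    },
    // Purposes with no decision yet: ask for these one at a time, at the moment
    // the feature is actually needed, instead of one "Accept all" wall.
    undecided() {
      const s = load();
      return [...OPTIONAL].filter((p) => !(p in s));
    },
    // Withdrawing consent must be as easy as giving it, so it is one click too.
    withdraw(purpose) {
      this.decide(purpose, false, { action: "click", control: "withdraw" });
    },
  };
}
```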
I fully believe this is what we should focus on in 2020 and beyond, and not on how to circumvent browsers’ ITP/ETP tracking protections or use dark patterns for consent.
I believe the future belongs to new privacy formats like the ones below.
1. This Privacy “Nutrition Label” or standardized table proposed by Gage Kelley et al.
2. This simplified version of the privacy label, from the same study.
3. This “Privacy Policy Options” pattern for Modifiable Privacy Policy Statements and Capturing End-User’s Preferences from a study on “Pattern-based incorporation of privacy preferences into privacy policies: negotiating the conflicting needs of service providers and end-users”.
4. Privee: An Architecture for Automatically Analyzing Web Privacy Policies by Sebastian Zimmeck and Steven M. Bellovin.
5. Robert W. Reeder’s interactive matrix visualization called Expandable Grid which shows a color-coded overview of a policy that can be expanded for more details.
6. The Platform for Privacy Preferences (P3P)’s automated efforts in presenting a readable overview.
I’ll Fund You
Got through this entire post?
Good, it means we’re on the same page.
If you didn’t, how about checking this video I recorded for you yesterday?
If you’d like to continue this conversation, let’s connect on LinkedIn (let me know you’re coming from this post to discuss consent rate optimization practices).
If you’re someone who researches the best design principles for consent, I want to hear from you. To show my commitment and full support, I will fund your project.
I’m particularly interested in open source projects that are proposing layers of consent design and standards. I’m willing to fund these initiatives if they are proven to increase consent percentages and the users’ understanding of their choices.
For the benefit of the users, we should focus on allowing businesses to build trust and validate consent over time, and stop dark patterns once and for all.
Send me your articles based on recent papers on our blog (I’ll even pay for those) and overviews of proper design principles for consent forms.
We can make the world more privacy conscious. Convert will help. I will help.