Secondhand Lions GDPR Cookie Consent Privacy Taste Test

I was challenged by readers in my previous post “Real World Consent Translated to Digital” to describe a digital experience that follows the seven key factors derived from the traveling salesman in Secondhand Lions (SHL).

We are weeks past the start of GDPR (+4) and in addition to being flooded with emails trying to keep you on mailing lists, you have probably noticed some changes in cookie consent banners on web sites.  I’ve mocked up a privacy taste test, if you will, by looking at 4 examples of post GDPR cookie consent to illustrate how well companies are following the SHL traveling salesman’s 7 keys to successful digital interactions.

Cookie Consent is not the end all be all of evaluating a company’s privacy stance, but it is the most immediately visible and why it was chosen to illustrate keys 1-5.  If you are not identified, cookies are mostly collecting semi-pseudonymous data based on your internet browsing.

Official Rules of the SHL Cookie Consent Privacy Taste Test

Below are the seven SHL key factors to advertising digital interactions:

  1. Respecting privacy
  2. Being transparent
  3. Asking for consent, realizing that consent can be withdrawn at any time
  4. Being clear about what he was asking consent for
  5. Earning trust
  6. Offering value – consent and trust got the brother’s “off the porch” and value determined further interaction
  7. Personalizing value and tailoring convenience

The goal of these seven keys is to win consumer trust to begin a conversation in which the advertiser can present something of value to the consumer.  Ultimately, brands and advertisers want to get to a two way conversation with consumers at Key 7.  Brands will be evaluated on how well keys 1-4 earned trust, key 5.  Keys 6 and 7 are for another day and another post that evaluates personally identifiable information.

Key 1 – Respecting privacy:  We need a working definition to evaluate Key 1.  Combining two definitions of privacy from Westin and Wolfe (see post discussing what we mean by the right to privacy) we can define digital privacy as:

The right to control who watches or learns about you and maintaining that control over your personal information.

Key 2 – Being transparent:  I would call this the Hub McCann test after the encounter where Hub tells the traveling salesman hiding behind the car “to come out where we can see you”.  Does the brand show us what they are doing with our data?

Key 3 – Asking for consent that can be withdrawn at any time

Key 4 – Being clear about what you are asking consent for.

The approach and execution of Keys 1-4 will determine the level of trust earned – key 5.  Brands will be scored in each category using the following scale:  0 = Fail; 1 = Low; 2 = Medium; 3 = High

Brand A

Landing on the site of Brand A shows a cookie consent banner on the bottom of the screen on 5/29/2018 seen in figure 1 below.

Figure 1

The site informs you that they use cookies for your experience benefit.  Then they ask you to accept the cookie blindly or choose a cookie preference.  This notice fails in the Key 4 criteria which is why they changed it as of 6/7/2018 to the following notice in figure 2 below.  It really wasn’t clear what they were using the cookies for.

Figure 2

They are now giving us some examples from which we can make an informed decision to “Accept All Cookies”.  This is an improvement on the clear and understandable language of transparency from their original attempt.

You can choose to control how your data is collected and used by clicking on “Cookie Preferences” and a pop up sidebar on the left hand side of the screen appears illustrated in figure 3 below.

Figure 3

Brand A has divided their cookie preferences into 3 categories:

  1. Necessary Cookies –no control
  2. Functional Cookies – You have a choice of all on or all off for functional cookies. It however lacks full control and transparency.  It is one thing to analyze general website usage.  It is another to tell me you are going to suit my needs and improve my user experience.  This sounds like personalization that requires profiling me, but it is unclear.  If I want good website performance, I have to also accept personalization which is implied but not disclosed.
  3. Marketing Cookies – I understand I am going to be profiled if I accept these cookies. Intent is there, but it is not transparent who is going to get my data.  This statement lacks the clarity required by transparency, and the choice is all or nothing based on insufficient information.  Are they sending my data to 5 ad agencies or 250 ad agencies?  It is too general to be transparent, what are they hiding?

Brand A is a good example of doing the minimum to achieve compliance.  They do have a link for more information where we can visit their Privacy Policy which was effective the night before GDPR in clear and understandable language vs. legalese.

Brand B

Brand B’s cookie consent banner below (figure 4) gives the cookie intent with examples and data sharing activity along with a link to a cookie specific policy.  You have the choice to accept the cookie, or visit the cookie settings.

Figure 4

Clicking on Cookie settings opens a Privacy Preference Center (figure 5) with 4 categories of cookies to opt-in to and 2 information tabs.  They are transparent and clear with the intent, and they list the specific cookies used for each category.  I have control of each category, and I don’t have to accept profiling to get good site performance.  This site had 49 targeting cookies which had to be accepted all or nothing.

Figure 5
Brand C

Brand C’s cookie consent banner is brief, but straight forward (Figure 6).   They list 3 ways cookies are used and offer a link to their more detailed cookie notice.  If you don’t agree to the cookies, you can click on manage and a cookie control box pops up (Figure 7).

Figure 6
Figure 7

Brand C gives full control to check which of the 5 cookie categories you opt into or in this case out of.  They also allow you to opt out of each of their 265 cookies spread over 61 screens averaging 4.3 partners per screen.

Brand D

Brand D has really done nothing more than meet the pre-GDPR EU cookie notice pictured below (figure 8) with a link to a privacy policy and an accept button.

Figure 8

They give no real control, and they are not transparent about what is being done.  Your only choice is to accept or deny the cookie – all or nothing.

Taste Test Results

Brand D is not respecting privacy or being transparent and is likely not compliant.  Brand A is the example of doing the minimal for compliance.  As such, Brand A fails to meet the SHL transparency test of “coming out where we can see you” as we have no idea what 3rd parties are getting our data.  Choice and control are also limited.  Overall, Brand A is compliant, but is not respecting privacy or being transparent enough to warrant much trust.

Brands B and C are both respecting privacy and being transparent.  Brand B has the better UX design and is clearer, but Brand C gives more control.  Brand B could use more control as it prevents me from having personalization from say Google but not Facebook.  Both have moved beyond compliance and are winning trust.

Companies who actually respect privacy will make it easy to choose and maintain control of personal information.  Their efforts will be rewarded with greater trust.

Advertising Implications

The take away of this taste test is that compliance with no change in respecting privacy, transparency, control, and consent loses out to those who go beyond compliance.  The foundation of successful digital interactions is trust and merely complying doesn’t win that trust.

Smart companies will respect privacy before they are compelled to do so.  In a Post-GDPR world, this means that people outside of the EU are not treated with less respect for their privacy than EU citizens.  Companies may want to consider the messages they are sending about who they are if they are complying with EU citizens’ data privacy but continue business as usual for those outside the EU.  Respecting privacy wins in the new era of Advertising and Analytics done correctly.  What you waiting for?  Get your audience off the porch with transparent privacy and engage on the level of personalization (SHL Key 7) that leads to higher value relationships.

Comments are disabled here to consolidate replies here on Linkedin.