Stay Agile Blog

I write about the need for transparency, efficiency, equity, and diversification - in contracts, in tech stack development, in content pipelines, in media placement, in investment and revenue streams, in team and channel development, in attribution methods, and more. Read all posts. >>


Unstick Your Consent Management Processes

consent consumer data operations planning preference management state legislation May 15, 2023

New state data privacy laws in the U.S. have much in common with the EU's GDPR legislation, which went into effect in 2018. Which is good news, in that it gives those of us serving primarily U.S. constituencies with an already-in-place model from which to build.

One of the biggest consistencies between emerging state laws is that businesses will have a 45-day window to honor an audience member's request to view the data you've stored about them -- or to request you delete that data entirely.

A few key takeaways:

  1. Your privacy policy needs to set expectations about how a person can request access to or deletion of their data.
  2. You are responsible for providing the vehicle by which a person can request access to or deletion of their data. This includes providing a form for manual requests, as well as enabling cookie opt-in banners.
  3. You must honor requests for deletion of the audience member's data from whichever channels they note. 
  4. You have to be able to provide the paper trail confirming you've honored audience requests.

This is challenging for a few reasons: It requires you to have ongoing knowledge of the legislation transpiring throughout the U.S. states, which is changing regularly and includes a pending federal law. It requires you to understand all of the places you own audience data. And it requires you to have an operational process in place to ensure erasure happens in each of those places. For your sake, that process would preferably be automated and scalable.

To add complication, consider this use case from Ketch, in which a person invokes their right to have their data deleted. The identity marker they provide so that you can find their record is an email address -- which is all they are required to provide. However, some of your systems may not recognize that person based on an email address alone. Resulting in shenanigans.

Source: Ketch

In the example above, the company housing constituent data would have a challenging time using one piece of information to identify an audience member and subsequently honoring their request in an automated way.

Similarly, a person could invoke their right to erasure by using the Global Privacy Control Signal, which is considered in most states a valid way to submit this request and must be honored by the organization receiving it. This could also easily turn into a manual process if your systems aren't set up to easily operationalize.

There are several tools to make this process easier:

  1. Ensure your internal systems are set up to recognize a user's request to opt out when they use Global Privacy Control to do so. Doing this will require the support of a web developer who can ensure your backend recognizes the opt-out code, which is supplied automatically in certain browsers like Firefox and can be manually added to browsers like Chrome. Tools like OneTrust or a consent management system (see next point) can support you in both setting up your cookie opt-in banner and in enabling cookie blocking per user request so that your backend process these incoming signals without manual intervention needed. For organizations that collect user information, the GPC signal can be incorporated into your forms and passed through to your backend systems to allow for seamless permission integration.
  2. Consider a consent management platform that can automate opt outs throughout all of your systems. Ketch provides one of the most intuitive platforms I've seen on this front and, in the use case they present above, would support you by creating the identity resolution infrastructure to recognize Bob's email address and match that with their Hubspot Visitor ID.
  3. Look into an automated service like Termageddon to ensure your privacy policy is consistently updated as laws change and/or go into effect. Tools like Termageddon plug in via backend code, so you can trust you're always representing what you should be in your privacy policy. The key remaining factor, though, is to ensure that all of your internal teams are consistently aware of what's changed and how their processes comply or don't comply.


Need support determining how you're storing user information and whether you're in a position to honor audience requests?

>> Book 1:1 help to formulate your action plan or discuss an audit.

>> Contact me about ongoing support with your consent management strategy.


Stay ahead of change.

Sign up for tips to help you feel in control and in command of your audience reach.