As state, sector and international privacy laws get passed with increasing frequency, more companies are adopting cookie consent banners. This is in order to comply with requirements of these laws to obtain user permission or provide opt-out options for data sales.
However, many companies that believe they are compliant after implementing a consent management platform (CMP) are finding that they are not covered as well as they thought. This puts them at risk of unknowingly misleading consumers, and as a result, of landing in the crosshairs of a private lawsuit or an enforcement action such as an Unfair and Deceptive Practices Act (UDAP) violation.
Deception is invoked whenever something misleads consumers, intentionally or not. As a result, plaintiffs’ attorneys are sending demand letters alleging that some consent banners, intentionally or unintentionally, mislead website visitors about the way their data is collected and used.
In this article, we’ll explore why this happens and why retailers in particular need to pay close attention when setting up their consent banners.
Your Cookie Banner’s Blind Spot: Overlooking Tech
Let’s start with the basics: companies need to know what’s running on their websites. This visibility is critical to making everything transparent and understandable for visitors, ensuring they can give informed consent. But this is easier said than done due to technical challenges and common mistakes.
This may seem obvious, but cookie consent managers typically surface only cookies. What about all the other ways data is collected that aren’t cookies? Some pixels, tags, and fingerprinters gather personal data, yet these often don’t get flagged by consent tools. Additionally, these scripts may drop further cookies that aren’t listed in your consent banner.
Another significant issue is the infrequent and inconsistent scanning for new tags on your website. The consent banner becomes outdated quickly, sometimes in days. New tech gets added to websites all the time, often introduced as a piggybacker on another tag, which then collects data without being detected by the banner. Users can’t consent to it if it’s not presented to them. The result is that tracking cookies will get served in a “Reject All” state.
Misconfigured Consent Banners: Another Data Leak Risk
Sometimes, it’s a matter of incorrect configuration leading to data leaks.
In most cases — 90% according to our research — ad tech is dropped before the cookie consent banner loads. On average, we found 18 third-party cookies loading on the page before the consent banner appeared. This means users don’t have a real choice in sharing their data with those third parties. This issue often stems from how the consent tool is implemented on the site.
The incorrect categorization of cookies and tags is another problem. The challenge lies in the subjective nature of cookie classification, as there’s no universal standard, leading to confusion and potential mismanagement. What’s important in the U.S. is to make sure that users can opt out of any optional cookie, meaning not Strictly Necessary or Functional.
For example, some “Targeting” or “Advertising” tags may get labeled as “Strictly Necessary,” allowing them to run when a visitor expects all targeting tags to be blocked. In extreme cases, the sheer volume of cookies can overwhelm the compliance team. We’ve scanned sites with as many as 473 third-party cookies — properly managing and categorizing them can become daunting.
Another all-too-common user error occurs when the consent banner is completely missing from certain pages. New web pages, microsites and campaign landing pages can be overlooked or forgotten, yet they still pose a significant risk. Similarly, the user needs to be able to opt out, so a banner that only presents “Accept All,” for example, could be considered deceptive.
It’s also crucial to allow users to change their consent preferences. Ensure that once they’ve made their choice, the banner remains accessible if they want to adjust it. Some regulations require that users have the option to withdraw their consent at any time, and if this option isn’t easily accessible, the organization may face compliance issues.
Dark Patterns
Lastly, let’s briefly touch on intentionally misleading practices. Dark patterns in cookie consent are often unintentional; here are some of the most common examples that subtly push users into accepting tracking cookies or data collection — often without the user fully understanding what they’re agreeing to.
Common mistakes include pre-selected consent checkboxes, confusing language that obscures the real intent, hard-to-find options to decline cookies, frustrating multi-step processes to reject cookies and banners that pretend to offer a choice but only provide an “accept” option. These tactics, whether intentional or due to poor design, undermine user privacy and risk noncompliance with evolving privacy laws that increasingly demand explicit and informed consent.
Having these dark patterns on your site is a surefire way to get in trouble with both regulators and private lawsuits, so avoid them at all costs.
So Why Does This Matter So Much for Retailers?
Building trust with shoppers is crucial — if they feel their data isn’t secure, they’re less likely to buy from you. Online consumers know that their data security and privacy are at risk when transacting online, given the sensitive financial information and sometimes personal products involved. If they’ve explicitly opted out of data sharing but then see ads or marketing related to their purchase, it’s a direct breach of their trust, which can translate into actual business losses.
Beyond the trust and revenue issues, sharing purchase data related to sensitive products may also violate privacy laws. For example, data related to medical conditions is protected under Washington’s My Health My Data Act, and financial products have additional safeguards. Certain retail products related to health, wellness and fitness have additional protections as well.
Steps to Resolve These Issues
First, assess your current consent management practices. Ensuring they’re up to par is crucial to avoiding legal pitfalls and maintaining user trust.
- Configure your consent management platform correctly: Ensure that the CMP script loads before other tech, is visible on every webpage and is comprehensive. Verify that trackers are properly classified, particularly those labeled “strictly necessary,” which should encompass only core site functions. Use consent verification tools to spot issues automatically.
- Confirm Reject All: Confirm that no tracking technology is served when a user selects “Reject All,” and confirm this externally, i.e. with a tool separate from the CMP.
- Keep it up to date: Scan and update your cookie consent often, at least once a month if not weekly. Confirm that you have a complete and categorized list visible to your users.
- Avoid misleading dark patterns: Stay vigilant in configuring your technology and avoid deceptive practices. Address any problems promptly to minimize fines and prevent recurring legal issues.
- Maintain a clear privacy policy: Keep your privacy policy simple and accessible. Communicate any updates to users.
- Show good faith: Your intent matters. Demonstrating a lack of malicious intent can help reduce penalties and mitigate damages.
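The checks described above (ad tech firing before the banner, cookies missing from the declared list, ad-tech cookies labeled “strictly necessary,” and trackers still set after “Reject All”) can be automated once you have a capture of which cookies were set and when. The following is an added example, not code from the article or from LOKKER; the event format, the host names and the sample capture are all constructed assumptions, and recording the events from a headless-browser session is left out.

```javascript
// Added example (not from the original article): an offline audit of a captured
// cookie log against the CMP's declared cookie list and the consent timeline.
// The event format is an assumption; a real run would feed events recorded by a
// headless-browser session (one event per Set-Cookie or document.cookie write).

const SITE_HOST = "shop.example"; // assumed first-party host
// Categories the article treats as non-optional for U.S. visitors.
const NON_OPTIONAL = new Set(["strictly_necessary", "functional"]);
// Constructed list of ad-tech domains that should never be "strictly necessary".
const AD_HOSTS = new Set(["doubleclick.net", "facebook.com"]);

function isThirdParty(domain, siteHost) {
  return !(domain === siteHost || domain.endsWith("." + siteHost));
}

// events: {t, type:"cookie", name, domain} | {t, type:"banner_shown"} | {t, type:"reject_all"}
// declared: {cookieName: category} exactly as the banner's cookie list shows it
function auditConsent(events, declared, siteHost = SITE_HOST) {
  const bannerAt = events.find(e => e.type === "banner_shown")?.t ?? Infinity;
  const rejectAt = events.find(e => e.type === "reject_all")?.t ?? Infinity;
  const findings = { beforeBanner: [], afterRejectAll: [], undeclared: [], badNecessary: [] };

  for (const e of events) {
    if (e.type !== "cookie") continue;
    const category = declared[e.name];                  // undefined => not in the banner
    const optional = !(category && NON_OPTIONAL.has(category));
    if (!category) findings.undeclared.push(e.name);
    // Third-party cookie dropped before the visitor could see any choice at all.
    if (isThirdParty(e.domain, siteHost) && e.t < bannerAt) findings.beforeBanner.push(e.name);
    // Optional (or undeclared) cookie still being set after "Reject All".
    if (optional && e.t > rejectAt) findings.afterRejectAll.push(e.name);
    // Declared non-optional, yet it belongs to an ad-tech domain: miscategorized.
    if (!optional && AD_HOSTS.has(e.domain)) findings.badNecessary.push(e.name);
  }
  return findings;
}

// Constructed sample capture (t = ms since navigation start).
const SAMPLE_EVENTS = [
  { t: 120,  type: "cookie", name: "session_id",  domain: "shop.example" },
  { t: 300,  type: "cookie", name: "IDE",         domain: "doubleclick.net" },
  { t: 340,  type: "cookie", name: "_fbp",        domain: "facebook.com" },
  { t: 900,  type: "banner_shown" },
  { t: 5000, type: "reject_all" },
  { t: 5200, type: "cookie", name: "_ga",         domain: "shop.example" },
  { t: 5300, type: "cookie", name: "test_cookie", domain: "doubleclick.net" },
];
const SAMPLE_DECLARED = { session_id: "strictly_necessary", _ga: "analytics",
                          _fbp: "advertising", IDE: "strictly_necessary" };
console.log(JSON.stringify(auditConsent(SAMPLE_EVENTS, SAMPLE_DECLARED), null, 2));
```

Any non-empty finding list is a banner defect of the kind the article describes; running the audit against a capture from a tool other than the CMP itself is what the “confirm externally” step above asks for.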
By being proactive and transparent with your consent management, you stay compliant and build trust with your users, shielding your organization from potential legal troubles.
In conclusion, mistakes in consent management can lead to unauthorized data collection, erode user trust and result in hefty fines. Understanding what a consent manager can and cannot do, and following the steps above, is key.
As CEO and Founder of LOKKER, Ian Cohen is dedicated to providing solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen served as CEO for Credit.com and CPO for Experian, where he focused on consumer-permissioned data.