Jan 16, 2020

Managing Customer Consent and Preferences in a Privacy-Conscious World

Satisfy heightened customer expectations by understanding the importance of data privacy and consent in an increasingly privacy-conscious world.

Chris Warnock, Specialist Analyst

January 1, 2020 marked the beginning of a new normal for consumer data privacy regulation in the United States. Although the California Consumer Privacy Act (CCPA), a statute passed in 2018 that went into effect on the first of this year, only applies to Californians, it has set a nationwide precedent for privacy as a basic right. As data privacy laws become increasingly fragmented by state, businesses need to take a holistic approach to managing customer information. Reacting after laws are passed means always being at least one step behind legislation and the competition.

It’s no secret that the government can’t keep up with the pace of technological advancement. Lawmakers are seldom technology experts, and consequently the politicians responsible for regulating the technology industry rarely understand how tech works and often fail to anticipate where it’s headed. While this doesn’t absolve the government from responsibility for regulating consumer data privacy, businesses can’t rely on legislation to set the pace of change. Understanding the value of strong and flexible privacy policies is the key to maintaining customer trust and gaining consent to collect valuable user data.


Consumers overwhelmingly support federal data privacy protections

A recent GetApp survey found that 87% of U.S. consumers believe that data privacy should be protected at the federal level. Additionally, 91% want the right to opt out of sharing their personal information with advertisers, and a similar portion feel they should have the right to opt out of tracking as they use a website.

Based on our survey results, people clearly want the government to take action by regulating businesses that gather and sell consumer data. They also want more control over whether or not their data is collected, and the ability to opt out of data collection at their discretion. Despite these universal sentiments, most people remain unaware of major privacy laws like CCPA and the General Data Protection Regulation (GDPR). The same survey found just 29% of consumers have heard of GDPR, and only 24% are familiar with CCPA.

Even if most people don’t follow the legal developments around data privacy, the vast majority of Americans want the protections they provide. Some companies are more prepared than others when it comes to privacy. For example, Mozilla is making new privacy protections developed for CCPA compliance available to all users of its Firefox web browser. Meanwhile, Microsoft is honoring California’s privacy rights for users throughout the entire U.S. Both organizations understand that establishing CCPA-compliant policies for everyone is the most prudent approach to future-proofing their business as privacy laws continue to mature.


By nature, the CCPA is more likely to apply to larger businesses

The CCPA impacts any organization that earns $25 million in revenue per year, sells 50,000 or more consumer records per year, or derives 50% of its annual revenue from selling personal information. Since most small businesses don’t meet these annual revenue requirements, large companies and SMBs that are heavily active in the data economy will make up the bulk of impacted groups.

Of the companies that satisfy the CCPA requirements, most are unprepared to comply with the new law in part because certain provisions remain open to interpretation—making the specifics of compliance and enforcement somewhat grey. While many smaller businesses don’t proactively implement data privacy protections simply because they aren’t required to, the convoluted nature of this nascent legislation is understandably not something most companies would voluntarily subject themselves to.


Most companies should raise the bar for data privacy standards anyway

Much like large companies giving the same CCPA privacy rights to users outside California, smaller companies that aren’t required to meet compliance standards should strive to do so anyway. Small and medium-sized businesses need to view improvements to data privacy policy the way enterprise players do: as a long-term strategy for building customer trust.

Imagine that you are a small business operator and one day laws are passed that require all businesses that touch any private user data to meet requirements similar to CCPA or GDPR. Alternatively, your company could grow large enough to satisfy the revenue requirements of existing laws. Businesses need to understand modern consumer expectations around privacy, as well as expanding legal requirements, before the emerging status quo catches up with them.


How to build user trust with data privacy

Build customer trust by understanding why people share personal data and consent to tracking, as well as what their expectations are after they hit “agree.” 

Become a brand your target customers know and provide “must-see” content. 

Consumers trust businesses they are familiar with and are more willing to share personal information with brands they know. Additionally, if people want to see website content badly enough, they will share their information to gain access to it.

Give users control over their data.

Our survey found that 85% of consumers would be more willing to share their personal data if they were able to see everything that was collected about them, while 90% said they would be more willing to share their personal data if they were able to delete it at a later date.

Offer something of clear value in exchange for user data.

Our survey found few consumers consider functional benefits such as simplifying the login process, or the specific terms and conditions that come with accepting cookies. Additionally, just 21% of consumers report a desire to see personalized content on a website as a reason for accepting cookies, despite this often being why websites ask permission to use cookies in the first place. 

While it is important to clearly articulate how cookies or personal data will be used, be sure to also communicate a clear value add to users in exchange for their cooperation. Most consumers are data pragmatists, and will trade their personal data for the right benefits or under the right circumstances. 

Here are some additional quick tips:

  • Avoid asking customers for information that you don’t have a specific use for.

  • Shorter forms have higher conversion rates.

  • Limiting the amount of customer data your business houses will mitigate exposure if a data breach occurs.


Customer experience around data privacy has room for improvement

In general, people find it difficult to opt out of having their personal information collected and stored while they are online. Beyond this, most people have felt forced to provide information or accept cookies as a condition for accessing a website or its content. To thwart this, many people provide false personal details. 

We found that 71% of consumers admit to providing fake personal information (e.g., name, email address) in order to access website content. False information isn’t useful to advertisers, and consumers shouldn’t feel forced to choose between using a purportedly free service and giving away information or consenting to being tracked. Our survey identified a few factors contributing to poor customer experience when it comes to data privacy:

Opting out of data collection and accessing stored data is difficult.

More than half of consumers (53%) feel that the process for opting out of having their personal information collected and stored for marketing purposes is difficult. When we asked consumers if requesting a copy of the personal information businesses collect on them was easy, 79% said that it wasn’t.

Users feel forced to provide information or accept cookies for website access.

81% of consumers say they have felt forced into providing pieces of personal information in order to access content or continue to use a website, while 82% say they have felt forced to accept cookies in exchange for website access.


What are consent management platforms (CMP)?

Consent management platforms (CMP) help businesses create, manage, and enforce privacy policies. This means automating the processes around soliciting user consent before collecting data, as well as handling user requests to access and delete stored information. Companies impacted by CCPA need to provide opt-out consent, for example. 

This means giving consumers the option to revoke implied permission to sell their personal data. Conversely, under GDPR consent requires deliberate action from users to opt in, as opposed to the “on by default” approach taken by California’s new law. There is contention over whether pre-checked boxes should qualify as consent from users. 

Regardless of the requirement, correctly configured CMPs should enable companies to set and enforce policies that meet their standards (and perhaps even exceed the standards set by privacy legislation). Consent management software simplifies the process for users opting in or out of data collection, as well as accessing and deleting stored data. This helps create a smooth, transparent customer experience while ensuring compliance with privacy regulations.


In December 2019, GetApp used Amazon Mechanical Turk to survey 390 consumers. Respondents were required to reside in the U.S. and self-report both consuming online news and shopping online at a minimum frequency of once per month.

NOTE: This document, while intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
