Defining Consent Events

This document covers the requirements of regulatory compliance and how consent events are used to help organizations comply.

Consent, Data Use, and Complying with Regulation

Capturing consent is the baseline for all current data privacy regulation, but very few brands are using consent in any of the ways it can save them money. Consent, if it’s captured at all, is most often limited to a browser clickthrough agreement like accepting cookies. Unfortunately, this level of consent doesn’t even help brands comply with the full rules of data privacy regulation. For example, California’s privacy law (CCPA) and the EU’s (GDPR) both require that people have the option to ask for a copy of their data, request changes to it, or ask for it to be deleted entirely. When properly implemented, consent records can reduce the cost of data privacy requests (Data Subject Access Requests or DSARs) and can even automate data maintenance and compliance.

It’s not just about saving money either: Concord even uses consent records to improve the accuracy, recency and effectiveness of customer data.

It’s useful to think of a captured record of consent as a receipt for data use. If you are specific about what you want data to be collected and used for, then when a user accepts the data use consent, it becomes an easy-to-manage lever for maintaining data privacy compliance and can be the trigger for marketing, advertising and sales automation.

Use Cases for Consent

Compliance - The most basic use case for consent means that people have a valid, freely given, specific choice about the collection, storage and use of their data. Personal data includes more than names and email addresses; it includes marketing, product and behavioral data, an IP address (even a portion of it) and more.

Concord’s consent network works with your cookie consent popups (3rd party or custom built) to capture consent in an auditable record. When people choose to control their consent or view it across devices, anonymous consent records are attached to the person’s verified profile, including a customer ID or hashed personal ID that can be added to consent records.

DSARs - A data subject access request (DSAR) is a request in which a person exercises any of their rights under regulation. DSARs are typically a request for a full copy of data, a request to change specific information, or a request to delete some or all of their information. Few organizations are equipped to comply with any of these.

An accurate and complete record of consent, however, can represent entire customer profiles, specific data shared or collected, EULAs and site terms of service.

Concord’s consent network allows organizations to define consent records for any and all types of agreements or stored information. When someone (anonymous or known) accesses Concord and requests a history of their consent or a complete record of their data shared along with when and where, Concord will first verify their identity (email security code at initial release, mobile two-factor authentication is coming soon) and then present the full list of consent and data shares to the user. This allows brands to build trust with people (avoiding many opt-outs) and to comply with regulation.

Automation - Concord’s APIs allow brands to create a data feed to automate the process of creating consent for customer profiles and to notify brands when the consent changes. Consent updates also include requests to change, renew or update personal information like updated email addresses. All consent status changes specify which piece of information they apply to and what action is expected to take place so that brands can automate their compliance without needing to involve support or other people to process the requests.

Data Quality - Stale and inaccurate customer data is a problem for every business. Concord helps brands update and refresh their data with information validated by people themselves.

Owners of any consent record can log into Concord, independently of brands, and view their history. It may simply be a list of consent events or it may also include showing them the contents of their personal Concord data vault (private to the owners themselves).

Brands can use Concord’s “Better Data” products, site add-ins and client library code to make it easy to ask people to add to, update or renew data and consent in their data vault. By allowing people to own and control their data, they get better service as they maintain their data and keep it renewed.

Rewards and Incentives - Concord can add reward points and non-fungible incentives (like coupons and discounts) to brands’ efforts to update and improve their customer data. People who continue to share their information with brands get ongoing benefits, and it’s a built-in part of the consent transactions.

Custom Consent Event Use Cases

Use Case: Custom or 3rd Party Cookie Consent Notifications and Settings

Some sites create their own cookie consent popups, some of which also contain toggles that match GDPR standard practice related to Analytics, Performance, or other cookie options.

Use Case: Mobile apps or other software

Software developed natively in Xcode, built on a mobile game platform like Unity, or created as another kind of software may not have any HTML to add the Concord JavaScript code into.

Use Case: Read receipts for Terms of Service, Clickthrough agreements, EULAs...

Many online services, cloud services, and software solutions require users to read and accept agreements before use of the service. Capturing the history of each required element in such agreements is another good use case for adding Concord consent events.

Custom Types of Consent Events to Consider

Step 1: Do you need to capture a "view" event (like scrolling through a EULA to its end)?

Example: A person playing an online game must agree to the terms of service that specify the game developer is not responsible for instability of internet connections or service outages. Concord captures a consent event when she scrolls to the end of the entire agreement before being allowed to continue.

Step 2: Do you need to capture an explicit acknowledgement?

Example: A software EULA has an "I Accept" prompt at the end of the agreement. Concord captures the explicit agreement noting the "accept" state.

Step 3: Do you need to capture a link to the username, internal ID, signature or other identifying element of the user?

Example: A new user creates a login using her email address. This email address is the primary key in the customer record. When she logs in for the first time and sees the clickthrough agreement, Concord captures her username (email) as part of the consent event and agreement.

How to Collect and Process Consent Events

Consent Network

Every org can start simple and build their consent records over time. For each type of consent, brands create a consent event definition and register it with the Concord Consent Network. Consent event types can be based off of common templates like site terms, social media, data collection and more.

Brands should inventory the core agreements that they want. Orgs can start with a few prioritized core consent types:

  • Start with site consent and cookie consent popups. Create a consent type for each data use type that matches your site terms.
  • Note: Concord can perform an audit on your websites and properties and help create an initial list of consent types appropriate for your sites or applications.
  • Add consent for each use of data. This helps for compliance (GDPR, CCPA and others require detailed disclosure of how data is used) as well as makes DSARs much easier to process and automate.
  • Create a consent definition for apps, applications, EULAs or other agreements.
  • Add consent for specific and often changed, requested or key information. The ideal state will be automation of executing user requests related to maintenance of their information.

Consent through Concord Add-in for Websites

From the Concord Admin console:

  1. Navigate to the Compliance features admin screen
  2. Create consent types using the Consent builder
  3. Be sure to create consent types for each “project” for the brand. A project can correspond to a website domain or it may be for a mobile application or even live consent events like tradeshows and healthcare.
  4. Once the correct consent types are created, copy the code to include in your sites and apps. The JavaScript include code also contains the project ID for the site, so be sure to copy the right ones for each respective project.
  5. Concord has a code library and APIs to help developers implement apps that are not HTML-based.

Implementing Consent in Apps or Custom Website Add-ins

Add listeners and click actions to capture Consent Events

concordReady

If you are using your own or a 3rd party cookie consent popup, for example, the selection toggles for consent options would go in the concordReady function.

addConsentEvent

Adding consent events by category and type.

If this is an on/off toggle, be sure to submit the correct “grant” based on the state of the user’s consent to accept or deny the grant.

window.concord.addConsentEvent: parameters
//required: category, required: urnType, required: grant, optional: details

Additional Functions - Current User Consent Status

getConsentHistory

To properly display the current status of a user’s consent for any specific consent type, use getConsentHistory.

For example, this allows developers to properly display the state of cookie consent options.

Developers should use the grant or deny state of consent in conditional code to turn off trackers that the current user may have declined.

window.concord.getConsentHistory

findConsentEventByType

Returns any consent events that match a specific type.

This is useful for selecting the consent events that match a specific use in common website or application code like turning on/off social features or tracking based on user consent.

window.concord.findConsentEventByType: parameters
//required: category, required: type, optional: version

findConsentEvent

Because terms of service, cookie consent options, etc. are updated regularly, consent events contain a version when they are executed, so it is clear which version of the terms the person accepting the consent terms agreed to.

Since developers will want code that remains up to date regardless of when terms are updated on the site or in the application, new consent events default to the latest version.

An important (but optional) use case, however, is that developers may want to automatically trigger a new consent popup or notification if the current user accepted a previous version. Passing the dataURN to the findConsentEvent function will return the status of a specific consent as well as the latest version.

Specific consent events by type can be referenced with the dataURNs (registered in the Admin console for Concord).

window.concord.findConsentEvent: parameters
//required: dataUrn
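
The toggle handling described under addConsentEvent and the version check described here, as an added example that is not Concord's own code. Assumptions: `concord` stands in for window.concord, grants are the strings 'Allow' and 'Deny', findConsentEvent synchronously returns { grant, version, latestVersion } or null, the details object shape and the urn:example: URN format are placeholders, and makeStubConcord is a constructed stand-in so the logic runs without the Concord script.

```javascript
// Added example. Return shapes and string grant values are assumptions.
const GRANT = { Allow: 'Allow', Deny: 'Deny' };

// Write path: record one consent event per toggle. Anything that is not
// strictly `true` (unchecked, undefined, missing) is recorded as Deny.
function recordToggles(concord, category, toggles) {
  return Object.entries(toggles).map(([urnType, checked]) => {
    const grant = checked === true ? GRANT.Allow : GRANT.Deny;
    // Parameter order follows the page: category, urnType, grant, details.
    concord.addConsentEvent(category, urnType, grant, { source: 'UserClick' });
    return { urnType, grant };
  });
}

// Read path: decide what to do for one registered dataURN. Fails closed:
// only a current-version Allow returns 'load'; callers must not start the
// tracker on 'prompt' or 'block'.
function decide(concord, dataUrn) {
  let ev;
  try {
    ev = concord.findConsentEvent(dataUrn);
  } catch (e) {
    return 'block'; // lookup failed: do not track
  }
  if (!ev) return 'prompt';                    // no decision on record yet
  if (ev.grant !== GRANT.Allow) return 'block'; // user declined
  // User accepted, but possibly an older version of the terms.
  return ev.version === ev.latestVersion ? 'load' : 'prompt';
}

// Constructed in-memory stub (not the real library) for offline runs.
function makeStubConcord(latestVersions) {
  const events = new Map();
  return {
    addConsentEvent(category, urnType, grant, details) {
      const urn = `urn:example:${category}:${urnType}`; // placeholder format
      events.set(urn, { grant, version: latestVersions[urn] ?? 1, details });
    },
    findConsentEvent(urn) {
      const e = events.get(urn);
      return e ? { ...e, latestVersion: latestVersions[urn] ?? 1 } : null;
    },
  };
}
```

In a page, call decide(window.concord, dataUrn) before injecting each tracker script and show the consent popup again when it returns 'prompt'.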

Development and Debugging Functions

window.concord.grant

Returns an enum of allowed grant values

  • Allow
  • Deny
  • Accept

window.concord.consentSource

Consent events can also specify where the consent was obtained. For most applications they are triggered by user actions but in some cases consent was obtained from another source.

  • 'UserClick',
  • 'UserLogin',
  • 'UserSignature',
  • 'UserRegistration',
  • 'ExistingDataImport',
  • 'ExistingDataLegacy',
  • 'ExistingDataExternal',
  • 'MaintenanceDataExpiration',
  • 'ComplianceUserRequest',
  • 'ComplianceInternal',