Increasingly, brands need consent banners that are compliant, functional, and UX optimized. If you don’t know whether you need a consent banner, start with this post.
Current Consent Banner Landscape for Health-Related Companies
Healthcare companies will have to navigate an increasingly complex regulatory landscape for data collection and sharing to ensure compliance with the law. Because of this, some companies are taking the route of featuring trust as a core value or differentiating factor. They comply as if the regulations applied to them, even if they might not be affected.
Current Focus Areas for Consent Banner Laws
Some of the key focus areas are as follows:
- Accuracy of Claims: Healthcare companies must ensure that any claims made in advertising are accurate and not misleading. In the context of a consent banner, this means ensuring that the stated position and the configured preferences on the banner are actually respected by the site and related technologies.
- Privacy and Data Security: Healthcare companies collect a significant amount of sensitive information. The company must ensure it respects privacy laws and clearly communicates its data use policies to customers. There may also be concerns about how this data is stored and protected from unauthorized access. In the context of a consent banner, this may reflect the need for additional disclosures in the banner, preference center, or privacy notice made available to users.
- Ethical Considerations: Healthcare testing can reveal sensitive information, such as potential health conditions. These companies should consider these ethical implications in their data sharing to ensure it does not inadvertently cause harm or distress.
- Regulatory Compliance: Healthcare organizations are often subject to rules set forth by the Department of Health and Human Services and the Federal Trade Commission. A successful consent strategy needs to ensure compliance with regional laws governing data collection and data protection.
“C” Was for Cookies, Now it’s for Consent
In addition, a number of privacy-related controls now exist in the browser and mobile platform markets, which can make campaign targeting and measurement difficult.
Ranging from Chrome’s phase-out of 3rd party cookies (slated 2024) to Apple’s App Tracking Transparency and related privacy tools, these technology restrictions will combine with the regulatory changes described above, so new tactics and channels will need to be evaluated on a consistent basis. Reviewing and updating tactics and channels will ensure that they remain compliant and that they continue to fulfill their expected purpose.
Healthcare companies will need to ensure that any campaigns run comply with the relevant policy guidelines (Apple/Google) for the mobile space, including ensuring relevant disclosures appear on the mobile store pages and privacy notice.
On the World Wide Web, healthcare companies will need to monitor changes in the targeting and measurement capabilities of vendors and ensure that they remain compliant with relevant regulations in the respective regions in which they operate.
Consent Banner Design Considerations
Our survey of 294 brands showed that most are at high risk for noncompliance. Consent banner design considerations are one part of the puzzle that can help bring brands into regulatory compliance and meet customer expectations as technology shifts.
Banner placement is one of the choices that must be made when installing a consent management system. Should it be top or bottom? A popup? Left or right corner? Many possibilities exist. If your focus is to reduce user friction by having a common UX pattern, it may be best to look at the most common placements. In our review of 52,000 websites, we found the following ratios (rounded):
[Table: banner placement vs. percentage of sites; the rows were not preserved in the extracted text]
Aligning the consent banner to the bottom of the window was over 10x more common than any other alignment. While many consent platforms allow for alternate configurations, given the prevalence of this placement, consumers are being trained to expect the consent banner in this location. Use of alternative placements thus risks the user missing the banner.
Implied vs. Explicit Consent
Consent is broken down into two types, Implied and Explicit.
Implied consent means presenting a banner or other notice and stating that continued use of the site or application constitutes consent. In this presentation, the user doesn’t take an overt action, and, if they decline, they are forced to stop using the service. Implied consent is not recognized as valid or binding under several regulations and technical policies and should be considered carefully prior to adoption.
Meanwhile, explicit consent presents the user with a choice, and the user must make a selection of acceptance via button, checkbox, or other mechanic. This is increasingly being required under various regulations.
Default Consent: Opt In vs. Opt Out
When obtaining consent, there is often a need for a default consent selection. Options here include opt-in and opt-out. Various regulations may force one or the other, and both are explored below.
Opt-In: In an Opt-In scenario, no data is collected unless the user has consented (commonly via some explicit action). This is the consent method required in the European Union and related areas. Collecting data without consent is seen as a violation and is subject to enforcement by the regulatory authorities.
In the United States, use of Opt-In consent may be required under specific laws when collecting sensitive information such as health data.
Opt-Out: Under this consent configuration, data is automatically collected unless the user takes some action to indicate they wish for data collection to cease. If such action is undertaken, the organization is required to honor the request and cease sharing or selling the data (this varies by law). Opt-out consent is common in the United States and reflected in multiple State laws for non-sensitive data collection. Such a consent setting may be viewed as illegal in other regions.
Our recommendation: We recommend leveraging the appropriate consent style for the region. Such configurations should be reviewed often in light of the current state of affairs, with regulations changing requirements often.
Dark patterns are design techniques used to impair a user’s ability to make an informed decision regarding consent. These can take many forms, such as nudging a user via color selection, pre-checking checkboxes, or using legalese. Recent regulations have begun to explicitly state that the use of such techniques will invalidate any consent captured. This may put the employing organization at substantial legal risk.
Dark patterns are actively enforced against. In May 2023, the Italian Data Protection Authority fined a marketing agency 300,000 Euro for several General Data Protection Regulation (GDPR) violations.
Our recommendation: We strongly advocate for developing a consent pattern that avoids the use of dark patterns to reduce risk and potential liability.
Universal Preference Signals
Several of the upcoming State regulations require acknowledgement of and compliance with a Universal Preference Signal, which will act as the user’s expression of their desired consent preference. While most states have yet to specify which signals will be valid under their laws, California has stated that organizations subject to the California Consumer Privacy Act must honor the Global Privacy Control.
A Consent Management Platform should be able to detect this signal, and opt users out of data sharing automatically. The site behavior may also need to test for this signal and alter behavior when the signal is detected.
California does conduct enforcement sweeps for this signal, and in 2022 reached a settlement with Sephora. Part of the charges against Sephora included non-compliance with the Global Privacy Control signal.
Some of the technical considerations for consent include that specific consent signals may be required for different use cases. For example, Google will require publishers in the EU to obtain and provide to them a TCF (Transparency and Consent Framework) string as part of serving ads in 2023.
Further, we see more organizations adopting server-side technologies for tag management in order to mitigate the impact of data leakage and develop stronger data governance practices. Even in this configuration, organizations may be compelled to obtain consent prior to collecting or forwarding data. Organizations may have to ensure that the consent signal is propagated throughout the data flows as a result.
Finally, should a traditional client-side tag manager be leveraged, proper integration between the consent management platform and the tag management system is essential for compliance. Take care to ensure that what the consent banner claims is actually enforced by the tag manager, to mitigate the risk of regulators finding the banner’s claims deceptive.
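As an added example (not code from the original post, from Search Discovery, or from any consent platform), here is a minimal JavaScript consent gate tying together the points above: it reads the Global Privacy Control signal from `navigator.globalPrivacyControl`, loads tags only for the categories the user accepted, and attaches the consent state to an event forwarded to a server-side tag manager. The category names, the tag registry and the forwarded payload shape are constructed for illustration; `nav` is passed in explicitly so the logic can be exercised outside a browser.

```javascript
// Added example: a minimal consent gate for a client-side tag manager integration.
// Assumptions: three constructed categories; "advertising" is treated as the category
// covering sale/sharing of personal data, so an active GPC signal opts the user out of it.

const CATEGORIES = ["necessary", "analytics", "advertising"];

// Resolve the effective consent state from the banner choice and the GPC signal.
// Default is opt-in: nothing beyond "necessary" runs until the user explicitly accepts.
// `nav` is the browser's `navigator` in a real page; GPC sets navigator.globalPrivacyControl.
function resolveConsent(bannerChoice, nav) {
  const gpc = Boolean(nav) && nav.globalPrivacyControl === true;
  const consent = { necessary: true, analytics: false, advertising: false, gpc };
  if (bannerChoice && bannerChoice.analytics === true) consent.analytics = true;
  // GPC overrides an "accept" click for the sale/sharing category.
  if (bannerChoice && bannerChoice.advertising === true && !gpc) consent.advertising = true;
  return consent;
}

// Each tag declares the category it needs. A tag whose category was not accepted is never
// loaded, so the banner's claim ("we only set X with your consent") is enforced in code.
function fireTags(tags, consent) {
  const fired = [];
  const suppressed = [];
  for (const tag of tags) {
    if (!CATEGORIES.includes(tag.category)) {
      throw new Error(`tag ${tag.name} has unknown consent category ${tag.category}`);
    }
    if (consent[tag.category] === true) {
      tag.load();
      fired.push(tag.name);
    } else {
      suppressed.push(tag.name);
    }
  }
  return { fired, suppressed };
}

// When events are forwarded to a server-side tag manager, the consent state must travel
// with the event so downstream forwarding can be gated the same way (constructed shape).
function buildServerEvent(eventName, consent) {
  return {
    event: eventName,
    consent: { analytics: consent.analytics, advertising: consent.advertising },
    gpc: consent.gpc,
  };
}

// Demo with a constructed navigator-like object: GPC is on, and the user clicked
// "accept all" in the banner. The ad pixel must still stay suppressed.
function demo() {
  const fakeNavigator = { globalPrivacyControl: true };
  const consent = resolveConsent({ analytics: true, advertising: true }, fakeNavigator);
  const loaded = [];
  const tags = [
    { name: "session-cookie", category: "necessary", load: () => loaded.push("session-cookie") },
    { name: "web-analytics", category: "analytics", load: () => loaded.push("web-analytics") },
    { name: "ad-pixel", category: "advertising", load: () => loaded.push("ad-pixel") },
  ];
  const result = fireTags(tags, consent);
  return { consent, result, loaded, serverEvent: buildServerEvent("page_view", consent) };
}
```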
Preference centers, which we recommend, provide additional information or context to the user about the types of data shared, their purpose, and even which vendors the data are shared with. Consent platforms can display this data in a number of ways.
In our review of nearly 52,000 websites, we found the following:
[Table: preference center style vs. percentage of sites; only the row label “Centered Popup with Tabs” survives in the extracted text]
Most observed displays (85%) had the preference center open in the middle of the window as a popup. Of those, more than a third (35%) elected to use a tabbed display to present the user information for the various categories of data collection.
Our recommendation: We recommend either display over the slide-in panel, which was far less common in our testing.
US Privacy Law Consent Banner Considerations
Increasingly, privacy laws have been passed around data collection in general and, in some states, with enhanced protections for health data. Some of these considerations are highlighted below.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA sets rules for when and how health information can be shared, which could impact genetic testing companies depending on what information they collect and how they use it for covered entities.
In December, the Health and Human Services Office for Civil Rights (OCR) released a bulletin reminding HIPAA-covered entities of their responsibilities. The guidance reminds entities that sharing data with a vendor requires a Business Associate Agreement (BAA) governing that vendor. Transmission of data to a vendor without a BAA requires a HIPAA Authorization from the end user. The OCR has made clear that a consent banner selection does not meet the standard required for HIPAA Authorization.
Enforcement has increased in recent months against healthcare provider organizations that make claims around data use and sharing that are not followed via technical controls.
Federal Trade Commission (FTC)
The FTC regulates advertising and related claims to ensure they are not deceptive or misleading under its Section 5 powers (Section 5 of the FTC Act). Therefore, healthcare companies must ensure their marketing materials and data sharing consent claims are accurately represented on the websites and mobile apps in use.
The Health Breach Notification Rule is an FTC rule that can apply in some cases to health information when it is held by entities not covered by HIPAA. Of note is the first-ever enforcement action of this rule against GoodRx, which sought $1.5m in fines and numerous corrective actions.
The FTC has also recently issued a notice of proposed rulemaking to enhance this rule in the coming year.
Search Discovery recommends an audit for your data collection, which we can help with. Contact us below to learn more.
State Health Data Regulations
State laws around biometric information are more limited than the general privacy laws, which have seen a surge in recent years. Currently, special conditions may apply to biometric data collected and used for residents of Illinois, Texas, California, and Washington State. These laws often apply special considerations to insurance or employment contexts, and so we urge caution for those use cases. We expect to see more laws in this area in the near future.
While many of the laws are new, Illinois is known to be aggressive in the enforcement of its Biometric data laws, recently winning a landmark case against Clearview AI in 2022. In February of this year, the Illinois Supreme Court ruled that claims can be filed for cases going back as far as five years, and claims can accrue every time data is collected and disclosed, which expands possible risk for companies dealing with the State’s Biometric Information Privacy Act.
State Privacy Regulations
Notably, a number of new processes may be required under State laws depending on the exact context; these can cover:
- Contract requirements such as Data Protection Agreements
- Data Protection Assessments prior to data collection and use
- Data Subject Access Rights (the ability for the end user to request, correct, delete information or limit information use).
States with Current Privacy Laws
States with Future Enforcement
- Oregon (expected)
- Delaware (expected)
EU & UK Consent Banner Considerations
While the United Kingdom is no longer part of the European Union due to Brexit, the UK still adheres to a localized view of Europe’s General Data Protection Regulation (GDPR). Enforcement of the UK’s data protection laws falls to the Information Commissioner’s Office (ICO). Under this law, consent is required for most data collection, and processes around personal data rights & governance activities must be in place and followed.
Within the EU proper, data protection falls to member-state-level authorities and a larger European Data Protection Board (EDPB). In 2020, the EDPB released guidelines on what valid consent looks like under GDPR, setting out a stricter set of rules it would use for enforcement going forward.
Organizations operating in Europe & UK need to ensure they comply with the GDPR and the Privacy and Electronic Communications Regulations, both of which lay out conditions for consent under each respective law.
International Data Transfers
Care must be taken when transferring data between countries. Some regions such as the European Union have agreements with the United States regarding cross border transfers. You may have to take part in a program or framework such as the Data Privacy Framework and meet key requirements that reflect the data protection practices of both countries.
Regular audits and reviews of marketing and advertising materials can help ensure compliance. Legal counsel should also review significant marketing campaigns, especially those involving sensitive data like genetic information.
2. How should we communicate our data use and privacy policies to potential customers in our marketing materials?
Privacy notices should be clearly communicated in a straightforward, transparent manner. This can be done through links to full privacy notices on marketing materials, as well as concise summaries where appropriate.
Claims about privacy and data security should be truthful, backed by robust security measures, and compliant with relevant laws. Any claim made should be substantiated to avoid misleading customers.
4. What kind of customer data can we use for personalized marketing, and how can we do this while respecting privacy regulations?
The use of personal data for marketing must comply with privacy laws, which often require explicit consent from the individual when the data is sensitive personal information. You should only use the minimum data necessary for your marketing goals, ensure it’s anonymized where possible, and always respect customers’ preferences regarding data usage.
The safest approach is to comply with the strictest privacy laws applicable, or to tailor marketing materials to comply with the laws of each specific region.
6. How do we need to adapt our marketing strategies to comply with the General Data Protection Regulation (GDPR) in the European Union?
GDPR requires clear consent for data collection, rights to access and delete data, and strict rules for data transfer. Marketing materials must make data collection and use transparent, and data used for marketing should be minimal and anonymized where possible.
Penalties vary by law and can include hefty fines, lawsuits, and reputational damage.
8. Are there any special considerations for advertising to minors or other vulnerable groups in relation to privacy?
Yes, certain jurisdictions have additional protections for minors and other vulnerable groups. Explicit parental consent is often required to collect data from minors or to target minors.
Clearly communicate data practices in marketing materials and provide links to full privacy notices. Whenever possible, give customers control over their data.
10. What is the process for obtaining informed consent for data collection and use, and how should this be communicated in our advertising?
Consent should be explicit, informed, and freely given. This means clearly explaining data use, providing an option to opt-out, and ensuring customers aren’t forced into providing data.
11. What measures should we take to ensure that third-party advertisers or affiliates comply with privacy regulations?
Contracts with third parties should include clauses ensuring they will comply with all relevant privacy laws. Regular audits or check-ins can also help and may be required by regional law.
12. How should we handle requests from customers who want to view, change, or delete their data (right to access, rectification, and erasure)?
You should have clear processes in place to promptly respond to such requests, as required by laws such as the GDPR and CCPA.
13. How can we responsibly use insights from customer data to inform our advertising strategy without breaching privacy regulations?
Use anonymized and aggregated data where possible, ensure data is securely stored and handled, and always comply with regulations regarding data use and customer consent.
14. What is considered 'sensitive' personal data under privacy regulations, and how does this affect our advertising?
Sensitive personal data includes information like racial or ethnic origin, genetic data, and data concerning health. The use of such data in advertising is heavily regulated and generally requires explicit consent. The exact definition varies between laws, so you will want to ensure you handle data collection according to the definition that applies in each region you operate in.
In case of a data breach, you should have a response plan in place, inform affected parties and relevant authorities promptly, and potentially pause advertising if it involves affected systems.
16. What should we do if a customer believes their privacy rights have been violated in relation to our data collection?
You should promptly investigate any complaints, rectify any issues, and make sure you are compliant with relevant privacy laws.
How Search Discovery Helps with Consent Banner Optimization
We recommend the following steps, which we can help support in various regards:
- Campaign Review: Work with a privacy SME to conduct a campaign review with marketing, analytics, optimization, legal, and the in-house privacy team to flag potential risks early in the planning process.
- Tactic Review: Work with a privacy SME to review the tactical plan with marketing, analytics, optimization, legal, and the in-house privacy team to flag potential risks prior to launch.
- Vendor Platform Configuration Review: Work with a privacy engineer to conduct a technical configuration review with marketing, analytics, optimization, legal, and the in-house privacy team to flag potential risks in the execution stage.
- Consent Management Review: Work with a privacy engineer to conduct a consent audit with marketing, analytics, optimization, legal, and the in-house privacy team to flag potential consent-related risks.
- Compliance Monitoring: Work with privacy engineering to configure automatic compliance monitoring to reduce risk from on-the-fly campaign optimizations and modifications.
International Association of Privacy Professionals
- Certified Information Privacy Technologist: A certification reflecting knowledge of Privacy By Design methodologies, privacy threat modeling, privacy enhancing technologies (PETs), and anonymization techniques.
- Certified Information Privacy Professional – United States: A certification reflecting knowledge of various sectoral laws and regulations in the United States from a Privacy perspective.
- Fellow of Information Privacy: Designation available to those with two IAPP certifications, documented work experience, and multiple positive references.
Both certifications are accredited by the ANAB (ANSI National Accreditation Board).
- Fellow of Privacy Technology: Signifies holding all OneTrust Privacy Certifications and documented experience in Privacy