Webinar - On Demand
Introducing DataGrail Consent: Setting the New Standard for Consumer Choice
DATAGRAIL EVENT SERIES
View Webinar
Thank you for your interest!
Please click below to view the on-demand webinar.
View WebinarInterested in seeing DataGrail in action?
Take a self-guided tour of the platform right now!
If a new window did not open with the product tour, please click here
Despite nearly every website having a tool in place for consent management, there is still a privacy and compliance gap.
A recent audit of 5,000 businesses revealed that 75% of organizations do not honor a person’s right to opt out of being tracked by online trackers and, therefore, are not compliant. Consumers expect something different. They expect more.
Today we’re introducing a new standard for consumer choice. One that lets you start a privacy dialogue with your customers and automate consent compliance for your busy privacy team.
Introducing Datagrail Consent, a first-of-its-kind, no-code consent management platform that delivers a dynamic, deeply customizable experience while automatically maintaining compliance with the latest data privacy regulations.
Join Richard Arney, CCPA/CPRA co-author, and Tarun Gangwani, Product Manager at DataGrail as we dive into the current state of consent — and what the future will look like, and get a first look at DataGrail Consent.
Hey, everybody. Hope all is well on the Internet. I am Tarun Gangwani. I am the product manager on consent, and I'm delighted to be cohosting this conversation on the state of consent with our pal, and expert in privacy and consent all things consent, Rick Arnie, who is the coauthor of the California Privacy Rights Act. Welcome, Rick, and thanks for having thanks for being on the line.
Thanks for having me. Appreciate it. Awesome. Cool. So, first caveat being that this was supposed to be a live event, and we're apologies, you know, that we're kind of running through it and we're gonna do it on demand.
But we still felt this was an important conversation to have, and so we're gonna do it here and have it recorded, and hopefully everyone has a chance to tune in later. So, with that being said, we're really excited today to do 2 things. 1, I'm gonna have Rick and I kinda talk about, you know, what's going on with consent. It's been over a decade since the E privacy act was first introduced with the GDPR and thus, you know, the banners and everything you've seen on the Internet. And it's been just a few years that the California Privacy Rights Act or what I'll call SIPRA from now on has been really enshrined into law.
And, a lot of the catalyst that led to SIPRA was almost in a response to kind of the GDPR and what what, other countries were doing. But there's a lot of innovative ideas that I wanna tease out with Rick here, you, being on the call. And then, if we have some time, Rick, I'd love to kind of show you what we're cooking, here at Datagrill to kind of help people get to a better place when it comes to consent management, in the industry. Perfect. I look forward to that.
Awesome. Cool. So, Rick, tell me just a little bit about, you know, how did you get into this, world of, you know, authoring one of the most important privacy regulation acts, in the world, especially United States? And, what what gets you excited about working on these kind of problems? So it it started I was a victim of identity theft, actually.
And, you know, I was friends with my friend, Alastair Mertaggart. Our kids go to school together. And over the course of a few conversations, we started realizing, gosh, this this seems kinda out of control. The amount of information is being collected, and you don't know where it's going. And then there's a breach, and it's very expensive and problematic.
So that was kind of the genesis of how we got together and decided we we wanna do something about this. That's awesome. And, I'm really I'm really glad that it comes from a place of passion and personal sort of responsibility in some ways. Like, it seemed like you felt it and probably felt well if, you know, your invasion of privacy is if your privacy is not being respected, then surely there must be millions of people out there that need a some similar sort of solution or answer. Yeah.
You know, when we started working on this, we actually we we tried to be very professional about it. We did some focus groups. We did polls. And one of the most amazing things that came out of that is that people really have strong feelings about privacy. I mean, when you sit them in a room and you ask them, what do you think about this?
Some of them get kinda angry. They're like, this stuff's totally out of control. And one of the things that came out of that that was really interesting when we pulled people, and this is very early days, is that we got a pullback that 88% of people wanted better privacy control. They actually wanted to make sure that they took and and and and just contextually for everybody, an 88% poll in California, a place where a lot of people don't agree on anything, is truly extraordinary. In fact, I'll just give some historical context here.
The highest poll I'm aware of, and I'm kind of I I get very close to initiatives, is human trafficking, which was 90%. So, you know, you you know yeah. And and well, obviously, well, that makes sense. And then they're like, wait. That doesn't make any sense because that must mean 10% of people are okay with that, which they're not.
What it is is 10% of people actually don't like an issue. So they vote no one every one of them. So the limit so privacy is really popular, actually. It's something people really want. That's amazing.
And so tell tell me a little bit about how did you draw inspiration from privacy regulations in the past and how you approach the specific authorship of the California Privacy Rights Act when it comes to consent and giving people rights online? Well, it turned out we kinda created a laundry list of things you could do in privacy law. We actually, no joke, hired a guy on Upwork to review all privacy laws globally for $25 an hour. I'm not kidding. And we created a laundry list what you gotta do.
So yeah. Yes. And it works. There's a guy down at LSU, no joke, and produced a whole list of things you could do in privacy. And turns out that one of the most popular things on that list, everything from I wanna know what you have to want to protect our data, don't you want you to sell it, One of the most popular things on that was, I just want to be able to say, no.
Don't sell my information. Selling information and using it for something I didn't want you to use it for, that ranks one of the highest. And that that is the idea of consent, like, just giving control over something to somebody. The word consent actually pulled very, very well for us, in terms of privacy rights. So that was the beginning.
You know, these things, you don't know exactly what is popular and what is not until you ask people, whether it be in a focus group or poll. And that that ranked really high, consent. It makes sense. And, so we're kind of as we've been working in DataGrow and working on consent products, we recently put out the privacy trend study. It's available on our website.
And I wanted to ask you if you had a chance to read it. And in particular, there's a segment in there where we found that over 75% of websites, when you say you're opting out, actually don't respect that opt out request and still track you. We see network requests still execute and thus are potentially selling or sharing information despite me saying otherwise. What do you think about that, SAD, or does that surprise you? You know, it's it's it's not a good thing, and it's not surprising at the same time.
I mean, let's remember we lived in an era where you could you could collect as much information as you want with minimal disclosure, no rights to the consumer at all pretty much. You could sell it, chop it up, slice it, dice it, do whatever you want with it. And it's not uncommon for me to see companies now post the past due law that literally don't even know what they collect or what they sell or what they share. So we're in early days on this. However, it's very clear that, you know, with our law and other laws that are being passed across the country, that people are gonna have to kinda understand better about where their information is as a company.
And it's not overly burdensome, and, frankly, it's very aligned with what consumer wants are. So this isn't, like, a negative exercise per se. It's being revealed that privacy is really good business. I mean, people want business people wanna do what their consumers want, what their customers want. I'm a business person.
I'm not some lawmaker. Okay? So people want companies wanna do what consumers want, and it's very clear consumers have this value of just wanting to make sure because you always have no problem sharing their information with an entity as long as they understand where it goes and and it's not being told without their permission. So what I'm hearing is, on the one hand, consumers are, okay with having sale and share of information as long as their rights are made clear to them. And I think businesses earnestly want to protect their users and rights because it's good business.
So then there is clearly a breakdown in the tools and kind of, like, actual configuration and setup that, is the main root cause of this 75%, sort of failure, if you will. That's correct. That's correct. The tools now are being created. What's exciting for me as a coauthor of CPRA is that it's playing out kind of as we hoped, and that is that people are coming forward with efficient tools that are aligned with what the law says needs to be done.
And those tools are able to actually be very effective in in stopping the flow of information in an efficient way. I mean, new laws are scary for a lot of people. As I mentioned, I'm a business person. I don't I don't like laws that get in the way of what I wanna do. The the tools that are out there right now, they're cropping up, and this being one of them we're talking about today, is is terrific because it efficiently allows you to comply with the law.
And and, frankly, there's a lot of side benefits. So you get you get to kinda understand where all your data is and control over who's using it, and it's actually more positively put than I think in the past. One of the things you mentioned about efficiency, there's a particular, concept, made very clear in the, CPRA, which is known as the global privacy controller universal opt out signal. It was in fact the subject of a recent litigation against, you know, a very popular retailer and more and more litigations and sort of private rights of action are happening against this signal. What is this this signal, and why did you think it was so important to codify the law?
And even so go so far as it being a requirement if you're going to do business in this in in the state of California and other states are kind of following suit. What made you think about that? Because that it seems very forward thinking compared to kind of other, consent frameworks in the world that don't necessarily, call that as a requirement. Yeah. It's a it's a great question.
I mean, I think what we came back to is the first principle that, people have a right to privacy, but they struggle with how they can assert it, how they can actually make that right live for them. And so one of the things we thought long and hard about is, how can we make this right usable? Because rights are only so good as people use them. I mean, they're you know, things atrophy. They they, you know, they, you know, people do what they wanna do until they're confronted with, I actually want this right.
So we wanna make it easy, and that would gave rise to global privacy control in the sense that I I'd like to just be able to communicate via my browser to where I go that I my value is I just don't want you sharing or selling the information. And we thought that was an elegant, easy way that that doesn't require you know, one of the things came back very clear in our research was that people just are so tired of this pop up, that pop up, asking this question, that question, disclosure pages. I mean, there's that study that said if you were to read every disclosure page for every app on your phone, it would require I think it's, like, 400 hours. Like, no one reads that stuff. Right?
So so, you know and that's frustrating to the average consumer. But if you could just program your browser to say, hey. This is what I think and this is what I want, Then a lot of people can use it. They can communicate their know what their ideas are very efficiently. So that that's what gave rise to it.
And I and I certainly see its adoption as we've been thinking about the space internally of DataGrow. But one of the things I've observed is that when I set the global privacy control signal, I noticed that, not all scripts or cookies that are nonessential are blocked or actually handled. It seems that only a subset of them are handled. I'm wondering and and this is this drifts between consent management platform and and, thus websites that are employing them. What's what's the stance on this?
Or, you know, should GPC be thought of as a reject all or only reject some things? What's your what's the take? So the whole idea with this is that when you just stepping back and looking at the theory of it as opposed to the technical aspects of it, the whole idea is that when a consumer goes to a website and wants to do business with a website, they have a certain expectation that they're gonna be doing business with that website, and that's it. And that the representations of the website of what the website and company are offering that consumer, there's an expectation of relationship there where it doesn't go beyond that. Like, you know, if you in the most extreme example, if you're just buying something for a website, you don't expect it to profile you and sell your profile to somebody else that you're then sold a product that has nothing to do with what you just bought.
So in theory, the idea is we just wanted to make it so that when I go to website, I can do business with that, and then that's it. And I no more. You know, I don't want, you know and I and I do have the feeling that part of your website is not profiling people and selling my profile. That's it. Unless you disclose it and say that's what our business is and you wanna voluntarily do that.
Great. But most people don't want that. And so the idea of GPC is to strike that balance that, you know, we don't want you doing anything other than the business I've asked you to do. And that's that's the relationship we want with it. So just to reiterate, your kind of stance on it is that if I set the global privacy control signal, only essential cookies are just Yep.
Are basically the essential functionality site fires and nothing else. That's right. That's right. Because that's what I wanted as a consumer. That's correct.
Mhmm. Yeah. And I I think that makes sense too. Mhmm. Yeah.
And then that and then it's a closed system. Then I know I'm doing business with somebody. I'm happy to share information as long as it's not being tracked, sold, or shared. Then that's what GPC should be doing. And so, just, again, thinking about the sort of American landscape of businesses that are deciding to adopt consent solutions, what role does, like, consent have in building data subject or basically their consumers' trust?
Like, you know, it could be argued that, well, maybe I don't need it if I'm of a certain size or I have certain ways of working around it. I I don't really need the notice appearing on my page, etcetera. Like, that might all be true according to the CPRA. But what about from the sort of humanistic sort of, protecting user privacy stance? Like, how important is that, and how should businesses think about approaching consent solutions irregardless of the law?
Yeah. It's a great question because the law does require it for certain sized entities that are trading certain amount of information that have certain amounts of revenue. We can, you know, get beyond that to say, well, do you want to create trust with your customer? And I come back to the popularity of of, privacy. This is not something that companies are shoving down consumers' throats.
They actually want it. And it's a signal to a consumer if you do have a button that says, just don't share them and sell my information. It's a signal to a consumer that this is a pro privacy website. And, you know, again, I'm keen off the fact that this is wildly popular. Come back to the human trafficking example.
Like, this is ranking up there. So I think Right. You know, people are gonna distinguish they're gonna see sites that don't have this or don't respect the GPC signal, and those sites are gonna be more suspect as time goes on. There's no question about that. Not only are they putting themselves in potential legal jeopardy, but more importantly, they're just they're they're losing an opportunity to create trust with their customer where privacy is good business.
They're losing an opportunity to enhance that, yeah, and the upside that comes from that and not being in the category of, like, I'm not so sure about this website, what they're doing there. Right. No. Totally makes sense. That's excellent.
So yeah. You know, I I think, Rick, it'd be kinda cool to kinda show you what we've been cooking here, as as as, we've been announcing today. We actually did, make generally available a new consent tool, that we built in house in response to some of what we've been seeing in the market and have been talking to, various experts like yourself, our customers, and, you know, really wanting to hit home the point that the privacy can, and should be more than just checking a box and and putting a product out there. It actually should build trust and and and engage customers in a privacy dialogue. And so I would love to just kinda demo it for you live and, get your thoughts on what we've been thinking.
Legacy. So I'm gonna go ahead and, share first, my window here, Firefox. So I've got the Firefox browser up and running, and, I picked Firefox today through this demo because it actually has built into the experience the ability to send that global privacy control signal as I mentioned. So I wanted to demonstrate for you on Datagirl site the ability for our consent solution to respect, that privacy right and, work behind the scenes even though I'm not interacting with a banner. So I've got Datagirl up and, you know, that site up and running, and Datagirl consent is installed on the site.
And so I am on our trust center page, but I don't really need to be here to open up the banner. I can actually just use my, opt out signals. And so you see here Drift, and there are other trackers and cookies running on the site that are, you know, used for providing a personal experience. Like, that is, like, kind of the web today as we use trackers to make for better experiences. But as we've been discussing, you have rights as a, as a data subject.
And so I'm gonna just show you all of the different network requests that are occurring on this browser, and all of these requests are the result of this, chatbot capability that we have on the site drift. And so as it stands right now, I am browsing the site, and I'm having my information shared and, you know, they're taking that information for what they are. I haven't exercised that right. So I'm gonna go ahead and and use the built in functionality. So that's available in the privacy settings.
And there's actually 2 options. 1 is called websites to not sell or share my data, and 1 is do not track request. I think as I understand it, Rick, the do not track is kinda similar to GPC. It's just a different standard. Right?
Yep. That's correct. So I'm gonna go ahead and turn those on, and then I'll go ahead and refresh the page. Wow. Look at it.
It's gone. It's gone. Yeah. So not a single network request actually triggered, after setting that signal, and that's because data grower consent treats GPC as reject all reject anything that is nonessential to the site. That's terrific.
That's amazing. That all that's going on in the background, and then once you invoke GPC, and that basically goes to every website, not just this one, every website I would I would visit with Firefox, it then goes blank, which now I I have visual confirmation that my choice is being respected, and I'm still able to use your website. I mean, this functionality doesn't go away. I just know now that I'm much more of a closed system, that I've got a pipe to this website, and I'm gonna interact with them. There's no change to the efficiency of the website or getting what I want or what you want to get to me.
And now that that stuff that was put in front of you, you could see all of it there is gone. Very good example. Yeah. And I think, this is just one way that, you know, viewers at home can really see if these things work. It's like, I'm not doing anything that a normal consumer couldn't do.
And, in fact, these are the same sorts of methodologies that the attorney general and and other, you know, legal entities across the United States are using to detect if whether or not our consent preference is respected. Is that right? Yeah. So I'll I'll make a commentary on this. I mean, this is all good because it's aligned with the consumer, but also be aware that, if you're an enforcement agency, whether it be California or the I think it's now 13 or 14 other states that are have passed privacy laws, this is a quick and easy way to see compliance, by website.
So it's no longer a secret what's going on with some of these websites if you can do this very quick AB test, essentially, where you go in your own browser and say, I don't want this anymore. And all of a sudden you look over there, and 2 seconds later, if there's still a lot of things there, the questions of the enforcer will arise from that. And, you know, these laws are gonna be enforced. There was already enforcement actions taking place. It's still early days.
But, you know, I wouldn't wanna be a company that's you you press that button and there's still all this on there, and you gotta ask all the very uncomfortable questions about why that is. You know, that that's a very vivid example. Not only can be used by consumers to see if it works, but enforcement agencies as well. Right. Definitely.
But so, yeah, let's take a look at the actual, notice. So I'm back in Chrome now, and I'm gonna go ahead and load it. And so since I switched browsers, you know, drift load and all of that, so we'll use the banner to, actually exercise my privacy. Right? So here you can see the banner.
I popped it up by clicking on this. Manage consent preferences, of course. Organizations have the option to put this wherever they want. Oftentimes, they'll put it in the, footer of the site next to the logo that, the CPRA recognizes as a good signal for consumers to know this is where they can exercise their rights. Yeah.
And so, I'll go ahead and pull up the banner, and you can kinda see it looks and feels like the site. Right? I I think you might have seen other, banner notices that almost feel like an ad that come in front of your face or have some other vendor logo and stuff like that. But this is tuned and extremely matched to the brand of my site, which I think is important when it comes to building trust with, consumers. That's correct.
Yeah. I like how it's, same look and feel, and it makes it easy to just seamlessly look at it and go, okay. This is just coming from them. I'm gonna accept this or or decline it. Yeah.
So let's just accept essentials only. Yep. And, the page refreshes, which you know, in our research, actually, when we were looking at other consent solutions, they don't even refresh the page. So my consent reference isn't even modified until that happens. And so we instantly trigger a page refresh, and you could see their drift once again, this is very we love drift, by the way.
We love the tool. It's just it's just visible example of what happens when you reject something. So Mhmm. Yeah. Now Yeah.
Now Yeah. This is an easy way to do it. An easy way to do it. Yeah. Awesome.
All of this works behind the scenes because we built a foundational integration to a tool called Google Tag Manager. Have you heard of Google Tag Manager, Rick? Mhmm. I have. And so Google Tag Manager is used by 90% of the Internet.
It turns out 90% of businesses use this tool to govern when scripts are injected onto a page based on certain triggers that occur. And the trigger usually for most tags is initialization. Like, when you first arrive on the website, go ahead and insert the script because, you know, I I wanna start creating personalized experience. But, what we did is we recognizing that most people use this, tool, we built a two way bidirectional sync of information between tag manager and our own consent module. So I'll pull up, an example, demo here.
The actual consent product. And so you can see here it is live in my, consent instance, a little example demo site. And if I, I'll go ahead and make this a little bigger so we can see They're realistic. You haven't tagged there from TikTok even. Yeah.
Exactly. Here we go. So then you can see here, this is one to 1 with the tags that are available in tag manager. So how this works is as soon as you connect with Google Tag Manager using a user that has published access to the, what's called, container here with all the tags, we sync that information in and instantly pull it in, which allows the privacy manager to just simply set the category for what that tag is. And after making a few other adjustments, including, like, modifying what those categories are if they so chose and configuring banner text, they can simply click this review and publish button and be off to the races and be compliant.
Oh, terrific. Cool. Yeah. And so a couple other things to kind of, you know, showcase here is, of course, we have the built in default categories, and so you have the ability to, modify the text as you will. And, also, you can modify the banner text itself as well, including even, modifications to specific wording, like, for example, what is essential always on or on on continuously or required.
You have very, very deep customization options, which, again, we thought was important because, you know, businesses, when you deploy consent, incidentally, it kinda sits in between the marketing team who has asked and needs to make it look like the site. The privacy team who's looking to comply with, you know, laws and regulations and, of course, even the end consumer. Right? So they are responsible for, making a data subject choice, and you needed to make it feel native for them. So we tried to design an experience that balances all those needs.
So having the ability to make quick changes and see the banner preview live was something that we have noticed. And in particular, now that you have this, you have the ability to just screenshot this, send this to label, be like, is this good to go before, actually hitting the go live and publish button. What I like about this tool is it allows that conversation to happen between, you know, whether it be the systems people, marketing people, the operations people. So that there's a clearing house in a very deliberate place you can go to and say, okay. This is what we need.
This is what we're gonna do. And it's very deliberate. You know, that you also, in the sense, have the consumer at the table because these are choices made on their behalf compelled by the law. And it's a very sort of deliberate way to manage all this information, and it it clears that. And then when it's done, you can see the effectiveness played out on the website.
So that in a sense, you get everyone at the table and say, okay. How do we wanna deal with this issue? So that, you know, nobody, including myself having coauthored this law, wants to destroy websites or make it so they can't do their business. Nobody wants to do this. But we do wanna make sure there's very deliberate choices made and consumers have a seat at the table.
This tool allows that to happen. Yeah. And I think, as you know, privacy is a whole team sport. I mean, nowadays, you know, privacy is not just within the legal department. It it extends across the security, the IT teams, developers, marketers, and so you kinda need a place to establish that sort of common ground.
Yeah. That's what this that's right. That's right. The one last thing is to how we handle different, how we serve the right banner to the right, person in the right location. We have this capability known as the policy center, and we, we, of course, at Datagrill keep up with the latest regulations, you know, coming online.
And so whatever where there's a new regulation or new policies enshrined or minted, in the United States or anywhere around the world, we'll create those policies on behalf of our customers. But the way we think about it is, basically, how should the banner behave? So for example, in GDPR, basically European Union countries, you have to show the banner as soon as the page loads, and you have to ask people if they wanna opt in to tracking. Versus in the CPRA, you technically don't have to show a banner, at when the first when the page first loads, although we recommend it. And so we can default to yes here or no depending on your business's, consideration and how privacy forward you wanna be.
But, also, the default consent behavior is, they are tracked unless they choose to opt out. So the way we thought about this is this is just behaviors. This isn't you creating a new configuration and a new banner and setting up a bunch of and doing a bunch of repeat work to be globally compliant. It's just one single pane of glass. That's terrific.
It's like a a menu you can just go down the list and click off how you how you wanna stand on this. Yeah. So that's, like, a brief slide through of the tool. We're really excited to have it come out into the market today, and, we can't wait to put it in the hands of customers who are just struggling, like, with, like, these tools and how, they're almost designed kinda unopinionatedly just to work for every use case, but we know the reality of how people work. Like, they use a common tool stack like GTM.
They have specific customization needs. And if they need to go deeper, they can, you know, use code, and, they have the right people in place to do that. And they just don't wanna repeat work, and they wanna ensure, you know, that they're compliant and safe and protecting the rights of their end users. What'd you think about what you just saw? Yeah.
I like how robust it is from my perspective. I mean, I'm gratified seeing tools enter the marketplace that are easy to use. I mean, I think one of the major problems we've faced looking at things like GDPR or other countries' efforts was that it was hard to comply with. It was just it and it not only hard to comply with businesses, but also consumers still didn't feel like they're getting their fair shake. Now it looks like these tools are becoming easy to comply with.
It's very clear what you need to do or not do, and consumers are given a choice. And the robustness of the tools are allowing regulators look at what's going on and allowing consumers to comply or companies to comply and consumers get what they want. So I'm very gratified seeing this all play out in the marketplace based on what our vision was for the law. And it's still early days, but it's it's looking like it's coming together nicely. Yeah.
And, yeah, we really, appreciated, you know, kind of seeing the text and having your partnership and building out this product because we did just want to ensure that we covered our customers' backs. You know? At the end of the day, they're trying to do business and do the best they can to serve the needs of their consumers while still protecting their rights to privacy. And, I think what we've got here, hopefully, hits the nail on the head and then checks all the boxes and then does even more than just that. Rick, thank you so much for having this conversation with me and and, giving me some insight into the, you know, kind of state of consent.
And, if folks wanted to follow-up with you, how could they do so if, you know, they have questions about the CPRA or just consent tools or anything that you may see just so that people can kinda pick your brain? Yeah. I'm happy to I'm always happy to talk privacy with anybody. I'm on LinkedIn. It's, Rick Arnie, and, feel free to send me a message through there.
I'm always interested in how things are playing out, what people are observing, and what tools they're using, and what consumers are thinking. So feel free to reach out to me anytime. Awesome. Well, for Rick, I'm Torent again, on the Datagrill team for consent management, and, it's been a pleasure having everyone. I'll kind of drop, this, little slide on the way out.
If you wanna learn more about Datagrill consent or, you know, get a demo from our team who would be delighted to show you a better way of doing things. You can visit our website, and find the consent management mode on the page. But, until then, thanks so much again, Rick, for your time. Thank you.