Hi Sergio
I listened to your podcast, and wanted to share my thoughts and feedback...
I was also involved in the W3C DNT group for a short period about 10 years ago, and I think some of the lessons of the failure of DNT have not been learned from.
For me the most important issue was the name: it was called Do Not Track, but the reality was that it meant Do Not Target, and there was no forking of the standard to support the 2 different signals. Also, the rules were... that it was unset by default, but tools such as AVG just used this as an opportunity to sell more software and thus they automatically changed the user's default setting without proper user interaction.
I see similar problems with the naming of Global Privacy Control, which ironically is not Global (as it only applies to the US, not the EU) and it also lacks granular control over targeting, analytics or service providers.
This time Firefox & Brave used this as an opportunity to get market share by setting the default for GPC to active, and thus undermining the idea of a "real" user choice.
Furthermore, GPC has the opportunity to be used as a Do Not Train signal for personalized pricing and personalized ads, but these need to be asked as a unique question rather than a blended question.
To give you an example, the Google Consent Mode framework's ad_storage nicely maps to GPC. However, there's no browser-based setting for analytics_storage, ad_personalization or ad_user_data, hence causing CMPs to bundle ad_storage + ad_personalization + ad_user_data with no easy way to unbundle!
// Google Consent Mode call; assumes the gtag() function is already defined on the page
gtag("consent", "update", {
  ad_storage: "denied",         // Do not target || GPC
  analytics_storage: "denied",  // Do not target (missing in GPC standard)
  ad_personalization: "denied", // Do Not Train || Do not use pricing personalization
  ad_user_data: "denied"        // DROP emailHash or cell phone opt-out
});
Also the new DROP emailHash / cell phone opt-out creates a parallel standard, even though it's introduced by the same regulating agency in California.
Regarding GPC as the primary signal, there is no way for the user or CMP to change this browser setting. For example, navigator.globalPrivacyControl=false (i.e. off) does not work as the value is read-only, and there is no HTML5 WebKit API to change this setting.
Hence why most CMPs read the GPC on a new visitor in the first banner layer, and they default the toggle to ON, but the user needs to click OK in order for this setting to then be stored as a 12-month cookie. It's then this 12-month cookie that takes precedence over GPC.
But I have seen some CMPs get this wrong and hide the option for the user to change the banner setting when GPC is on, only showing "GPC honoured". This creates a problem for users if they are landing from voucher code sites or abandoned cart emails that rely on Targeting cookies in order to reward a 10% discount back to the user (i.e. value exchange).
Regarding CPRA and the EU, I think it's good that Omnibus is moving towards a global standard. For example:
US = Footer opt-out for Targeting only, and only the sending of the pixel is disabled (i.e. cookie storage is allowed if not sent OTA).
EU = Modal opt-in for both Targeting + Analytics. Permission needed to save cookies on the device.
Is moving towards....
US + EU = Modal opt-in for Targeting only (Analytics that is not used for Remarketing can be necessary).
However, both CNIL and CPRA require Analytics such as GA4 to be changed to single-purpose mode with remarketing disabled. This is easy to do; however, they also require linking of gclid lookups or reading of utm parameters to be disabled, which renders the Analytics useless for marketing performance tracking, so I think the scope needs to be changed to only single-purpose mode, with both cost-data and conversion importing allowed under this mode.
Given that there are currently competing laws in California:
CIPA - opt-in (1967 law)
CPRA - opt-out (2023 law)
it makes sense to also harmonize, as competing frameworks cause confusion for Brands and also open up the risk of Plaintiff lawsuits.
It's important to mention that I see vendors such as Klaviyo (CDP & ad network) or service providers such as Zendesk (live chat) that could implement GPC leave this to the CMPs to implement instead, which again opens up the risk of Plaintiff lawsuits.
Furthermore, I see some CMPs giving too much control to Brands when implementing GPC. TrustArc for example allows GPC to be implemented in 3 different ways. This is extremely dangerous, and it requires CMP harmonisation. There should only be 1 way to implement, otherwise it risks Brands accidentally selecting the wrong option.
It should be mentioned that the other reason why WebKit has only introduced HTML5 attributes for geolocation and push notifications, not a native Consent Banner, is because it would give too much control to Google Chrome and Apple Safari, who are trying to introduce single sign-on preferences in order to improve user targeting. This makes it harder for smaller publishers to compete, as they do not have the luxury of 1st party data from single sign-ons.
Also, I should mention that AI browsers such as ChatGPT Atlas default to "deny" on all cookie banners unless they are explicitly told to accept. Hence, if AI browsers become more popular then they might undermine the default user choice of undecided. The exception to this rule is the Consent or Pay banner, where the AI browser always clicks accept, as it cannot enter credit card details by default ;)
It's important to mention that users are accustomed to the free world of a free Facebook and free search engine; they have no idea that the cost of an ad-free platform is much more than they are willing to pay. This is why 90% of people click ad supported when shown Consent or Pay, or asked to pay for a service that was previously free.
Additionally, I think the DSAR and DoNotSell choices on the footer of all US websites need standardizing, but that's a discussion for another time.
// DoNotSell standard link class or link id (one selector per CMP, joined into a selector list)
document.querySelector(
  [
    "a#ot-do-not-sell",
    "a#ot-sdk-btn",
    "a.ot-sdk-show-settings",
    "a#teconsent",
    "a.iubenda-cs-uspr-link",
    "a.iubenda-cs-preferences-link",
    "a.cky-banner-element"
  ].join(", ")
);
// DSAR standard link destination (one selector per vendor)
document.querySelector(
  [
    "a[href*='onetrust.com/dsar']",
    "a[href*='//app-preference.preference-management.usercentrics.eu/']",
    "a[href*='//dsar.cptn.co/dsar/']",
    "a[data-modal-id='saymine']"
  ].join(", ")
);
Thanks for your great content and hopefully I'll be able to join one of the discussions one day.
Thanks
Phil
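The CMP behaviour Phil describes above (a stored consent cookie taking precedence over GPC, GPC mapping only to ad_storage while some CMPs bundle it with ad_personalization and ad_user_data, and navigator.globalPrivacyControl being read-only) as an added, runnable example; it is not code from the original thread, and the cookie name "cmp_consent", its JSON payload and the navigator stand-in are assumptions made here.

```javascript
// Added example, not the commenter's code: a CMP-style resolver that combines the
// browser's Global Privacy Control (GPC) signal with a previously stored consent
// cookie (stored choice wins) and maps the result to Google Consent Mode keys.
// Assumptions (invented here): the cookie name "cmp_consent" and its JSON payload,
// and a constructed navigator stand-in so the code runs outside a browser.
const COOKIE_NAME = "cmp_consent";
const CONSENT_KEYS = ["ad_storage", "analytics_storage", "ad_personalization", "ad_user_data"];

// Return the consent object stored in document.cookie-style text, or null if absent or invalid.
function readStoredConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0 || part.slice(0, idx).trim() !== COOKIE_NAME) continue;
    try {
      return JSON.parse(decodeURIComponent(part.slice(idx + 1).trim()));
    } catch (e) {
      return null; // malformed cookie: treat as "no stored choice"
    }
  }
  return null;
}

// Resolve consent under a US-style opt-out regime: every purpose is "granted" until the
// user opts out. gpcKeys lists which keys the GPC signal may flip to "denied": the
// narrow mapping is ["ad_storage"]; a CMP that bundles adds ad_personalization and
// ad_user_data, which is exactly the unbundling problem the comment describes.
function resolveConsent(nav, cookieString, gpcKeys = ["ad_storage"]) {
  const consent = Object.fromEntries(CONSENT_KEYS.map((k) => [k, "granted"]));
  const stored = readStoredConsent(cookieString);
  if (stored) {
    for (const k of CONSENT_KEYS) if (stored[k] === "denied") consent[k] = "denied";
    return { source: "cookie", consent }; // the 12-month cookie takes precedence over GPC
  }
  if (nav.globalPrivacyControl === true) {
    for (const k of gpcKeys) consent[k] = "denied";
    return { source: "gpc", consent };
  }
  return { source: "default", consent };
}

// Try to switch GPC off from script and return the value the browser still reports:
// the attribute is read-only, so the assignment is ignored (or throws in strict mode).
function tryDisableGpc(nav) {
  try { nav.globalPrivacyControl = false; } catch (e) { /* TypeError in strict mode */ }
  return nav.globalPrivacyControl;
}

// Constructed stand-in for a browser with GPC enabled: getter-only, like the real attribute.
const gpcNavigator = Object.defineProperty({}, "globalPrivacyControl", { get: () => true });
```

Passing the bundled key list to resolveConsent shows how one GPC signal silently denies three purposes, which is the behaviour a CMP review would want to flag.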
Phil, these are fantastic insights - much appreciated! I particularly like the AI browser angle (deny by default except for consent-or-pay) and I am starting to think that their evolution/conformance (integrating consent flows and opt-out signals in one way or another) will happen faster than the combination of browser support and legal enforcement required to introduce meaningful changes in human-driven browsing. Looking forward to our discussion.