What is universal consent and how does it benefit companies and their customers?

Digital platforms and markets used to be the wild west. There were few protections for users’ privacy, with their data being scraped everywhere they went, and no visibility as to who had it or how it was used. All of this data didn’t really help companies understand their users and customers a lot better, though, because most of the data was low quality and large amounts of it had to be combined to form profiles.

When privacy regulations started to be passed, companies worried about losing their access to data and not being able to run their marketing operations. But the restrictions and new requirements have kicked off a revolution. Controlling access to data, requiring consent, and a shift to more direct and higher quality data sources has created a huge marketing opportunity.

By implementing consent and preference management for a universal consent strategy, companies can know their customers better than ever and provide them the best user experiences while complying with data privacy regulations. The result? A healthier bottom line than ever.

Consent management is the foundation of data protection and privacy compliance. It includes all the legal/regulatory requirements and technical functions, along with the user interactions:

• regulations requiring user consent for data processing
• companies asking for user consent to collect their data
• how consent is stored and managed
• how consent is documented or proven (for an audit or data subject access request)
• signaling consent to third-party platforms and services (e.g. via Google Consent Mode)

Preference management enables companies to learn from their customers how they want their relationship and interactions with the company to work. For example, communications via postal mail, email, SMS, etc. Subscription to the weekly newsletter, notifications about sales, personalized offers, or all of the above?

Companies also combine that preference information with other data they have on customers, like their purchasing history, account information (contact details, single or family plan, subscription tier, etc.) to form a centralized, cohesive, and detailed profile that can be used across the marketing ecosystem to make campaigns more precise and effective, thus boosting engagement and revenue.

Preference and permission management go together, but the latter has more legal implications, e.g. for privacy regulation compliance, anti-spam laws, etc.

Preference management applies to asking customers about how they prefer to interact with the company, often regarding communications.

Permission management is also often about communications. Companies need consent in many cases to contact customers, and it’s also just good business to adhere to what customers tell you in terms of how, how often, and about what they want to be contacted.

Best practices involve using a double opt-in subscription, so it’s very clear that customers have consented to being contacted for specific purposes and by specific means. They also need to be able to change their permissions settings or opt out easily.

In addition to communications consent, permission management can also include requests for broader marketing consent, for example to share customer data with third-party partners for a variety of uses.

Particularly for data privacy regulation, but also as a best practice, when asking for permission to share customer data with third parties, prior consent is critical. Customers must also be notified about what data would be shared, with which parties, and for what purposes. Depending on the jurisdiction, the legal basis used must also be included.

Permission management can also involve controlling user access. For example, if a company has a SaaS account and multiple employees need to use it, permission management enables customization of each employee’s login, expanding or restricting access to the functions, features, and settings to which they need access. This can make training and onboarding faster, but it’s most important for security to prevent access to areas that need to be strictly controlled and carefully administered.

Both preference and permission management can typically be updated once initially set. Like preferences, communications permissions tend to be managed by the customer. Account permissions tend to be managed by an internal administrator. Customer notifications about data collected and its use and access are always required for both.

Exact legal requirements for permission management will vary by region and regulation, but more transparency and requests for consent are customer experience best practices in addition to legal requirements.

Universal consent management includes functions related to data privacy compliance that are already likely familiar to many companies. However, it expands the scope of what consent is requested for and what regulations and requirements are being met.

Universal consent management also includes functions of preference management, which is a growing discipline tied to privacy compliance, marketing operations, plus user-centric and consent-based marketing.

Combined, they represent an evolution away from old data collection technologies like third-party cookies and marketing initiatives driven by them, and innovation to systems and fresh ways of doing business that lead to happy customers, more robust data privacy, and healthy revenue growth.

Under pretty much all data privacy laws, users must be provided key information, like what personal data is collected, for what purposes, how long it’s retained, who may have access to it, what users’ rights are, and how they can be exercised. The other big user-facing regulatory consideration is usually consent — when it’s needed, for what, and how it has to be obtained.

Under many data privacy laws, users’ consent must be obtained before any personal data is collected or processed, aka “prior consent” or the “opt in” model. Users typically must be able to decline consent or change their consent preferences later on, including withdrawing it, as easily as they gave it initially.

Under some other data privacy laws, most notably the state-level ones in the United States, personal data can be collected and processed in many cases without prior consent (notable exceptions are often sensitive data and personal data belonging to children), aka the “opt out” model. But at any time, users must be able to opt out of data processing, sharing, sale, profiling, and/or targeted advertising, depending on the regulation.

Many people online are probably familiar with consent banners by now, those popups on websites and apps that request the user’s consent to collect personal data via the use of cookies or other tracking technologies (data processing services). These banners are driven by a consent management platform (CMP) that is typically customizable by each business or website operator for the specific regulations they need to comply with and the data processing services they use.

However, consent banners are not the only way personal data is collected, nor the only way and location consent needs to be obtained for compliance as regulations and technologies change. While reliance on third-party data is decreasing for marketing and other operations, the need for — and sources of — zero-, first-, and second-party data is increasing, which also need consent in many cases. This is why preference and permissions management are of growing importance online for interactions and data collection from customers, users, visitors, players, etc. on various digital platforms. As a result, more than just consent banners are now often required, and attention to great user experience is critical via advanced and user-friendly features to streamline the processes.

Regulations and technology are always evolving, as are customers’ sentiments about privacy and data access. There are many platforms and technologies via which user data is collected, and many regulations that require a legal basis and often valid user consent.

Additionally, data privacy compliance requirements and pressures can come from laws that cover more than one topic. The General Data Protection Regulation (GDPR) remains one of the most influential data privacy laws, for example, but in the Digital Markets Act (DMA), data privacy is only one component, along with measures to enable smaller businesses to compete better and to place checks on dominant tech platforms. The ePrivacy Directive is designed to protect electronic communications. IAB Europe’s Transparency & Consent Framework v2.2 is meant to protect privacy and create standards for digital advertising.

Data protection and privacy measures are increasingly not just coming from governments, either. Laws like the DMA created stringent data privacy standards for the designated “gatekeepers”, and so they have started to hand down requirements to their customers to ensure privacy compliance end-to-end in the digital ecosystem.

Third parties wanting to retain access to the platforms and services from Google, Facebook, Apple, etc. need to comply with these requirements as well to ensure continued access to advertising, data, audiences, app stores, and more.

Google is already requiring that publisher customers use a Google-certified consent management platform (CMP) integrated with Consent Mode v2 and the TCF v2.2 in the EU and UK. These companies need to be able to obtain and signal valid user consent to Google in order to retain access to Google services for advertising, analytics, and more.

The sources from which personal data is collected and the purposes for which user consent is required continue to grow. But people get annoyed when they’re bombarded with the same requests over and over (see: consent fatigue), and long legalese documents like end-user licence agreements or terms of service are rarely read in full.

Enter universal consent. This is how valid user consent is requested, securely stored, managed, and used among organizations’ tech and marketing stacks to ensure that valid consent controls what data companies have on users and how it’s used.

There are a variety of activities for which online users must be asked for consent, and via which their personal data can be collected and used. This includes multiple data sources for zero-, first-, and third-party data, such as:

• cookies and other tracking technologies
• profiling
• targeted/personalized advertising
• use of automated decision-making (LLMs/AI tools)
• sale of data
• access to sensitive personal information (including that of children)
• communications (typically for sales or marketing purposes)
• terms of service/use or other contractual legal documents

Most obviously, companies wanting to remain in business and not incur large fines and other penalties, loss of brand reputation, and exodus of customers and consumer trust need to comply with relevant privacy regulations (and regulations with data privacy components).

Especially for digital businesses, the odds of their customer base being global can be quite high, which can mean they need to comply with multiple data privacy regulations in multiple regions, providing users with different information and consent choices.

Companies can also have to comply with multiple regulations in multiple regions beyond those explicitly for user privacy, like the laws in the Digital Services Act package or Germany’s Telecommunications Telemedia Data Protection Act (TTDPA). Managing all these regulations, their requirements, and managing and protecting users’ consent information (and personal data) can become extremely complex and a significant burden to smaller businesses with limited resources.

Being able to centralize consent management could help streamline a lot of functions, better enable compliance, improve user experience, and reduce the risk of errors that could lead to violations.

Regulations not only require that valid consent be obtained from users, but that it be securely stored and available in case of audit or data subject access requests. Increasingly, that consent information also needs to be able to be shared or signaled with other platforms to ensure services in use, e.g. for advertising or analytics, only collect and use user data compliantly.

It’s important to ensure that users are notified correctly, asked for consent by valid means, that adequate measures are taken to protect their choices, and that the information can be clearly signaled to services like Google’s to control their data gathering or use functions.

Furthermore, companies may need users’ consent for use of their products and services or for sharing their information with partners. This information also needs to be clear and securely recorded to protect companies’ operations.

As also mentioned, typically under privacy laws data protection authorities can initiate investigations and audits, and in case of a complaint, the burden of proof is on the company to show that they received user consent for the data collected or processing performed.

In addition to consumers’ right to complain to data protection authorities about potential data privacy violations or data misuse, it’s also increasingly common for users to have the right to make data subject access requests, i.e. to request and receive from a company all the data that’s been collected about a person. If data is not well documented and centralized, valid compliance with such requests can be time-consuming and very difficult.

Channels via which companies interact with customers are increasing as well, creating more ways to interact with, service, and market to customers, as well collect data and establish preferences. This also means more data and uses for which consent must be obtained, and increasing requirements from businesses for sophisticated and integrated tools. Companies need to be able to manage consent, preference, and permission management for websites, apps, WhatsApp and other communications platforms, chat, phone, etc. in one place, and be able to use the information collected across the marketing ecosystem.

Especially for larger companies, it’s critical for operational efficiency to be able to fulfill these requests in an automated and timely manner, given regulatory requirements for expediency and the potential volume of requests large companies can receive. By necessity, it would make sense for all relevant information to be accessible in a centralized location, with protection and access through consistent measures.

One way to look at data processing is that consent management asks, “What may we have?” Preference management, on the other hand, asks customers, “What do you want?

When the two are combined, companies can comply with data privacy requirements while also getting more and higher quality data — some of it directly from the data subject — referred to as “zero-party data”.

When companies employ universal consent and preference management they have a centralized and comprehensive source of customer information — a 360-degree view — that includes legal requirements, like consent preferences and terms of service agreements, and critical marketing insight data, like what products and services people are interested in, when they tend to buy, and how they like to be contacted.

This view includes first-party data, collected about user activities from sources data subjects use, like web browsers, for which consent is often required, as well as zero-party data, which, as noted, comes directly from users. And it will still include some third-party data, obtained from sources like advertisers, for which consent has traditionally not often been obtained. This type of data also often has to be aggregated to be useful.

It makes data easier to locate, access, and keep up to date. It facilitates sharing it, with relevant controls, across teams, marketing systems, or with third-party partners. And it makes it easier to provide in a timely manner to data protection authorities or customers to request access to it.

Universal consent management and the universal opt-out signal are both part of consent management and privacy compliance, but are not directly connected. The former is a set of legal, technical, and business functions to achieve and manage data privacy compliance requirements. The latter is an online initiative and a tool to streamline recording and communicating user consent preferences online.

Learn more about Global Privacy Control

The universal opt-out signal or mechanism is also known as Global Privacy Control (GPC). The goal of the initiative is to improve privacy online and provide internet users with greater control over their personal data, along with a specific mechanism to do that.

While there is a group of people and organizations involved, it’s an open initiative that anyone interested in or dedicated to online data privacy can join. Those involved include legal experts, technology professionals, and privacy advocates.

In addition to the group, the GPC or universal opt-out signal is a browser-based global standard for privacy control. The signal is supported by Mozilla and the Electronic Frontier Foundation, and the GPC is currently built into the Mozilla Firefox, Brave, and DuckDuckGo web browsers. There are also browser extensions that include the GPC, so it can be added to other browsers like Google’s Chrome or Apple’s Safari where it is not currently built in.

People can use the signal via browser settings, a universal consent form, or an extension to record their data privacy consent and marketing preferences, which are then saved in the browser. As they go about their activities online — visiting websites, posting on social platforms, ecommerce, etc. — each site they visit can be automatically informed about the user’s consent preferences for use of cookies and other data processing services in use. The user does not have to record their preferences on every site they visit, or every time they visit, e.g. via interactions with a consent banner.

Not all data privacy laws include reference to the universal opt-out signal, but support for it is growing, and statutes requiring it to be recognized have been included in more and more laws passed recently, particularly the state-level privacy laws in the United States.

Adopting universal consent management enables companies to comply with multiple data privacy laws in addition to other regulations and legal, technical, or business requirements related to doing business with customers and users. Using a consent management platform (CMP) like Usercentrics Web CMP, Usercentrics App CMP, or Cookiebot Web CMP, companies can ensure users receive the required notifications, agreements, and consent choices for relevant regulations — in their preferred language.

Universal consent management enables streamlined user experience and easier compliance and corporate fulfillment of requirements like those from privacy audits or data subject access requests. This both helps to build user trust and brand reputation, plus it can save the company’s time and resources.

It enhances marketing activities by enabling detailed and high-quality data profiles of users — particularly in combination with preference management — enabling campaigns to be more targeted, precise, and engaging, saving the company money on wasted efforts and boosting revenue. This information also helps power activities throughout marketing operations and the tech stack, protected by documented and granular consent.

Universal consent management also demonstrates respect for user privacy and dedication to user experience, which also contributes to building trust and cementing the company’s privacy-first reputation. This helps increase engagement long-term and grow customers’ lifetime value.

Users get the satisfaction of knowing companies respect their data privacy and rights, and comply with expressed consent requirements for personal data access and use. It helps people to use the internet to read, shop, socialize, play games, and more worry-free.

It improves interactions with companies and online experiences more broadly when both consent and preferences (via preference management) form the basis of companies’ communications, advertising, and other marketing activities. People get communications in the format and frequency they want, about the topics they want, and provide only the information they want to tailor their experience and interactions with the company.

Users also get more streamlined experiences online, with technology doing more of the heavy lifting to enable users to spend less time interacting with consent banners or agreeing to terms and conditions or other functions repeatedly, ending up with consistent, enjoyable, privacy-compliant experiences online.

These innovations will also make it easier for users to change their preferences over time, adding, changing or withdrawing consent; changing communication preferences for a company; or other expressions of interest or digital housekeeping.

It is likely to take a while for universal consent to become fully mainstream, and for the mechanisms to collect and communicate the information it has available to standardize. But it’s an exciting development for both companies and consumers.

Data privacy regulation is only going to continue to expand, so compliance will become even more critical to companies, especially those wanting to compete and succeed in global markets. Additionally, companies will face continued complexity from other regulations, requirements from business partners, and evolving consumer demands. Universal consent management can help.

Consumers benefit from better online user experiences, especially for privacy compliance and preference management. They can enjoy technology to manage consent, user agreements, and other business inquiries for them, freeing them up to get things done or have fun online knowing their privacy and preferences are respected.

Data protection authorities and companies like the gatekeepers designated by the Digital Markets Act benefit from more streamlined consent signaling from third parties using their platforms, easier investigations and audits, and better integrations among systems. Plus overall greater respect for and observance of data privacy online for everyone.

To learn more about how you can implement consent management and preference management for universal consent management operations, get in touch with one of our experts. Learn about the Usercentrics solutions and get answers to your questions today.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.