Is Your Consent Banner Giving You a False Sense of Security?

Updated on August 28, 2024

You might think that having a consent banner is enough to keep up with the latest privacy laws, but think again. In fact, simple mistakes or technical limitations of consent management platforms (CMPs) could be setting you up for a lawsuit.

There’s a new wave of privacy issues targeting consent practices. Some of these issues are created intentionally by companies trying to minimize friction and push people to hit “Accept All”, but most are unintentional and often unknown to the company.

Lawyers are quietly sending demand letters to companies they suspect of engaging in false advertising or Unfair, Deceptive, or Abusive Acts and Practices (UDAAP), as defined by the CFPB. This includes cookie consent banners that fail to give clear and correct information about data collection. 

The FTC has also been clear: deceptive data practices are a big deal. Healthcare companies especially can get into hot water for data collection that may seem like an everyday occurrence on, say, a clothing website. The issue is that ad tech and analytics software are complicated and difficult to monitor behind the scenes. Additionally, there are a number of rules about how you must notify consumers; changing privacy policies without notice, or using hidden pixels, uncategorized cookies or other undisclosed ad tech, can all run afoul of them.

Regulators are now zeroing in on faulty or misleading consent banners. This article dives into why companies are getting in trouble and what you can do to keep your healthcare organization safe from these pitfalls.

Why are organizations getting into trouble with their cookie consent banners?

We’ve broken it down into three main reasons, with some details to consider:

  1. Technical Limitations: Many tools have built-in restrictions preventing them from working as users expect.
  2. Unintentional Mistakes: Sometimes, banners are set up incorrectly without the company realizing it, leading to compliance issues.
  3. Dark Patterns: Some platforms are designed in a way that deliberately misleads users about data collection.  

In short, it’s critical to understand what “correct” looks like as well as the limitations of what a consent banner can and cannot do. 

1. Technical Failures and Limitations of Consent Management Platforms (CMPs)

CMPs have technical limitations and can create a false understanding of what data is actually being collected, leading to violations. These issues often occur behind the scenes, so the organization may be unaware of the issue until they receive a notice or demand letter. Here are some typical technical issues:

  • Inconsistent Cookie Blocking: Cookies are set on the user’s device at page load, before any choice is made, and the consent manager doesn’t reload the page correctly after a user selects “Reject All,” so all the cookies remain set.
  • Missing Cookies and Pixels in the consent notice: In the majority of sites LOKKER has scanned, tracking technologies are still served in a “Reject All” state. Several issues are at work here: pixels are missed, tracking tech is miscategorized or uncategorized, and the tags on a website aren’t up to date. Many tags are dynamic and can change behavior daily, so a monthly or quarterly scan often misses a number of issues.
  • Two different components working together: A user may reject a social media cookie, but if the company is serving a pixel from that social media company, there are still numerous ways that the user’s data is tracked and shared through interactions between cookies and pixels. Ad tech is very good at workarounds! 
  • Neglected Tracking Technologies: Pixels and other tracking tools might be left out of the consent banner, so data could still be collected via different methods, even if users have opted out.
  • Dynamic changes not detected: The technology behind ad tech is very dynamic, so your website might be serving different cookies and pixels on different days. You need tooling to scan every week if not every day. 
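As an added illustration (not LOKKER’s code, nor any CMP vendor’s), the following Node.js simulation models the first two failures above: tags that fire at page load before a choice is made, so “Reject All” leaves their cookies in place, next to a consent-gated loader that holds tags until consent is known and clears cookies belonging to rejected categories. The tag names, categories and cookie names are constructed, and the small cookie jar stands in for document.cookie.

```javascript
// Added example: a page model showing why "Reject All" can leave cookies set,
// and how a consent-gated tag loader avoids it. All names are constructed.

const CATEGORIES = ["strictly_necessary", "functional", "analytics", "targeting"];

// Constructed tag inventory: each tag sets cookies when it runs.
const TAGS = [
  { name: "session-manager", category: "strictly_necessary", cookies: ["sid"] },
  { name: "analytics-vendor", category: "analytics", cookies: ["_an_id", "_an_session"] },
  { name: "ad-pixel", category: "targeting", cookies: ["_adp_uid"] },
];

// Minimal stand-in for document.cookie: a name -> value map.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

function runTag(tag, jar) {
  for (const c of tag.cookies) jar.set(c, `${tag.name}-value`);
}

// "accept_all" grants every category; "reject_all" grants only strictly necessary.
function recordConsent(choice) {
  const granted = new Set(["strictly_necessary"]);
  if (choice === "accept_all") CATEGORIES.forEach((c) => granted.add(c));
  return granted;
}

// Failure mode from the article: every tag fires at page load, and the banner
// only records the preference afterwards. Cookies already set stay in place.
function naivePageLoad(choice) {
  const jar = new CookieJar();
  for (const tag of TAGS) runTag(tag, jar); // fires before the user chooses
  const consent = recordConsent(choice);    // too late to affect anything
  return { consent: [...consent], cookies: jar.names() };
}

// Consent-gated loader: tags are held until consent is known, only granted
// categories run, and cookies from rejected categories are removed, including
// any left over from an earlier visit (the `preexisting` list).
function gatedPageLoad(choice, preexisting = []) {
  const jar = new CookieJar();
  for (const name of preexisting) jar.set(name, "stale");
  const consent = recordConsent(choice);
  for (const tag of TAGS) {
    if (consent.has(tag.category)) {
      runTag(tag, jar);
    } else {
      tag.cookies.forEach((c) => jar.delete(c)); // purge what a rejected tag may have set
    }
  }
  return { consent: [...consent], cookies: jar.names() };
}

// Stand-alone demonstration of the two behaviours after "Reject All".
console.log("naive loader, reject all:", naivePageLoad("reject_all").cookies);
console.log("gated loader, reject all:", gatedPageLoad("reject_all", ["_adp_uid"]).cookies);
```

The naive loader ends “Reject All” with every tracking cookie still present, because nothing ever removes them; the gated loader leaves only the strictly necessary cookie, even when a targeting cookie was already on the device from a previous visit.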

2. Unintentional Mistakes

Much of the work of setting up a CMP is left to the organization to do on its own. This often leads to misunderstandings by those setting up the platform, which in turn lead to ineffective consent management. Here are some common mistakes:

  • Missing Consent Banner: The banner might not appear on particular pages like subdomains, landing pages, or campaign pages. 
  • Inconsistent Scanning Schedule: Trackers often get added after the banner is set up but aren’t picked up by it.
  • Incorrect Tag Categorization: “Targeting” tags might be wrongly labeled as “Strictly Necessary.”
  • Updates to the Site: Marketing or product might add a new piece of functionality to the site but not update the consent banner. Additionally, the actual script that drops a cookie can drop new cookies that the organization doesn’t detect.
  • Assumed Rejection of Cookies: Some believe that if a user rejects “Functional” cookies, they should also be assumed to reject “Marketing” cookies.

3. Misleading Designs in Consent Tools – “Dark Patterns”

Dark patterns are the most obvious examples of deceptive practices. They’re called dark patterns because they trick users into giving consent, whether intentionally or not. While dark patterns aren’t new (the FTC published a report on them in 2022), the rapid increase in the number of state privacy laws requiring opt-in or opt-out mechanisms for data consent has led to more cookie consent banners—research shows about 67% of US companies now use them. This increase means more opportunities to misuse these tools or slip one past the regulators. Poor web usability or bad UX can also lead to issues.

So, what are dark patterns? They are tactics that often involve deceptive interfaces that make it hard for users to decline cookies or fully understand the data they agree to share. Here are some common examples:

  • Pre-selected Consent: Consent checkboxes are pre-checked, making it easy for users to agree unknowingly.
  • Confusing Language: Complex or misleading language makes it hard for users to grasp what they are consenting to.
  • Obscured Decline Options: The “decline” or “reject all” options are hard to find, smaller, or less prominent than the “accept all” button.
  • Frustrating Choices: Users must jump through hoops to reject cookies, while a single, prominent button offers “Accept All” cookies.
  • Lack of Options: The banner offers no real choices, only an “accept” option.
  • Unauthorized Data Sharing: Data is shared even when users haven’t consented.

These practices are designed to boost consent rates at the expense of user privacy and control. Again, sometimes it’s not about intentional deception. Poor web usability or bad UX can also lead to issues.

Any of these issues can land organizations in hot water for misrepresenting their data collection practices, even if the intent wasn’t malicious. So, what’s the solution?

How Can You Protect Your Healthcare Organization from UDAAP Actions?

Confirm that your CMP is working correctly by running a consent verification report. Verify that the CMP loads before other trackers, that it appears on every public-facing page, and that it is updated with the latest technology. Double-check that trackers are correctly categorized—especially those marked as ‘strictly necessary,’ which should only include essential site functions. Scan often using a different tool than the consent manager to check its work.
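To show what such a verification pass looks like in practice, here is an added Node.js example that is not LOKKER’s scanner or any CMP’s reporting. It takes a constructed crawl of a site in the “Reject All” state, compares each contacted host against what the CMP’s configuration declares, and produces findings for the checks in the paragraph above: a missing banner, a tracker firing without consent, a tracker loading before the CMP script, a third-party host labelled “strictly necessary” (flagged as suspicious on the assumption that essential functions are first-party, which is a heuristic, not a rule), and an uncategorized host. The site, vendor hosts and inventory are all made up for the example.

```javascript
// Added example: consent verification over a constructed "Reject All" crawl.
// Nothing here is real tooling; hosts and categories are invented.

const FIRST_PARTY = "example-clinic.test"; // constructed site

// What the CMP configuration claims about each host (constructed).
const INVENTORY = {
  "cmp.example-vendor.test": "cmp",
  "example-clinic.test": "strictly_necessary",
  "analytics.example-vendor.test": "analytics",
  "pixel.example-ads.test": "strictly_necessary", // a third-party ad pixel labelled essential
};

// Constructed crawl results: hosts contacted, in order, after the crawler
// chose "Reject All" wherever a banner was shown.
const PAGES = [
  {
    url: "https://example-clinic.test/",
    bannerShown: true,
    requests: ["example-clinic.test", "cmp.example-vendor.test", "pixel.example-ads.test"],
  },
  {
    url: "https://example-clinic.test/appointments",
    bannerShown: true,
    requests: ["analytics.example-vendor.test", "example-clinic.test", "cmp.example-vendor.test"],
  },
  {
    url: "https://campaign.example-clinic.test/offer", // campaign subdomain without the banner
    bannerShown: false,
    requests: ["campaign.example-clinic.test", "analytics.example-vendor.test", "tag.unknown-vendor.test"],
  },
];

function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Evaluate one crawled page and return a list of { page, check, host } findings.
function checkPage(page, inventory, firstParty) {
  const findings = [];
  const add = (check, host) => findings.push({ page: page.url, check, host });

  if (!page.bannerShown) add("missing_banner", null);

  // Position of the CMP script in the request order (-1 if it never loaded).
  const cmpIndex = page.requests.findIndex((h) => inventory[h] === "cmp");

  page.requests.forEach((host, i) => {
    if (isFirstParty(host, firstParty)) return; // first-party calls are out of scope here
    const category = inventory[host];
    if (category === "cmp") return;
    if (category === undefined) { add("uncategorized_tracker", host); return; }
    if (category === "strictly_necessary") {
      // Heuristic assumption: a third-party host labelled essential needs review.
      add("suspicious_necessary", host);
      return;
    }
    // Any other category must not fire when consent was rejected or never collected.
    add("fires_without_consent", host);
    if (cmpIndex !== -1 && i < cmpIndex) add("loaded_before_cmp", host);
  });
  return findings;
}

// Run every page and tally findings per check for the report summary.
function verifySite(pages, inventory, firstParty) {
  const findings = pages.flatMap((p) => checkPage(p, inventory, firstParty));
  const summary = {};
  for (const f of findings) summary[f.check] = (summary[f.check] || 0) + 1;
  return { findings, summary };
}

const report = verifySite(PAGES, INVENTORY, FIRST_PARTY);
console.log(report.summary);
for (const f of report.findings) console.log(`${f.check}: ${f.host ?? "-"} on ${f.page}`);
```

Running it against the constructed crawl yields six findings: the campaign subdomain has no banner, the analytics host fires on two pages without consent (once before the CMP script even loads), the ad pixel is labelled “strictly necessary” despite being third-party, and one host is absent from the CMP inventory entirely. A real report would be fed by a crawler that visits each page, records the banner state and the network requests, and then applies checks of this shape against the CMP’s declared categories.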

If problems do come up, addressing them promptly can go a long way toward reducing the damage.

Ensure you have a clear, easy-to-access privacy policy written in simple language. Communicate any changes to this policy explicitly to users.

Remember, intent matters and can affect the severity of penalties. In many cases, showing good faith and best efforts can help mitigate damages or penalties. Doing the right thing always helps!

Your CMP is not a catch-all tool for reporting and blocking unauthorized data collection; it’s one piece of the puzzle.