Publishers have long been working on ways to understand more about their readers, changing them from anonymous traffic to identifiable, logged-in readers. For subscriptions publishers, this is old hat, but over the last few years, free-registration and logged-in strategies have become more prevalent across a wider mix of publishers.
Whether it’s to warm up a larger base of readers which a subscription publisher can in time encourage to become paying subscribers, an attempt to compete better with the masses of logged-in user data owned by Facebook and Google, or simply a matter of being able to offer individually-relevant messages, logged-in strategies have become the norm.
In publisher circles, this is often referred to as “authentication” strategies. A user has become identified and therefore authenticated once they have voluntarily supplied information about themselves to that publisher and accepted communications in return.
Now, in the wake of the arrival of the General Data Protection Regulation, and the pending California Consumer Privacy Act, media businesses are increasingly interested in how to attach user consent to these authenticated users. The result: authenticated consent is a term that has started to crop up more and will likely gain more steam in the future.
Here’s a primer.
What exactly is authenticated consent?
It is when a publisher uses tech to tie together the authenticated logged-in user data it already owns with that same user’s data privacy preferences. The more advanced publishers have begun to work on data-privacy preference centers via which users can upload what emails they’d like to receive or not, and whether they’re happy for certain ad tech partners the publisher works with to use their data for example. But in a lot of cases, the reader’s data privacy preferences will be stored by a publisher consent management platform after they have either accepted or declined to give consent for their data to be used via whatever message a publisher has chosen to go with. They then ensure the user credentials are applied across all the devices they use.
Why is it necessary?
A bunch of reasons. There are currently a lot of holes in consent strategies and messages. The way consent is stored is typically based on a combination of IP addresses and what is stored in a cookie. That means that for anyone traveling outside of Europe to another country won’t get the kind of consent message they should as a European citizen under GDPR law. The same goes if a European visits California once the CCPA is introduced next year. The consumer experience could get very messy. Then there is the fact that no one’s consent experience is the same across the multiple devices they use. “Authenticated consent allows you to have a very user-focused consent journey across devices [and across different territories] rather than being hit up with different consent messages,” said Brian Kane, COO of authenticated consent vendor Sourcepoint.
So this is a way to ensure a user’s consent is explicit and informed without any grey areas?
Yes. Currently, most sites running consumer consent requests are flying close to the sun when it comes to GDPR compliance. Some still use default opt-in for users, others don’t even include decline buttons yet, and there are still cookie walls floating about despite the Information Commissioner’s Office ruling them out. Other publishers overload users with information about what ad tech partners they use in their consent message, which means users are often clicking ‘agree’ just to skip through to the content, so their consent isn’t really informed. “Most brands picked the ‘ask for everything up-front’ approach,” said Darren Guarnaccia, chief product officer at privacy vendor Crownpeak. “They’ll ask for your firstborn and left kidney, just asking for too much right away. How do you have informed consent when asking for this dizzying array of things?”
Is this mainly beneficial for publishers and consumers?
Advertisers too. But in theory any player in the digital ad supply chain. Currently, consent signals are pretty binary. Demand-side platforms and agency media buyers bidding on digital ad inventory will see a signal that either shows if a consumer has said yes or no to consent. It doesn’t allow for grades of consent. For instance, if a consumer says yes to receiving weekly emails from a publisher but they may not want to be targeted with ads. Or vice versa. This is something vendors are currently trying to solve for. But also, any media agency would welcome knowing whether or not inventory they’re bidding on has been consented to by informed users who understand totally what they’re consenting to. It’s better for everyone in the long run if they’re to avoid being pulled up by regulators.
The most obvious will simply be how to scale it. But there is evidence to show that quality publishers can build large-scale registered users bases fairly fast. It’s not really feasible to gain authenticated consent without some kind of logged-in strategy.