According to the Deloitte Privacy Index 2020 – the firm’s sixth annual assessment of the privacy practices of Australia’s top 100 consumer brands – ‘meaningful consent should now be front and centre for every industry and every sector.’
Yet only 16 per cent of brands offer consumers the option to opt in to marketing activities, and 83 per cent of consumers said they are concerned by internet cookies that track their activity online and use this information for marketing purposes or to sell information on to third parties – highlighting the vast difference between consumer expectations and industry consent practices.
Deloitte national privacy and data protection lead partner and index author David Batch said: “Obtaining consent in the right way is critical for building consumer trust. As we navigate the digital realities of pandemic restrictions, of working and socialising online, as consumers we have become far more aware of the need to secure our privacy.
“At the same time COVID-19 has pressured governments and businesses to use the data they either have, or can collect, to better understand what is required to protect, plan for, and support our health and our economy.
“Australians have overwhelmingly told us they don’t like being marketed to without opting in, or bundled consent, which couples something we do want with something we don’t, especially when it is unnecessary.
“Meaningful consent is the real opportunity for brands in COVID-19 times and beyond. And it is the responsibility of every organisation in Australia that accesses and processes personal information to do its bit in increasing trust in the digital economy.”
For the 2020 Index, Roy Morgan Research surveyed more than 1000 Australian consumers aged 18 and above, asking them about their personal consent-giving practices when interacting with apps and websites and what constitutes meaningful consent to them.
This was compared with an analysis of the websites and mobile applications of Australia’s top 100 consumer brands, which examined the consent behaviours and attributes of those websites and apps as well as sector-level breach and complaints data published by the Office of the Australian Information Commissioner (OAIC). The results were scored and aggregated across 10 industry types to rank each industry and create the Index.
Each year the Deloitte Privacy Index focuses on a different privacy element and as such should not be treated as a like-for-like comparison. By focusing on consent practices in the 2020 Index, sector rankings have shifted.
Retail has jumped from fifth place (#5) to first (#1), demonstrating that, as an industry, it manages consent privacy practices in 2020 better than it managed application privacy practices in 2019. However, this does not indicate that the retail sector provides consent best practices to consumers. The overall industry analysis found that no industry scored above 30 per cent when its consent practices were tested, which demonstrates industry-wide and regulatory immaturity.
“Gaining meaningful consent from consumers, within current legal and technical constraints, isn’t easy,” noted Batch.
“Striking the balance between optimal user experience and obtaining meaningful consent differs across platforms and use cases. Across industry we have seen a lack of maturity in the consent space, such that any updates to Australian law would require significant industry changes and uplift.”
Other key Index findings include:
· 93 per cent of consumers expect a service to provide them with the option, upfront, to opt in to non-essential uses of their personal information rather than having to opt out of these uses.
· None of the top 100 consumer brands met consent best practices for cookie management.
· 52 per cent of brands obtain consent for non-essential cookies through the bundled consent of accepting a privacy policy.
· 7 per cent of the brands that do not mention marketing activities in their privacy policy were found to use marketing cookies when their website was tested.
· Only 21 per cent of brands provided consumers with a comprehensive consent management portal or equivalent that was also fully or partially available from the associated application.
· Only 33 per cent of consumers agree that their consent for non-essential processing is valid when it is obtained through acceptance of the terms and conditions and/or privacy policy.
· 64 per cent obtain this consent through the bundled acceptance of their privacy policy, and of these, 65 per cent limit the functionality of the website without obtaining this consent, meaning consumers have little choice but to consent to marketing activities.
· 50 per cent of consumers stated that they had given consent (when they had previously refused) because they were tired of being continuously asked by the same service.
· Only 7 per cent of consumers said they had a very good understanding of how their personal information would be used after they consented to its use.
· Only 12 per cent of consumers think consent given for non-essential uses should be enduring.
“Although meaningful consent and permission are intrinsically personal, our research overwhelmingly demonstrates a disconnect between what consumers expect and what brands actually do,” noted David Batch.
“No one wants to give consent through constant pop-ups. Nor does a consumer consider consent is given when driven through a catch-all, non-specific privacy notice. The key is in empowering people to choose if, when and how they participate.
“Good consent must be expressly sought and voluntarily given. We’re seeing this in COVID-19 initiatives such as tracing apps, where the concept of care drives voluntary participation and builds trust between community and government.
“If we’re to maintain trust in institutions and corporations, meaningful consent is essential to the bigger picture. Now the community is waking up to the power and value of data, real transparency, fair value exchange and true voluntariness will be required to establish consent and trust.”
The report also outlines five key actions brands can take to improve consent practices:
1. Have a smart consent strategy
Decide whether you want to follow the minimal legal approach to gaining consent, or whether you want to position your brand as a data ethics leader by following best practices.
2. Gain a deep understanding of your data
For most businesses, the biggest hurdles to operationalising consent management are understanding what data they are processing, where it came from and what it is being used for now. To achieve this dynamically and at scale, they need good data governance and management capabilities, and the right technology.
3. Don’t bundle certain consents
Consumers have clearly indicated a strong preference to opt in to certain activities that aren’t essential for the service they seek. These include marketing, online tracking and physical location tracking. Ask for express permission to do these things at the appropriate time in a way that is as ‘frictionless’ as possible.
4. Create an online portal for users
Provide a digital portal for consumers to monitor and change their consents. Make it easy to access, understand and use. This will increase transparency, individual control and trust – demonstrating how consent is taken seriously.
5. Give granular choice in your cookie banners
Give more than two choices in cookie consent banners and avoid the all-or-nothing approach. Allow consumers to opt in to tracking and marketing cookies and don’t have this turned on by default or bundle the consent with other functional, less invasive cookies.