NOTE: This conversation was recorded on January 31st, 2025. It has been slightly modified to tailor the conversation to a blog format, prioritizing readability.
Introduction and Background
Vivek: My name is Vivek Vaidya, one of the founders and CTO of Ketch.
Jodi: And I’m Jodi Daniels, CEO and privacy consultant at Red Clover Advisors.
Vivek: Today we’re discussing consent management.
Jodi: Specifically how it’s evolved since I began working with consent in 2012. What’s your history with privacy and consent?
Vivek: I entered the privacy space around that time, perhaps slightly earlier with the introduction of Ad Choices – the little blue triangle that some might remember. That was my introduction to privacy, sparked by an article about IAB members needing to comply with new requirements.
At our previous company, Krux, a data management platform for media companies and brands, we worked extensively with European clients. Questions about data collection and processing became critical issues early on, particularly because we had German clients as early as 2011-2012. The evolution over the past decade has been fascinating.
The Evolution of Cookie Banners and Consent
Vivek: Let’s look back at where this journey began. The GDPR kicked this off, but people were putting up ‘cookie banners’ as they’re still called, back then.
How has the landscape evolved from then to now?
Jodi: The story begins with cookie banners, and it’s interesting – I often tell clients that many organizations implemented these banners without fully understanding the privacy landscape. It became a case of following industry trends – companies would implement banners because they saw others doing it, creating a domino effect.
Then came U.S. legislation like CCPA and its amendment, CPRA. This sparked new questions about whether “notice at or before collection” requirements necessitated a banner. Even today, privacy professionals have varying interpretations of these requirements.
Organizations now face multiple decisions: Am I supposed to have a banner? Am I not supposed to have a banner? Do I have a notice? Do I have an opt-in? Do I just have custom settings? Do I have nothing? Do I geolocate?
These are complex decisions that companies are still working through.
Current Challenges and Changes
Vivek: Looking at CCPA, CPRA, and the “do not sell” requirements, especially in California, organizations are really focusing on what it means to capture user consent. They’re examining what we’re actually doing with user consent, connecting it to specific purposes, and understanding how we’re using the data.
Users now have more granular choices – they can allow their data to be used for X, Y, and Z, but not for A, B, and C. This shift is becoming more prominent, and it’s encouraging because it gives consumers more control.
The timing of consent capture has also become a key focus. Everyone I talk to about consent or cookie management recognizes that consumers are getting frustrated. Organizations are thinking more carefully about when to ask for consent, how much to ask for, and what timing makes the most sense. These dynamic considerations are coming up more frequently in conversations with our customers.
Consent Duration and User Experience
Jodi: What’s interesting about that is the follow-up question of how long consent should last and when to ask users again.
Vivek: Exactly. From our perspective, this is something that brands and companies with direct consumer relationships need to determine based on their business needs. It ultimately comes down to the purpose of data collection. The consent duration should align with the specific purpose you’re collecting it for.
In some cases, that might be twelve months, in others, three months. It also depends on what consumers are comfortable with. There’s a balance to strike – nobody wants to be asked for permission repeatedly for the same thing. If I’ve said yes to receiving emails about five specific topics because I’m interested, I don’t want that same question every three weeks.
Maybe checking in every six months or annually makes sense, but you need flexibility in how you approach consent renewal timing.
Privacy Laws and AI Impact
Jodi: Companies are facing a complex landscape in 2025. We have nineteen different state privacy laws passed, with sixteen becoming effective, plus global regulations.
Organizations are working to figure out how to evolve, manage consent, coordinate multiple systems, and stay responsive to user preferences. Adding to this complexity is AI – whether you see it as a friend or foe. How are these privacy laws and the rise of AI affecting the consent experience?
Vivek: With AI, there are two main considerations – how it’s built and how it’s used – essentially training and inference. As a consumer, I want the benefits of inference. I appreciate when Amazon recommends books based on my interests. My recommendations are full of espionage and mystery thrillers because that’s what I enjoy reading.
This raises the question – am I comfortable with Amazon using my data to make these discoveries? They need to in order to know my preference for espionage and mystery thrillers. When I receive clear value from my data being used, whether through AI or other means, I’m comfortable with it. I believe many consumers share this perspective.
Google Maps is another great example. Getting accurate directions and real-time traffic updates like accident notifications and alternate routes provides tangible value. The exchange makes sense to me.
The Privacy-Value Exchange
Vivek: People tend to object when experiences become unsettling. Then there’s the business perspective, like the current lawsuits against OpenAI regarding copyright infringement. This adds another layer to the consent discussion.
But for consumers, it often comes down to transparency. If you clearly communicate what data you’re collecting, why you’re collecting it, how you’re using it, and what value I receive in return, most consumers will be receptive.
Jodi: I agree completely. It’s about balancing customer expectations with value delivery. This is where many companies fall short – either lacking transparency or being too vague. If I opt in for a specific purpose and you’re clear about it, I’m comfortable with receiving book recommendations.
But if that information is shared with other companies for different purposes and it’s buried in the terms, that violates expectations. That’s when consumers feel betrayed.
Future Challenges and Solutions
Jodi: The technology landscape is rapidly evolving. I attended CES in January, and what struck me was the absence of a unified theme. Instead, we saw different brands presenting their unique visions for AI and technology implementation.
A significant challenge emerges when we consider data sharing between companies. What happens when a company I’ve shared data with needs to work with partners to deliver their service? I’m curious about your perspective on this.
Vivek: The fundamental principle here is transparency. Companies must be clear about how they’re using customer data. If delivering a service requires integration with other parties, that needs to be disclosed upfront. Take a consumer-facing service using Large Language Models (LLMs) as an example. If a customer provides input that’s processed through an LLM to generate value, that interaction involves third parties.
If I’m not building the LLM internally but using services from OpenAI or Anthropic, I need to communicate that to users. I should disclose that their data will be sent to these providers, explain any agreements in place about data retention, or clarify if we’re paying for services that prevent their data from being used for training. Whatever the arrangement, transparency is essential.
Data Management and Business Practices
Now let’s talk about regulation. The regulatory landscape has shifted consumer expectations. When I interact with a brand and request data deletion or access to my information, I expect comprehensive action – including deletion from all partner systems. That’s the company’s responsibility, not mine.
At Ketch, this is central to our discussions with customers. We’ve focused from day one on helping organizations handle these requests efficiently and automatically through programmatic solutions.
Jodi: Another crucial consideration is the multi-platform experience. As a consumer, if I’ve shared information through an app, mobile site, or desktop, I expect the company to recognize me across these platforms. I shouldn’t have to repeat the process.
Vivek: Absolutely. Cross-device, cross-browser, and cross-platform identity management is essential for consent management. No customer wants to answer the same questions multiple times across different platforms in a short timespan. If I’m your customer and you know how I engage with your brand, this should be seamless.
Jodi: It’s similar to calling a customer service line – you enter all your information in the automated system, only to have a representative ask for the same details again, or worse, getting transferred and having to repeat everything in the automated system. Nobody wants that experience.
Vivek: As an engineer who’s built these systems, I’m often puzzled when customers tell me their data exists in silos and their systems can’t communicate. These considerations should be fundamental from the beginning, but they’re often not.
Jodi: What we’ve found, even from personal experience, is that companies sometimes try to collect everything at once. But it should be a gradual process – crawl, walk, run. When I’m just discovering a brand, I’m not ready to share my full birth date just for a birthday coupon. I might start with a simple 10% discount offer.
First, let me try the products and evaluate my experience. Then we can build a relationship where I’m more comfortable sharing additional information over time.
Future of Consent and Closing Thoughts
Jodi: As Privacy Week draws to a close, I’d like to hear your thoughts on the future of consent. If you had to summarize one big idea, what would it be?
Vivek: The future lies in progressive, just-in-time consent. It’s about being thoughtful regarding when and why you’re capturing consent – does it really need to happen at this specific moment? I believe this approach to consent capture is what we’ll see more of in 2025 and beyond.
Jodi: That’s actually exciting to hear. We’ve been discussing this concept for quite a while. Perhaps this is finally the year it takes hold, much like how we talked about mobile adoption for years before it became ubiquitous.
It’s crucial to remember the importance of user experience in this evolution. We’ve all encountered those frustrating cookie banners that cover entire pages, making it impossible to access mobile apps or even read the notice itself.
The user experience directly influences consent decisions. If someone has a negative experience with how you present privacy options, they’re less likely to grant consent.
Vivek: The language used is equally important – it needs to be precise and clear, not ambiguous. How you present consent and the words you choose make a significant difference.
Jodi: Absolutely. The messaging needs to be clear, understandable, and part of an ongoing conversation. We can’t emphasize enough the importance of connecting with peers and cross-functional teams. Business is dynamic and constantly evolving. We need to ensure new features and innovations are implemented in ways that respect both privacy and user experience.
Get in Touch
Vivek: You can find us at ketch.com, and feel free to reach out to me directly at vivek@ketch.com. I always enjoy these conversations.
Jodi: I’d love to connect as well. Please reach out to Vivek, explore Ketch’s materials and products, and you can find me on LinkedIn. We have lots of resources available and love discussing privacy. Come join the conversation!
Vivek: Privacy is cool.
Jodi: Privacy is cool. Thank you, everyone.
Watch a replay of The New Era of Consent: Strategy for 2025 and Beyond.
Cookie Management Roadmap
Check out our Cookie Management Roadmap for tips and guidance to help you streamline your cookie review.
