What is Consent Management Platform (CMP) & Why Do You Need It?

It’s been common practice for businesses to sell their consumers’ personal information like age, gender, likes, hobbies, where they study, etc. without their consent to marketers. In turn, marketers use this information to show consumers targeted ads. While this sounds harmless, the fact that an individual’s personal information is being passed around like a commodity is the reason why privacy laws such as the CCPA and GDPR have come into effect.

The GDPR has made it mandatory for organizations to ask consumers for consent before selling any part of their personal information. On the other hand, the CCPA requires organizations to provide its consumers the option to object to the sale of their personal data by displaying a button stating “Do Not Sell my Personal Information”.

These laws need to be followed strictly and failure to do so can result in drastic repercussions, as happened with the Cambridge Analytica incident where 50 million Facebook accounts were used for psychological profiling to assist Donald Trump in the 2016 elections. This was done without the consumers being aware and was a massive breach of consent by Facebook. Facebook was said to pay a fine of $633,000 for this breach.

Therefore, setting up a robust consent management system is empirical for any organization intending to process its consumers’ data. However, it’s not as easy as it sounds. This article will talk about why a consent management platform is important and how the adoption of an efficient CMP can prepare any business for compliance with existing and upcoming data privacy regulations.

When is User Consent Required?

Before we move on, let’s first look at how leading privacy laws like GDPR and CCPA define consent management.

Under the GDPR, consent is one of the lawful basis of data processing. Article 7 states that “Consent must be freely given, specific, informed and unambiguous”. This requires that an individual’s consent must be given voluntarily without any pressure or influence that could affect his or her choice. Moreover, an individual must have the ability to withdraw his/her consent at any time, without any detriment. Such withdrawal of consent must be as easy as giving consent.

The law under the CCPA is more commonly known as the right to opt-out which states that “Consumers have the right—at any time—to direct businesses that sell personal information about the consumer to third parties to stop this sale”. However, organizations must provide the option to opt-out of the sale of personal data to its customers by displaying a button stating “Do Not Sell my Personal Information”. This falls under section 1798.120 of the CCPA. The CCPA also requires businesses to record an opt-in consent from minor consumers and consumers who allow the collection, processing and sale of their data in return for a financial incentive.

Propagation Management

The CMP should simplify the notification, collection, and propagation of consent to approved 3rd party solutions to meet business objectives. Key capabilities should include:

1. Adherence to the Interactive Advertising Bureau (IAB) framework

• Consent banner notification that lets users select companies with whom the publisher can share data.
• Enable websites to pass user’s consent decisions down the supply chain.

2. Improve accessibility to consent data

• Push (webhooks) or Pull (API) based flexibility to make consent accessible to internal business applications so that they can make the appropriate decisions while processing personal information.

Map and Correlate

1. Collect, normalize and aggregate consent from multiple sources.

2. Correlate multiple consent actions by the same data subject

• Link consent to identity.
• Provide an enterprise-wide view of consent based on identity and identity categories (customers, employees, vendors, temporary users, etc.).

3. Evaluate policies from a central location

• Detect data that is collected or retained without explicit consent.

Track, Govern and Manage Consent

A CMP should enable and comply with a consumer’s request to opt-out or withdraw consent to the processing or sale of personal data.

1. Consent management portal

• Tools to manage consent globally through a hosted page. Ability to propagate decisions to internal business applications.
• Cookie consent through on-demand consent banner.

2. Integrate consent management into data maps and business process flow diagrams

• Incorporate consent management into data maps.
• Incorporate consent decisions into records of processing activity to satisfy GDPR Article 30 requirements.

3. Single Identity Dashboard

• Visualize consent for each data subject in a single, comprehensive dashboard which includes visualization of PD data processed within the organization for that user and consent validity.

Consent Management Platform Checklist

If you want to know whether your CMP is up to the mark and has all the capabilities necessary to operate efficiently, we have drafted a checklist to help you figure out if your CMP is the one.

1. Duty to Provide Information

• Notify users on how you are using cookies or other technologies.
• Explain the purpose of your cookies and why they are performing these tasks.
• Include this info in an easy to read, find and understand Privacy Policy.

2. Consent

• Obtain your the users’ valid consent to store a cookie and other similar tracking technologies on their device.

3. Setting cookies

• Collect and process data with cookies only with valid consent.

4. Legally compliant documentation

• Document and store consent received from users.

5. Opt-out and Opt-In

• The objection and acceptance must be as simple.

Conclusion

Consent is one of the most, if not the most, important data privacy requirements worldwide. Fulfilling this regulation using manual methods is tedious, costly and risky. Adopting the PrivacyOps framework can help the organization in the following ways:

• Build customized consent collection methods to gather and record consent from a variety of locations including websites, web-forms, SaaS applications and consent databases.
• Use pre-built consent workflow templates to sync consent statuses across 3rd party systems.
• Honor consent revocations easily from offline or non-primary channels.
• Customize the preference center based on functionality, branding and user interaction requirements.
• Visualize consent at the visitor and organizational level using intuitive, easy-to-use dashboards.

Given the increased frequency and severity of enforcement around consent violations, it is wise to invest in automation at an early stage of the compliance process and prepare your organization for data privacy regulations around the world - not just the existing ones but also those that are upcoming.