What Is a Consent-Management Platform (CMP) and How Does It Work?
Maciej Zawadzinski
3x Exited Founder-Turned-VC | Investing in Hard-to-Beat Founders
First-party cookies are the lifeblood of every website, enabling businesses to remember key pieces of information about users and to collect analytics data. Third-party cookies are the bread and butter of AdTech, allowing publishers to monetize their websites, and brands to run advertising and marketing campaigns.
However, the introduction of the EU’s General Data Protection Regulation (GDPR) has significantly changed the way websites and businesses collect, store and use both types of cookies. For one, the GDPR includes cookies in its definition of personal data, which covers any piece of data or information that can identify a visitor.
Collecting and using personal data of EU/EEA citizens and residents must rest on one of the lawful bases for data processing set out in Article 6 of the GDPR. For this reason, publishers and website owners now need to obtain freely given, specific, informed and unambiguous user consent when collecting and using cookies for advertising and marketing purposes.
Considering how many visitors some websites receive each day, the need to effectively manage this process is paramount. A consent-management platform (CMP) makes the consent-collection process much easier and ensures GDPR compliance out of the box.
What Is a Consent-Management Platform?
Consent management is the process that allows websites to meet the EU regulatory requirements regarding consent collection. With a consent-management platform (CMP) in place, a website has the technical capability to inform visitors about the types of data it will collect and to ask for their consent for specific data-processing purposes.
Some of the regulatory obligations facilitated by consent-management platforms include:
- Displaying consent pop-ups and widgets to users,
- Collecting and storing information about visitor consent decisions, and keeping record of changes thereof,
- Before consent is given, collecting only pre-approved data by firing only accepted tags,
- Collecting and managing data-subject requests – e.g. dealing with visitors’ requests to access, rectify, move and erase their data.
What Does the User-Consent Collection Process Look Like?
While the process of collecting and storing user consent will differ from tool to tool, below is an example of how this process could look from a technical perspective:
The process of collecting and storing user consent from a technical perspective.
Does My Website Need a Consent-Management Platform?
Regardless of where an organization is based (in the EU or otherwise), its website must meet regulatory obligations when processing EU/EEA citizens’ data or the business will face financial penalties.
Asking for consent when processing users’ personal data is one of the most important duties imposed on website owners by the GDPR.
However, even with the GDPR several months in force, many leading international AdTech vendors – Google included – still don’t allow companies to conveniently collect and manage GDPR-compliant consents when using their technology platforms.
At the same time, though, they explicitly require companies integrating Google products to inform data subjects about data processing and collect consents accordingly. This is why third-party consent-management solutions like Piwik PRO Consent Manager are needed to collect consent for data processing and allow users to exercise their right to access, rectification, portability and erasure of data.
In short, a website needs a consent-management platform if any of the following activities are taking place:
- Processing of personal data: the use of personal data for purposes like behavioral advertising, remarketing, analytics, content personalization and email marketing.
- Automated decision making, such as behavioral profiling.
- Overseas transfer of data: when companies collect EU citizens’ data for processing outside the EU.
Considering the far-reaching implications of the consent obligation, most consumer-facing businesses need to collect user consent as a basis for lawful data processing.
This makes consent a necessary condition to implement a vast majority of advertising and marketing activities like email marketing, remarketing, profiling, personalization, etc., all involving data processing.
However, there are some exceptions. Not all activities require collecting consent from users. There are five grounds for lawful data processing without user consent.
When Is User Consent NOT Needed?
Consent is one of six lawful bases for processing personal data. Apart from consent, the GDPR provides five further bases under which user data may be processed without collecting consent. These situations include:
- Contractual requirement. When you supply goods or services requested by a data subject, processing their data may be a prerequisite for fulfilling the order – e.g. a user must provide an address to have their products sent to them by an e-commerce website.
- Legal obligation. When processing a particular type of data is a legal obligation, such as the processing of criminal records.
- Vital interest. If processing user data is vital for the protection of someone’s life. Healthcare and insurance sectors, for example, don’t need to ask for consent.
- Performance of public tasks. Authorities performing their official functions or tasks in the public interest don’t need to comply with consent-collection requirements – e.g. government departments, schools, hospitals, and the police.
- Legitimate interest. When there is a genuine reason for processing personal data without consent. Interpretations of this legal ground may vary, but a good example would be risk assessment or checking children’s age, such as in an online liquor store.
Naturally, in some of the above cases the data processor’s interests and the interests of the individual must be balanced: the former cannot outweigh the negative effects on the individual’s rights and freedoms. This isn’t obvious to everyone, as some AdTech companies rely on wrongheaded interpretations of legitimate interest as the legal ground for collecting and using personal data for profiling and targeting. The GDPR addresses these situations specifically in Article 6:
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Core Functionalities of a CMP
A functional consent-management platform should cover the whole visitor life cycle, from getting the consent of a new visitor to handling their data-subject request.
Collection of Consents
First off, users must be informed that their personal data is being processed. Detailed information about the scope of data processing should be included in the Privacy Policy or a pop-up notice (or both). At the same time, you must let users decide if they agree to the specific purposes of processing.
While the GDPR does not clearly indicate what a consent request should look like, pop-up boxes are considered to be the industry standard and are the most common implementation.
A single consent form is useful when consent is requested for a single purpose. Here: analytics (Source: Piwik PRO Consent Manager)
Users must be allowed to give their consent in a free manner – e.g. access to website content cannot be contingent on obtaining user consent for remarketing. Consent should also be granular; users must be allowed to selectively decide what types of tracking, analytics and other activities their data can be used for.
An example of an extended consent form that allows users to give consent in a more granular manner – i.e. selectively for a number of processing purposes (analytics, remarketing or content personalization). (Source: Piwik PRO Consent Manager)
A consent-management platform will ensure that a user’s selection will be remembered and respected. The data will only be used for the purposes agreed to by the user.
Information about the choices is stored in a first-party cookie, which means that users will be requested to give their consent again after deleting browser cookies or switching to another device or browser.
The database of all visitors’ consents is accessible to the owner of the website from the CMP admin panel. Depending on the settings in the CMP, consent decisions can be saved for a limited period of time. Users can also be reminded at regular intervals to state their consent decision if they haven’t yet done so.
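As an added example (not Piwik PRO’s or any CMP’s own code), the JavaScript below shows how the storage described in the last two paragraphs can be implemented: the per-purpose decision is written to a first-party cookie with an explicit decision timestamp and a capped lifetime, read back on later page views, and the visitor is asked again when the record is missing, malformed or older than the retention period configured in the CMP. The cookie name, payload layout, purpose list and function names are assumptions made for this illustration.

```javascript
// Added example, not code from the page or from any CMP vendor.
// Cookie name, schema version and purpose list are assumptions.
const CONSENT_COOKIE = "cmp_consent";
const SCHEMA_VERSION = 1;   // bump whenever the payload layout changes
const PURPOSES = ["analytics", "remarketing", "personalization"];

// Build the Set-Cookie value that stores one decision. Every purpose is
// written explicitly (true/false) so a missing key is never mistaken for a
// refusal or, worse, for a grant.
function serializeConsent(decisions, decidedAt, maxAgeDays) {
  const payload = { v: SCHEMA_VERSION, t: decidedAt, p: {} };   // t: ms since epoch
  for (const purpose of PURPOSES) {
    payload.p[purpose] = decisions[purpose] === true;   // anything but explicit true is "no"
  }
  const value = encodeURIComponent(JSON.stringify(payload));
  const maxAge = maxAgeDays * 24 * 60 * 60;
  // First-party, HTTPS-only, not attached to cross-site requests; the CMP
  // script still needs to read it, so it is deliberately not HttpOnly.
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Parse a Cookie request header (or document.cookie) and return the stored
// decision, or null when there is none or it cannot be trusted.
function parseConsent(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const payload = JSON.parse(decodeURIComponent(rest.join("=")));
      if (payload.v !== SCHEMA_VERSION || typeof payload.t !== "number") return null;
      const purposes = {};
      for (const purpose of PURPOSES) purposes[purpose] = payload.p[purpose] === true;
      return { decidedAt: payload.t, purposes };
    } catch (e) {
      return null;   // tampered or malformed cookie: treated as "no decision yet"
    }
  }
  return null;
}

// The visitor must be asked (again) when no valid decision exists or the
// stored one is older than the retention period set in the CMP.
function needsPrompt(consent, now, maxAgeDays) {
  if (consent === null) return true;
  return now - consent.decidedAt > maxAgeDays * 24 * 60 * 60 * 1000;
}

// Purposes the stored decision actually permits; nothing is permitted by default.
function allowedPurposes(consent) {
  if (consent === null) return [];
  return PURPOSES.filter((purpose) => consent.purposes[purpose]);
}
```

The two design points worth copying are that the cookie carries its own decision timestamp (the browser’s cookie expiry alone cannot be read back by script, so the CMP could not otherwise tell how old a decision is) and that any unreadable or unexpected payload is treated as no consent rather than as consent.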
Keeping Record of Collected Data
A CMP also makes processing data subjects’ requests less complicated by lightening the load during GDPR-compliance audits. Data-privacy authorities may ask you to demonstrate that lawful consent was collected from your users, meaning the following documentation must be kept:
- Who gave consent (the name of the individual or another identifier, usually an email address, cookie, or device ID).
- When the consent was given (an online record that includes a timestamp).
- What the user consented to (a list of the specific purposes for using personal data that they agreed to).
- Whether, and when, the consent was withdrawn or changed (an online record that includes a timestamp).
In addition to the widgets and pop-ups displayed to users, Consent Manager provides an admin panel where you can observe and examine all the consents and data-subject requests. (Source: Piwik PRO Consent Manager)
Documentation of consent information has a twofold benefit. As a data processor or controller, it serves as a means to:
- Demonstrate to the authorities that you have a system that keeps consent information in a single place.
- Process data respecting subjects’ rights under the GDPR, such as: right of access (Art. 15), right to rectification (Art. 16), right to erasure (right to be forgotten) (Art. 17), right to restrict processing (Art. 18), right to data portability (Art. 20) and right to object to processing (Art. 21).
Offering Users a Way to Change Their Consent and Move the Data
Collecting consent, however, is only one of the duties the GDPR imposes on the data controller. A CMP must provide for situations when users want to exercise their right to rectify and erase their data – i.e. revoke the consent or adjust their consent status as they see fit.
CMPs offer a means to handle consent-decision changes. (Source: Piwik PRO Consent Manager)
A consent-management platform should give users free access to the consent pop-up, letting them adjust consent decisions for specific purposes and exercise other user rights at any time.
According to the GDPR, and upon user request, the personal data concerning a data subject must be made available to the user in a structured, commonly used and machine-readable format. This is the right to data portability (Art. 20, listed above); the user must be able to transmit such data easily to another controller.
What Are the Additional Benefits of Using a CMP?
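The following is an added example (not Piwik PRO’s or any CMP’s code) that ties together the record-keeping checklist above (who, when, what, and whether/when consent was withdrawn or changed) and this paragraph’s machine-readable export: an append-only consent ledger from which the current status, the audit trail and a JSON portability export for one data subject are derived. Field names, the schema tag and the sample records are constructed for this illustration; entries are assumed to be appended in chronological order.

```javascript
// Added example, not code from the page or from any CMP vendor.
// Append-only: a change of mind is a new entry, never an edit of an old one,
// so the log can always answer "what did we hold as consented at time T?".
function createLedger() {
  return { entries: [] };
}

// subjectId: the identifier the consent is tied to (cookie id, device id, email).
// purposes: purposes granted in this decision; an empty array records a refusal.
// at: ISO-8601 timestamp of the decision. source: where it was made (assumed values).
function recordDecision(ledger, subjectId, purposes, at, source) {
  const entry = {
    seq: ledger.entries.length,               // position in the log, never reused
    subjectId,
    at,
    action: "decision",
    purposes: [...new Set(purposes)].sort(),  // de-duplicated, stable order
    source,
  };
  ledger.entries.push(entry);
  return entry;
}

// Withdrawal is its own action so the time of revocation is explicit in the
// record, which is one of the four items an auditor will ask for.
function recordWithdrawal(ledger, subjectId, at, source) {
  const entry = { seq: ledger.entries.length, subjectId, at, action: "withdrawal", purposes: [], source };
  ledger.entries.push(entry);
  return entry;
}

// Current state for a subject: the latest entry wins. No entry means no consent.
function currentConsent(ledger, subjectId) {
  const own = ledger.entries.filter((e) => e.subjectId === subjectId);
  if (own.length === 0) return { status: "none", purposes: [] };
  const last = own[own.length - 1];
  return {
    status: last.action === "withdrawal" ? "withdrawn" : "decided",
    purposes: last.purposes,
    since: last.at,
  };
}

// The auditor's questions for one subject: when, what, and each change.
function auditTrail(ledger, subjectId) {
  return ledger.entries
    .filter((e) => e.subjectId === subjectId)
    .map((e) => ({ when: e.at, what: e.purposes, changed: e.action, source: e.source }));
}

// Portability export: everything the ledger holds about the subject, as JSON,
// i.e. a structured, commonly used, machine-readable format.
function exportSubject(ledger, subjectId, generatedAt) {
  return JSON.stringify({
    schema: "consent-export/1",   // assumed schema tag for the export format
    subjectId,
    generatedAt,
    consent: currentConsent(ledger, subjectId),
    history: auditTrail(ledger, subjectId),
  }, null, 2);
}
```

Keeping the history immutable is what lets the same store serve both the audit (proving what was consented to and when it was withdrawn) and the subject’s own access and portability requests; an erasure request should therefore remove or pseudonymize the identifier rather than delete the withdrawal record that proves processing stopped.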
On the backend side, a CMP should offer an admin panel that allows the data controller to achieve three goals:
Adjusting the Mechanism of Firing Tracking Tags for Specific Pages
The consent mechanism can be switched off for a particular page or section of the website. New visitors to that section are then opted in by default, whereas elsewhere new visitors are shown the consent pop-up.
Deciding Which Types of Tracking Codes Require Consent
The data controller can decide which scripts are fired automatically for every visitor, and which are fired only after the user’s consent has been received.
Composing a Pop-Up Message
A CMP should offer a user-friendly editor allowing data controllers to create a pop-up that matches their website’s design. The pop-up will be shown to first-time visitors or those who have already been there but haven’t selected their consent settings.
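The firing decision that the “which tracking codes require consent” setting above configures, as an added example that is not the page’s or any vendor’s code: a tag registry marks which scripts run for every visitor and which are gated on a named purpose, and a planner works out per page view what may run, what is held and why, and what must be stopped once a visitor changes their decision. The registry entries, purpose names and function names are assumptions for this illustration.

```javascript
// Added example, not code from the page or from any CMP vendor.
// A registry as a data controller might configure it in the CMP admin panel.
// Tags that need no consent are the strictly necessary ones (e.g. the CMP
// script itself); every other tag is tied to exactly one processing purpose.
const TAG_REGISTRY = [
  { id: "cmp-core",      purpose: null,              requiresConsent: false },
  { id: "web-analytics", purpose: "analytics",       requiresConsent: true },
  { id: "ads-pixel",     purpose: "remarketing",     requiresConsent: true },
  { id: "recommender",   purpose: "personalization", requiresConsent: true },
];

// Catch misconfiguration before it reaches production: a consent-gated tag
// without a purpose could never be matched to a decision.
function validateRegistry(registry) {
  const errors = [];
  const seen = new Set();
  for (const tag of registry) {
    if (seen.has(tag.id)) errors.push(`duplicate tag id: ${tag.id}`);
    seen.add(tag.id);
    if (tag.requiresConsent && typeof tag.purpose !== "string") {
      errors.push(`consent-gated tag without purpose: ${tag.id}`);
    }
  }
  return errors;
}

// consent: { status: "none" | "decided", purposes: { analytics: true, ... } }
// Returns the ids allowed to fire and, for each held tag, the reason.
function planTagFiring(registry, consent) {
  const fire = [];
  const held = {};
  for (const tag of registry) {
    if (!tag.requiresConsent) { fire.push(tag.id); continue; }
    if (consent.status !== "decided") {
      held[tag.id] = "awaiting-decision";   // pop-up not answered yet: never fire
      continue;
    }
    if (consent.purposes[tag.purpose] === true) fire.push(tag.id);
    else held[tag.id] = `purpose-refused:${tag.purpose}`;
  }
  return { fire, held };
}

// After a change of decision: tags whose purpose was withdrawn must be stopped
// (their cookies deleted, script not loaded on the next view), newly granted
// ones may start.
function diffPlans(before, after) {
  const stop = before.fire.filter((id) => !after.fire.includes(id));
  const start = after.fire.filter((id) => !before.fire.includes(id));
  return { start, stop };
}
```

Recording a reason for every held tag is cheap and makes the behaviour auditable: a debugging view in the admin panel can show exactly why a pixel did not fire on a given visit, which is also the evidence you want when demonstrating to an authority that refused purposes were respected.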
The IAB’s GDPR Transparency and Consent Framework
The IAB GDPR Transparency and Consent Framework is used by AdTech vendors as a reference for sharing consent information with one another and proposes ways to collect it.
It standardizes the process of getting Internet users’ consent for data processing and regulates how this information is relayed further down the advertising supply chain. Think of it as a book of good practices for collecting and sharing consent information. However, the framework does not provide many specific guidelines concerning handling data-subject requests (right of access, right to rectification, right to erasure, etc.) or keeping proper records of consents.
We’ve written about the IAB’s GDPR Transparency and Consent Framework in more detail in another post on the Clearcode blog detailing its benefits and pitfalls.
Final Thoughts
Companies wanting to respect users’ privacy and remain GDPR-compliant cannot ignore the importance of consent collection. Unrestrained advertising and analytics with unlimited processing of user data – something that yesteryear’s AdTech took for granted – is no longer legally viable without user consent.
Collection of user consent is the pillar of lawful data processing and is required for almost every effective marketing and advertising purpose. Implementing a consent-management platform is the most sensible decision a business can take to stay on top of the GDPR game.