Privacy & Consent

A Guide to Consent Management Platforms (CMPs)


The General Data Protection Regulation (GDPR) came into effect on the 25th of May last year, requiring publishers and other web-based businesses to follow a set of rules pertaining to the collection, storage, and use of data collected from EU residents, or risk paying heavy fines.

After GDPR came into effect, companies started scrambling to ensure compliance. However, this was not easy, given the complexity of GDPR. Freelance developer Owen Williams started collecting the most embarrassing, silly, and lame attempts by companies trying to comply. “The big challenge is that GDPR is very specific legislation that has a lot of nitty gritty, in-the-weeds details, but not a lot of information about how to comply,” Williams said.

In the aftermath, some companies (Instapaper, Chicago Tribune, LA Times, NPR, USA Today) began blocking EU users entirely or redirecting them to stripped-down versions of their websites in order to reduce their liability. Others (Klout, several online video games) shut down operations completely, citing operational burdens imposed by the regulation.

Suddenly there were thousands of websites that needed to comply with GDPR, and this led to the rise of Consent Management Platforms (CMPs). In this post, we’ll look at what CMPs are, how they work, frequently asked questions, and the best CMPs in the market right now.

What is a Consent Management Platform?

Consent Management Platforms are companies that specialise in helping online businesses achieve GDPR compliance. Most CMPs operate on IAB’s transparency and consent framework.

Let’s talk about what user consent means in this context. Whenever a user interacts with your website, data about the user is collected both actively (pop-ups, sign up widgets, lead generation forms) and passively (by using cookies). Some of this data may contain Personally Identifying Information (PII) such as name, address, phone number, etc.

Without privacy laws and regulations, the companies that collect user data cannot be held accountable, can freely share data with third-parties, and also claim limited or no liability in case of a data breach. Regulations such as GDPR are aimed at protecting the privacy of internet users by giving them the power to manage their consent.

In the post-GDPR world, when a user visits a new website, the website has to seek and record active consent on what data is being collected, who it is being shared with (analytics services, ad networks, social plugins, payment processors), and how long it will be stored for. Meaning, consent is something that needs to be actively managed. Most publishers don’t have the technical wherewithal and systems to methodically record and manage user consent, and that’s what CMPs help them do by providing the necessary tools, consultation, and framework.

How Does a Consent Management Platform Work?

A consent management platform should support the entire lifecycle of a website user, from recording their consent to handling their data access requests. Here are three distinct functional parts that all good CMPs must cover.

1. Collection of user consent

At the first interaction, the user must be informed that the website collects data and then given a choice to either opt in or opt out. A detailed account of how the information will be processed must be provided in the privacy policy. As for recording the consent, the GDPR does not define any specific tools, but the industry-standard implementation generally includes a pop-up box.

2. Recordkeeping of consent

After collecting the consent, the next step is to record it. Most CMPs provide an admin panel where the website owner can review the database of recorded consent. Since websites are liable to be audited for compliance under GDPR, CMPs have to ensure that this database is maintained in a format specified within the regulation, including details like:

  • Who gave consent (email, cookie, device ID)
  • When was the consent given (timestamp)
  • What the user consented to (list of specific purposes for using personal data)
  • Whether, and when, the consent was withdrawn or changed

3. Processing user requests

Consent is not permanent under GDPR and users may withdraw their consent at any time. Users should have access to tools that enable them to rectify or erase their data and/or change their consent settings. Under the right to access data, all the data collected on a user must be supplied in a structured, commonly used and machine-readable format on request.
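The three parts above can be sketched as a single append-only consent log. This is an added example, not code from any CMP or from the IAB framework; the class, field and purpose names are assumptions chosen to mirror the record details listed in part 2.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

ACTIONS = ("granted", "changed", "withdrawn")

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # who: email, cookie ID or device ID
    timestamp: str    # when: ISO 8601, UTC
    action: str       # granted / changed / withdrawn
    purposes: tuple   # what: purposes in force after this event

class ConsentLedger:
    """Append-only log: events are never edited, so history stays auditable."""

    def __init__(self):
        self._events = []

    def record(self, subject_id, action, purposes=(), when=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if action == "withdrawn":
            purposes = ()  # a withdrawal clears every purpose
        elif not purposes:
            raise ValueError("granted/changed needs at least one purpose")
        ts = (when or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(subject_id, ts, action, tuple(sorted(set(purposes))))
        self._events.append(event)
        return event

    def current_purposes(self, subject_id):
        """Purposes in force now: the most recently recorded event wins."""
        for event in reversed(self._events):
            if event.subject_id == subject_id:
                return set(event.purposes)
        return set()  # no record means no consent

    def allows(self, subject_id, purpose):
        """Gate to call before processing data for a given purpose."""
        return purpose in self.current_purposes(subject_id)

    def export(self, subject_id):
        """Machine-readable history for an access request."""
        history = [asdict(e) for e in self._events if e.subject_id == subject_id]
        return json.dumps({"subject_id": subject_id, "history": history,
                           "current_purposes": sorted(self.current_purposes(subject_id))},
                          indent=2)
```

Because a withdrawal is stored as a new event instead of deleting the earlier grant, the log can show an auditor both that consent existed and when it ended.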

Consent Management Platforms FAQs

Q. Haven’t consent tools been around before GDPR?

Yes, they have been. Ever since the EU Cookie Directive went into effect in 2011, websites have had to display cookie-serving notices on their websites. There are a lot of WordPress plugins and third-party tools that enable publishers to serve these notices. However, GDPR is an entirely different beast that requires comprehensive consent management beyond just cookie storage, and therefore we now have consent management platforms.

Q. Does GDPR require publishers to use a CMP?

Not at all. The regulation says very little about the actual implementation of the consent management framework, so publishers are free to build their own solutions if they have the technical bandwidth to do so—and many big publishers have done that. However, most small and medium publishers don’t have the resources to build their own consent management solution, and CMPs offer an out-of-the-box solution that they can simply pay to use.

Q. Are consent management platforms GDPR-compliant?

This is a tricky one. GDPR actually requires consent to be recorded for every vendor with whom user data will be shared. That list can run into hundreds, so most consent management platforms have instead decided to club them into broad categories. Users typically have the option to dive deeper and opt out on a micro-level, but it’s difficult to say how many top CMP vendors that follow the IAB consent framework are actually GDPR-compliant if you go by the book.

Q. Are all CMPs the same?

No, they’re not. CMPs vary vastly in their capabilities and offerings. Google’s attempt at creating a consent management framework, Funding Choices, is free to use for Google publishers but lacks many essential features, and is limited to listing 12 vendors. On the other end you have enterprise solutions that can cost a lot but provide features such as multi-site implementation, a privacy control center for users, and white-label consent pop-ups.

Final Thoughts

GDPR gets a bad rap because it requires rethinking and reorganising how online businesses deal with user data. However, the regulation enables end users to take control of their privacy. Ad tech in particular has an even more strained relationship with GDPR because it has thrived on a lack of transparency. But given how disgruntled users are with intrusive advertising, in the long run, GDPR will help, not harm, ad tech.

Despite the initial hiccups, consent management platforms have proven to be effective. According to Mediavine, CPMs were 52% higher for sites that implemented a CMP, and fill rates were 39% higher. In addition, CMP vendor Quantcast claims a 90% opt-in rate. This means that just because users are being asked for consent does not mean a drop in engagement.
