Why Having a Consent Management Platform is Not Enough

Post by
Kate Reinmiller
Why Having a Consent Management Platform is Not Enough

The use of consent management solutions and single opt-out options for data sharing has increased exponentially since the introduction of GDPR in 2018. But just because you have a consent management platform in place doesn't mean you can kick back and relax. 

Assuming CMPs are infallible could be detrimental to your data privacy efforts, resulting in broken relationships with your consumers, damaged business reputations, and hefty fines. All of this can be avoided by having the necessary processes in place to keep your consumers' data safe. 

The conversation around data privacy compliance has developed dramatically in the past few years following the introduction of the California data privacy law (CCPA) and in the current run-up to new U.S. privacy laws arriving in 2023 from Colorado, Virginia, Connecticut, and Utah. Consumers are savvier than ever before about how their personal information is being collected and used. Respecting consumer consent and keeping the personal information you’re entrusted with safe is now the bare minimum that companies should be doing, and are only one piece of the solution.

What is a Consent Management Platform

A CMP is a system that allows you to request, collect, store, and manage the permissions given (and denied) for your user’s personal data. These platforms automate your consent management process to free up your time and supposedly reduce the margin for error.

For example, cookie bars on websites ask for consent to share user data because the business wants to retarget using digital advertising. A consent management platform logs the user's choice to accept or deny this request.

The goal is to make it easier for businesses to manage customer data in ways that are compliant with regulations like GDPR and CCPA, without requiring them to build their own systems from scratch.

Data privacy and consent: when is user consent required?

The first step in getting consent is knowing what you can ask for. There are three categories of data that you need to be aware of:

  • Personal data, which refers to information that can identify a specific person
  • Anonymous or non-personal data, which is not associated with any single person
  • Pseudonymised data, which is personal data that can only be identified with the use of additional information.

Personal data can include anything that identifies a specific person, such as their name, email address, phone number, or IP address. You also need to be careful about collecting information that could identify someone indirectly, like their place of work or the name of their school.

Consent is required for tracking and targeting that uses personal and pseudonymised data. This includes tracking across multiple devices, as well as sharing information with third parties or other entities within the same company (such as a marketing team). If you engage in any of these activities, you must obtain explicit user consent before proceeding with the activity.

Consent Management and the Law

Gaining consent from users is not a courtesy anymore, it’s a must-do under data privacy law in the U.S, EU, and Britain.

It is predicted that 75 percent of the world's population will be under consent-based privacy laws by 2023, so getting it right should be a priority. We already have some relevant laws and regulations in place, including GDPR in the EU and The California Consumer Privacy Act (CCPA), but four new US state laws are arriving in 2023, and many more are likely to follow suit.

As mentioned earlier, lengthy discussions around these new laws are starting to change how we think about consent management and why having a CMP isn't enough on its own.

Consent Management is More Than Just Cookie Consent

Web cookies often monopolize the data privacy conversation, but they are just one form of gathering users’ personal data. Cookies can constitute personal data subject to GDPR, CCPA, and potential future regulations. Therefore, deploying a cookie banner on your website is important, but the compliance work for businesses cannot end there.

Under CCPA, the term “sell” is defined as making data available "for monetary or other valuable consideration." Retail giant Sephora is the first company to be fined under CCPA after failing to tell its customers they were selling their data, and not respecting opt-out requests. The company is required to pay $1.2m in penalties and is under an injunction to report back annually on errors processing opt-outs and steps taken to fix those errors. 

In a nutshell, any personal information passed between entities without explicit consent, regardless of the collection method, is in violation of the regulation.

Consent Management Does Not Complete Privacy Compliance

The good news is that a CMP gives you some control over your data than you wouldn't have otherwise. The bad news? A CMP is not enough on its own. In fact, if you are running programmatic retargeting campaigns, they don’t even cover the minimum requirements.

When an auditing or enforcing entity examines your company’s digital properties, they will care about the end result, which is your ability to either comply or not. The onus is on your company to ensure that your CMP investment is actually functioning properly and that signals are passed properly beyond your website.

There are three challenges to be aware of when managing your CMP:

  1. CMP signal failure

Unfortunately, 37% of CMP signal routinely fail. When a user opts in/out, consent signals are sent to the CMP, which then dictates how that information is used moving forward. However, these consent signals fail over one-third of the time. Our team worked with a health content publisher whose consent failures exceeded 51%! These are known as dark signals.

These technical mistakes have implications beyond your own business. If a consent signal fails when your user opts out of cookies and third-party tracking, your CMP won’t log this action. This means you will transmit that personal information to your data partners without permission, and leave you open to third party skimming, putting your brand at risk.

  1. Flawed Integration from your CMP to Ad Serving Partners

One of the lesser understood challenges is the transmission of data from the CMP into the advertising ecosystem. Even if your data is collected accurately and stored in your CMP, there is additional risk when that data leaves the safety of your internal systems and is used in offsite programmatic advertising.  

IBA, interest based advertising, is dependent on the signals provided to deliver targeted advertising. If the signal from your CMP breaks as it’s transmitted to your demand-side platform (DSP) or  supply-side platform (SSP) during ad delivery, visitors who have opted-out, can be incorrectly shown a retargeted ad. On the flip side, a user that has consented to targeted advertising might not be served an ad, which is a missed opportunity. 

Advertisers and publishers are accountable for ensuring that these signals stay intact, even if break downs are unintentional – which can be challenging given the vast number of technologies, auctions, and network requests that are required during the ad delivery process. 

  1. Lack of time and/or expertise

The hardest part about data compliance is understanding exactly what should and shouldn’t be done, and what risks exist within your current advertising and data sharing practices. Privacy compliance is often pushed to the bottom of the to-do list or tagged onto a current workers’ job description to tick a box. 

The challenge with CMPs is that they often leave clients to design what users see when they visit a website. Businesses often obfuscate opt out buttons on cookie banners to make opting-out less obvious. This is called a dark pattern. Because they’re purposefully deceptive, it is a practice in direct conflict with the CCPA, and using them also puts you in the firing line of the FTC.

The second challenge is that giving users too many choices degrades the user experience, leading to high opt out and abandonment rates, but too few choices limit the ability to legally process without clear consent.  Without the right internal guidance, these mistakes can be problematic.

 

Audit your data sharing for four areas of risk.

As part of a more comprehensive compliance framework, businesses should audit their data sharing at the four critical checkpoints.

It will soon become a requirement under the CPRA (the amended CCPA coming into force on January 1st 2023) for brands, agencies, and publishers to ensure that consent signals are handled properly throughout the ad delivery chain.

With more clarity around compliance expectations, it's easier than ever for brands, agencies, and publishers to take steps to avoid fines and protect their consumer reputation. There are 4 key checkpoints compliance teams should be monitoring:

  • Verify consent: verify your CMP is handling opt-out and opt-in requests properly. 

It’s typically very difficult to know if your CMP is receiving/sending signals correctly, and therefore consumers often know before you do. This can lead to damaged relationships and loss of customers, affecting your brand image and bottom line.

  • Verify collection: monitor on-page data leakage

This activity is hard to detect, because without a tool like Boltive Privacy Guard™️, you can't keep track of how your data “hops” down the line. Our tool maximizes lawful collection so you can keep your consumer data as safe as possible and reduce the risk of errors that need fixing in the future.

  • Verify vendors: highlight vulnerabilities

Under the CPRA, you must regularly audit data partners for unknown data leaks and malicious practices. This means you are responsible for how others use the data you’ve collected after it has left your internal systems. Business can no longer turn a blind eye, or rely on contract clauses, to distance themselves from the bad practices of partners.  

  • Verify targeting: detect mishandled retargeting

Retargeting consumers who have opted out is a big no-no. Incorrectly sharing their data to a partner who then targets them with ads is an even bigger problem under the CCPA and new regulations. 

Comply with Regulations & Protect Your Reputation

If the thought of potential regulatory action and a huge fine isn’t enough to push data protection to the top of your priority list, perhaps the thought of regularly losing business and damaging your reputation will be. Often, consumers know before you do that their data is being used without their permission and, according to the 2022 Adobe Trust Report, 69% of them will stop buying from you.

You need a solution, and not one that simply tallies privacy risks without mechanisms for remediation. Boltive Privacy Guard is the only solution on the market to audit your set up and alert you to third parties that aren't compliant with expected regulations. 

Boltive puts the power back in your hands. We emulate your customers using synthetic user personas following your opt out flow and then, capturing the ads served to ensure customers aren't being targeted without consent. This methodology confirms that the CMP is handling opt in/out signals correctly, verifies data collection, identifies weak links, and detects incorrect retargeting by you and your data partners. Importantly, we actively seek out this bad activity, rather than stumbling across it, so you can fix it quickly.

For full compliancy without the complicated systems, trial the industry's most comprehensive ad quality solution.