The General Data Protection Regulation (GDPR) has been in effect for almost a year, and as you might imagine, companies have started taking consumer consent far more seriously with regard to data collection, storage and usage. For smaller sites and businesses, habits needed tweaking. For larger sites with high volumes of traffic, a more methodical approach was required to remain GDPR compliant. That’s where a consent management system comes in handy.
What Is a Consent Management Platform (CMP)?
Consent management refers to a process that allows a website to meet GDPR regulation by obtaining user consent for collecting their data through cookies during their visit. A consent management platform (CMP) enables brands to automate their consent management process, making it easier to be GDPR compliant.
Steve Pritchard, managing director of It Works Media, explained how a CMP works in the case of a corporate website. “A CMP is used to inform visitors about the types of data they’ll collect and what they will use it for. They store visitor consent data and deal with visitors’ requests to make alterations about the data the website has collected about them, including requests to access and erase this data. It is a necessary platform for websites to meet EU regulations for data collection,” explained Pritchard.
When collecting consent, visitors will often see a pop-up form appear when the website initially loads up that will request them to specify what data can be collected before continuing on to the website. Pritchard also explained that every CMP is different. “From a technical perspective, every CMP looks different, so the way it looks or is implemented will vary depending on what tool you are using. Some may be highly technical, whereas other, more simple tools may just work through a [check] box process.”
Why Should Brands Invest in a Consent Management Platform?
Helen Amour, marketing manager at Really Simple Systems CRM, explained that you will need a CMP if your consumer base is in the EU. “If your customer base includes EU citizens, you’ll need to comply with GDPR and collect consents before you can mail your contacts. A CMP helps you to comply but doesn’t absolve you of your responsibilities as there are other compliance requirements beyond simply collecting consents.” Pritchard agreed, but added that if you want to collect data for the purpose of analytics and personalization you will need a CMP. Failure to do so will be “a major breach [of] EU and GDPR regulations.”
But it is not just about complying with GDPR for EU citizens. Since GDPR’s introduction back in May 2018, many states have followed suit and introduced their own data privacy regulations that followed a similar model to GDPR. “Just last year, the GDPR established stringent consent requirements for businesses collecting any and all personal data from EU-based users,” said KJ Dearie, product specialist and privacy consultant for Termly. “Within months, California followed suit by passing the California Consumer Privacy Act — a law that plays off the GDPR and adopts some of its consent management requirements.”
Dearie shared that this month, the US Government Accountability Office (GAO) released a 56-page report that advocated the adoption of “federal legislation that mimics the mandates of the GDPR.”
As more privacy laws are being introduced right across the world, Dearie urged brands to incorporate a CMP. “With the rapid institution of privacy laws around the world, there’s hardly a company, website or circumstance that will remain exempt from the need to obtain consent,” said Dearie. “Any company that collects data from users, or participates in the sharing, buying or selling of consumer data, [will need] a dedicated solution to obtaining and managing consents.”
Under the GDPR, When Is User Consent Required?
According to GDPR regulation, there are five specific conditions that allow you to process user consent. They are:
- Contractual requirement - On supplying goods and services, consent may be a prerequisite to fulfilling the order. For example, the user must provide their address to have their products delivered to them.
- Legal obligation - For processing a type of data there may be legal information required, such as criminal records.
- Vital interest - When processing data is required or "vital" for the protection of one’s life, then you do not need consent. Healthcare and insurance providers don’t ask for consent.
- Performance of public tasks - Authorities who perform tasks or functions in the public interest do not need to comply with the consent collection process. These include schools, hospitals, government departments and the police.
- Legitimate interest - Personal data is processed without consent if there is a genuine reason to do so. This will vary legally from case to case as there will be different interpretations to consider.
“There are a few exceptions which allow you to process personal data without consent,” Pritchard said. “This includes things like ‘vital interest’ which allows you to process data when it is vital for the protection of someone’s life, or when processing data is necessary for legal reasons,” he continued.
Pritchard added that if you are not sure whether consent is needed or not, it would be “wise” to utilize a CMP to be on the safe side.