Posted by Darren Guarnaccia, January 17, 2020

Implement your organization’s consent practices in a compliant way

A recent study by a U.S. university has raised important questions about how companies are using consent management platforms (CMPs) to implement their GDPR compliance. The research article and some press coverage have implied that CMP providers are somehow encouraging brands to implement their consent practices in a non-compliant way. While we can’t speak for other vendors, we’d like to emphasize that Crownpeak’s offering ships a compliant platform out-of-the-box – our default configuration is set up to enforce prior consent, the strict legal interpretation approach – which aims to encourage our customers to not only be compliant, but to use good privacy practices as a competitive advantage. However, ultimately the end client chooses how to respond to regulation. We want to provide balance to this one-dimensional story and explain why this issue is more nuanced than the research would lead you to believe.

For years, even before GDPR became law in May 2018, we (and other vendors) have been preparing brands and publishers to become compliant with new regulations, not only to support the changes the brands’ businesses may go through as a result of the laws, but also to ensure the brands’ customers have their privacy preferences protected, while still enjoying a positive online experience.

Embracing privacy 

Our perspective has always been to encourage clients to embrace the regulations beyond what is necessary from the law, not only to avoid the risk of a penalty but because it is in the interests of their customers. Moreover, research shows that consumers buy more from businesses that put privacy at their heart, so it makes financial sense too. 

As mentioned, our default configuration is set up to enforce prior consent – the strict legal interpretation approach – and at this point the client can make changes on the advice of their lawyer to move to more of an implied consent approach if they so wish. Often this is due to a client balancing the functionality needs of their site to provide consumers with an unbroken experience, and the interpretation of the law to ensure they are compliant. 

Moving to an implied consent approach, which is what the research highlighted, is often based on the stance of a client’s legal team on risk and their interpretation of the law, and this decision is ultimately made by the client, not a vendor.

With GDPR being the first major privacy law, many regulators in Europe have been going through a transition period as they – and businesses – adjust to the new processes. Some might say that enforcement has been slower than expected and perhaps created an environment of risk tolerance within organizations. If a client takes a risk-tolerant approach, as a vendor you have very little leverage to push them into doing something they aren’t prepared to do. You can make it simple and easy to be compliant, which we’ve done at Crownpeak.

Building better user relationships 

What else can we as vendors do? We see the implementation of regulations as a positive progression to build better user relationships. The education on this must continue and we hope that a combination of vendor guidance, consumer pressure, and product changes from companies like Apple – which is really doubling down on privacy as a brand value – will make brands more receptive to doing the right thing for the right reason. Then we can move faster to a world where consumers can have their faith and trust in brands restored – and have transparency and control of all their data as the norm.