Three Things to Consider When Choosing a Consent Management Platform (CMP)

Disclaimer: The information in this blog is not intended to replace legal advice. However, our products help companies comply with global privacy regulations, so we work with a lot of lawyers and that experience has informed this post.

It has now been over two years since GDPR went into effect, and the CCPA enforcement date has come and gone, but the consent law landscape is anything but set. Privacy regulations continue to be modified and clarified, and new regions are drafting legislation. Despite this, the consent management platform (CMP) market has gone through some homogenization. There are dozens of vendors, and, ostensibly, they all do the same thing: help you customize a banner that, when interacted with, lets your site visitors opt out of (or into, depending on your local privacy laws) data collection options. Yet, when you dig in, not all CMPs are equal. There is a wide range of features and functionality on the market, and your vendor decision has a big impact on how compliant your consent notices will be.

Here are three subjects to think about when choosing a CMP:

Proper GDPR Configuration

In the early days of GDPR, it was common practice for sites in Europe to collect data before any consent was given. With the Planet49 decision, the Court of Justice of the European Union (CJEU) made it clear that this type of behavior was noncompliant. The court ruled that requiring users to “un-check” pre-ticked checkboxes is not a valid form of consent to the use of cookies, as it’s not an “affirmative” action taken by the user, effectively mandating prior consent under GDPR.

Prior consent, also known as “opt-in” consent, means advertising and marketing cookies aren’t dropped unless the user has explicitly given permission for the website to do so. This differs from the “implied consent” so commonly found across the web, which drops cookies on users and suggests that “by using the site, the user agrees to the use of cookies.” Prior consent is a core functionality option for most paid CMPs; however, some consumer-grade or free options do not offer it. In addition, some lower-end CMPs have prior consent functionality but cannot serve different notices based on region and geography, causing problems for global companies trying to comply with multiple regional privacy laws.

Notice Accuracy

One of the main benefits of leveraging a consent management platform (CMP) versus a home-grown solution is that CMPs automatically scan your site and update your notices to contain current vendor and data-sharing information. However, the frequency of those scans varies greatly from CMP to CMP. Most platforms scan monthly, but due to the complexity of the adtech landscape, data-sharing relationships between vendors change much more often than that. When those relationships change, notices can become outdated and pose a compliance risk. To get around this, more advanced CMPs leverage real-time scanning from actual user and browser data, ensuring the highest level of compliance.

Notice Clarity

GDPR requires that data practices are clear and understandable and are presented in plain language. That covers what you are doing with the data, as well as who you are sharing it with and how they handle it. Providing this transparency can also help you build trust with your visitors. There are a couple of things you can do to increase clarity. First, take a vendor-based approach instead of a cookie-based approach. The average site visitor is not technical and cannot make sense of a list of cookies. To make an informed decision, they need to know who dropped the cookie, as well as contextual information about how that vendor handles the data.

Vendor-based (left) vs. Cookie-based (right) notices

Second, leverage categories. Some visitors want to make data access decisions at the individual vendor level, but on sophisticated sites with a lot of martech, that can mean going through dozens of vendors. Data-use categories help bring clarity to your notices and provide a better user experience by lowering the number of data decisions a user must make. It is also important to be able to customize categories by geography, because regional laws have different requirements for categorization. For example, GDPR notices often categorize by functionality (e.g., advertising, analytics, social media), while CCPA requires categorization to be done by type of data (identifiers, geolocation, internet or network activity).

Category-level consent

In a crowded CMP market, choosing the right solution can be difficult, but if you are looking for the highest level of compliance, the decision becomes easier. Evaluating solutions on scanning frequency, notice clarity, and prior consent capabilities helps narrow the field. To learn how Crownpeak can help you quickly achieve the highest level of compliance, request a demo today.