As CMPs for website technologies are a recent development, below are some objective criteria resulting from legal and technical implications that should be considered when selecting a CMP.
Criteria for selecting the right Website Consent Management Platform
A simple situation that becomes complex under the GDPR is visiting a website. If a website has integrated tags (cookies, pixels, fingerprints, and similar technologies), it needs the prior consent of the website visitor if its purpose is something like tracking, retargeting or profiling, as the data collected by tags is considered personal data under the GDPR.
Obtaining and documenting that consent of website visitors requires a technical solution. This can be done in-house, but as it is a whole product of its own requiring a lot of maintenance, monitoring of jurisdictions and entails high liability risks, it does make sense to outsource consent management to a specialised provider.
Documentation and storage
Resulting from the obligation to document and proof the consent, server-side and not client-side storage of consents is important. If possible, the consent data should be stored on servers in the EU. The CMP should also be able to offer on-premise hosting of consent data.
The user should initially be given both the option of accepting and rejecting. A cookie wall that leaves the user with no other option but to agree does not comply with the requirements of a freely-given consent.
It should be possible to choose to load technologies requiring consent, only after an opt-in. After an opt-out, technologies should not be loaded anymore, not even the opt-out itself. Sending the user to an external third-party provider website for an opt-out does not constitute an easy withdrawal.
It is very important to be able to control and change the rules for loading tags. In some cases, a company might want to implement ‘soft’ settings – e.g., to load certain technologies such as pure web analysis tags without consent. However, if the verdict of a data authority is to prohibit that, a quick switch to a zero-cookie load setting must be possible.
Consent has to be concrete and therefore granular, so on the website there must be consent to certain technologies. Resulting from that and the principle of data minimalism, consent should only be obtained for technologies that are actually in use on a website.
Subconsents, consent-sharing and piggybacking cases
The CMP should also cover subconsents and consent-sharing, e.g. for affiliated companies within a group, as well as detect piggybacking cases, such as a tag on the website which automatically transfers data to other piggybacked tags that are not on the website themselves, e.g., affiliate tags, which are partially reloaded.
Other third-party technologies
The requirement of consent is not only applicable for tags, but also for other web technologies such as plug-ins and integrated content (e.g., embedded YouTube videos and Google fonts). The obligation for consent might result from factors such as if they entail a data transfer to a third country, such as the US.
Privacy by design
To prevent the CMP from becoming the next ‘data octopus’, client data should be stored separately during the processing. That can be retrieved by not tracking and connecting user agent data, meaning, if the identical user gives consent on one website, the CMP should by default not be able to map that consent to consent on another website, as this would be profiling pursuant to GDPR, which itself requires consent.
IAB Transparency and Consent Framework
The IAB Transparency and Consent Framework is the first industry standard proposing a format of how consent can be transferred programmatically. The selected CMP should support the IAB standard, as in the future personalised advertising will only be controlled with ConsentID in the bid request.
The CMP software should be developed agnostically, so that it is compatible with any tag management and website system.
Design and UI/UX
Complete customisation of the frontend is a key feature of the CMP, as it must be ensured that website visitors do not feel irritated and annoyed by cookie messages – which would destroy any CI and UI/UX efforts.
Business purpose of the CMP provider
The sole business purpose of the provider should be to obtain consent so that the use of the CMP can be based on Article 6 (1) c GDPR. If a provider pursues further business purposes, it might be assumed that consent data will be used for business purposes. Therefore, either a proprietary development with a separate neutral company, or an external provider with privacy-by-design is recommended.
Usercentrics is the leading independent Consent Management Platform for obtaining, managing, documenting and transferring the consent of users across platforms. The solution is IAB-certified, fully customizable and easy-to-implement. The German company is headquartered in Munich and processes several million consents per second.
About the author
Lisa Gradow is Co-Founder of Usercentrics. Prior to that, the data protection and information security expert implemented GDPR and ISO 27001:2013 at Scalable Capital, one of Europe’s largest digital investment managers.