Using the internet to do business isn’t new. But as people increasingly share personal data online — whether through online shopping, education, banking, bill paying, social media, or even just browsing — consent management has become a buzzword that can’t be ignored.
For companies, the discussion on consent management has centered around rapidly evolving data privacy laws and how to maintain compliance as the landscape changes. Adding to the complexity is that most online businesses no longer cater to a specific geographical region. It can be challenging to understand what data you can collect and whether and how to store it.
Increasingly, the conversation has expanded to how much control a customer has over their own online footprint, how they can safeguard it from use and update their preferences as they wish.
Collecting customer data for advertising or other services creates a web of personal data. In this guide, we outline consent management in its various forms and how companies can benefit from building a solid consent management framework, along with the difference between consent management in the US and the EU, what a cookie consent management platform is, and the benefits of using a consent manager.
What is consent management?
At its most basic level, consent management informs users how your business collects and uses data and provides them with the opportunity to consent or refuse such use. This can be a process, system, policy, or set of policies, and compliant consent management generally consists of implementing more than one best practice.
The key to a consent management framework is ensuring compliance with existing data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Passed in 2016 and 2018 in the European Union and in California, respectively, both govern how personal data can be processed and transferred. They started a sweeping movement for companies to implement and adhere to consent management, as non-compliance can result (and has resulted) in serious fines and penalties.
Regulations leading the way
While other data protection laws are springing up, such as Brazil’s Lei Geral de Proteção de Dados (LGPD), most take inspiration from their predecessors — GDPR and CCPA.
GDPR in a nutshell:
The European Union (EU) has led the charge with privacy regulations and still has the strictest laws with the steepest penalties. Designed to “protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,” the GDPR is regarded as the most significant model legislation throughout the world.
The legislation outlines protection and accountability principles related to data processing and security not just for countries in the European Union but also for all companies that serve users in EU member countries. It lists instances in which it’s legal to collect and process personal data and transparency around this information.
The Cookie Law requires businesses to inform users about cookie use, as well as provide them with an opportunity to refuse the files. When the directive went into effect, several solutions to meet the regulation popped up, including things like plug-ins for websites. Many companies still use these tools today; however, they’re generally not sophisticated enough to meet the stringent rules of the GDPR, which has specific language around gaining opt-in consent (we’ll get to types of consent later).
A brief CCPA explanation:
Soon to be replaced by the California Privacy Rights Act (in 2023), the California Consumer Privacy Act also established data privacy rights that enable users to request data be deleted or corrected. Like the GDPR, the regulation applies to all businesses that have users in the state, not just businesses headquartered there.
Businesses are required to provide certain notices to consumers before collecting personal data, allow consumers to opt-out, and provide a “Do Not Sell My Personal Information” link. Many of the other stipulations mimic the GDPR, but unlike the GDPR, some businesses are exempt based on size, how much data they buy, receive, sell, or other factors.
Why does consent management matter?
There are many reasons every company should take consent management seriously:
Consumers demand transparency in data and privacy:
Perhaps most importantly, privacy and even internet access are considered basic human rights. While many privacy rights were established well before laws about data and online privacy, consumers increasingly demand transparency in their online activities.
Noncompliance can come with legal trouble and fines:
No company is exempt from privacy regulations, but mega-corporations have been repeat offenders in terms of privacy violations. The GDPR is the strictest data protection law and has been used to levy hundreds of fines for companies that operate in the EU. The biggest on record is the $877 million fine issued to Amazon in 2021 for issues related to cookie consent.
The GDPR allows the EU’s Data Protection Authorities to issue fines of up to $24.1 million (€20 million) or 4% of annual global turnover, whichever is higher. Businesses in violation of the CCPA are subject to fines of $2,500 for each violation, or $7,500 for each intentional violation, if they fail to remedy the violation within 30 days of notification of noncompliance.
It builds public trust:
Research in North America has shown that consumer data breaches have eroded people’s trust in companies and their ability to protect sensitive data.
A report by McKinsey on consumer data and privacy has shown that even consumers who weren’t impacted by breaches watched how companies responded to them. The same report highlighted that 87 percent of respondents said they would stop doing business with a company if it gave away sensitive data without permission. “Because the stakes are so high—and awareness of these issues is growing—the way companies handle consumer data and privacy can become a point of differentiation and even a source of competitive business advantage,” it notes.
While a proposed federal law gives users more substantial privacy rights, the United States doesn’t have a comprehensive national law on data privacy. States and companies at an individual level are left to address privacy independently.
Types of consent: opt-in, opt-out, or hybrid
There are three approaches to the type of consent a company provides: opt-in, opt-out, or hybrid. All share a common thread in that they obtain consent to collect, use, and disclose personal information.
Opt-out consent
Most commonly recognized by US consumers, opt-out is a method in which companies divulge that they collect and use data and allow users to opt-out if they wish. With this option, a user must take an action, like unchecking a pre-checked box or filling out a form to withdraw their consent for data to be collected and used.
An article published by the Information Technology & Innovation Foundation suggests that “the overwhelming evidence shows that in most cases opt-out rules for data collection and sharing are better for innovation and productivity while still protecting privacy.”
The CCPA requires websites to disclose the information they collect and its purpose, but it doesn’t stipulate the method in which this is achieved.
It’s important to note that the opt-out method is no longer accepted in the European Union, making opt-in the go-to method for companies who operate internationally as they work to maintain compliance with privacy regulations. The GDPR requires that users opt in and out of the use of data, and if you’re processing sensitive personal data, explicit consent via an opt-in method is required.
Opt-in consent
With opt-in consent, users must take an action to confirm their consent to collect and use information. Companies use this method for opting in to cookies, subscriptions, and more. This option is less common in the US because it makes companies responsible for obtaining consent before processing, rather than users granting consent by default. As states and other geographic regions implement data privacy and management policies, relying solely on this type of policy will become more challenging. Doing so could put a company at risk of falling out of compliance.
Requiring users to manually consent to some or all of a company’s data collection and use policies gives consumers greater control over their data and its use, and having a user-friendly policy can help build trust and loyalty.
GDPR requires consent to be opt-in, while the CCPA only stipulates that consumers have the right to opt out, “meaning, the right to tell a business to stop selling their personal information,” the California Department of Justice notes.
A hybrid model
Because the privacy landscape is rapidly evolving, sometimes the answer to “which option is right for my company?” isn’t clear. A hybrid approach incorporates elements of both opt-in and opt-out models, depending on the type of data being collected and how that data is being used.
An example of a hybrid model would be a company using an opt-out method unless it's collecting sensitive personal information. In that instance, the company would switch to opt-in and receive a user’s explicit consent to collect and process personal data. A hybrid model can provide companies with a solution to be legally compliant with GDPR, CCPA, and other standards while giving users control of their data privacy — a win-win.
Consent management platforms can help
As its name implies, a consent management platform (CMP) is a tool that collects and manages user consent and passes the information downstream to third-party vendors. CMPs automate the consent process, obtain permission for using cookies to track data, and allow users to update their preferences easily.
CMPs comply with ever-changing data privacy laws, helping businesses stay compliant while meeting their business goals. For example, if a company uses third-party apps, such as pixels or social media, scripts are blocked until the user consents to cookies. This keeps third parties from unintentionally making a website non-compliant with privacy regulations.
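A sketch of the gating decision described above, combined with the hybrid rule from the earlier section, added here as an illustration; it is not Osano's code or any CMP's API. The function names, category labels, region codes and sample URLs are hypothetical, and the region-to-model mapping only encodes this article's summary (GDPR opt-in, CCPA opt-out).

```javascript
// Added example: consent-gated script loading. All names are hypothetical.
// Assumption: the region -> consent model mapping follows the article's
// summary (GDPR = opt-in, CCPA = opt-out); real deployments need legal review.
const MODEL_BY_REGION = { EU: "opt-in", "US-CA": "opt-out" };

// Categories that load without a consent decision in this sketch (assumption).
const ALWAYS_ALLOWED = new Set(["essential"]);

// Decide whether one script category may load.
// record holds only choices the user actually made: { category: true|false }.
// sensitive marks scripts that process sensitive personal data; the hybrid
// rule then demands explicit opt-in regardless of the regional default.
function mayLoad(category, region, record, sensitive = false) {
  if (ALWAYS_ALLOWED.has(category)) return true;
  // Own-property check so inherited keys never count as a stored choice.
  const choice = Object.prototype.hasOwnProperty.call(record, category)
    ? record[category]
    : undefined;
  // Unknown regions fail closed to the stricter model.
  const model = sensitive ? "opt-in" : (MODEL_BY_REGION[region] || "opt-in");
  if (model === "opt-in") return choice === true; // silence means no
  return choice !== false;                        // silence means yes
}

// Split a page's third-party tags into those to load and those to hold back.
function partitionScripts(scripts, region, record) {
  const load = [];
  const blocked = [];
  for (const s of scripts) {
    const ok = mayLoad(s.category, region, record, s.sensitive);
    (ok ? load : blocked).push(s.src);
  }
  return { load, blocked };
}

// Constructed sample tags (not real vendors).
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.example/app.js", category: "essential" },
  { src: "https://pixel.example/p.js", category: "marketing" },
  { src: "https://stats.example/a.js", category: "analytics" },
  { src: "https://health.example/h.js", category: "analytics", sensitive: true },
];
```

The same visitor record produces different results per region: with no stored choices, an EU visitor gets only the essential script, while a California visitor gets everything except the tag marked sensitive.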
CMPs can track and record visitors, and they can alert companies to issues that could put them at risk of violating various data privacy regulations. In addition, CMPs can display easy-to-understand cookie banners that request consent for data collection and provide information to users on what information is collected and how it will be used, building transparency and trust from the first time a visitor opens the webpage.
Other benefits of using a consent management platform include:
- Quickly handling data subject access requests (DSARs). The GDPR provides people with what’s known as “the right to access,” and the CCPA has established similar rights, enabling EU residents to learn what an organization knows about them and how it uses that information by submitting a request. Companies are obligated to respond, which can be burdensome, particularly if there is an influx of requests or information isn’t stored in one place. Automated workflows help companies better manage DSARs.
- Streamlining operations. Companies can create a central repository of compliant consent responses to use across departments and the company overall.
- Spending team members’ time and resources elsewhere. Implementing a CMP can save time and resources because it automates the consent process and stays up to date with regulation changes, no matter where you’re located or where you do business. Company IT departments can rest assured they’re protecting users' data while also meeting global regulations.
- Building trust with customers and potential customers. When customers feel like a company is looking out for their best interests, it creates a positive experience that they tend to share with friends, family, and even strangers.
- Meeting your company’s needs with custom-built solutions. When it comes to consent management, one size doesn’t fit all. That’s why it’s crucial to find a CMP that offers flexibility and can help you meet your goals with minimal (if any) interference with your company’s overall goals and objectives. Features like the ability to change the language of your consent messaging, vendor risk monitoring, policy change detection, and speaking to a team of experts can help make consent management easier to oversee.
Get peace of mind with a CMP
We get it. Data privacy laws, data collection, and cookie and consent management can leave your mind swimming, especially if you’re not an expert in these fields. And it can feel like a moving target to try and comply with the laws of more than 40 countries while also running your business.
A consent management platform can give both customers and business owners peace of mind. Not only are you ensuring your business is compliant with GDPR, CCPA, and other regulations, but you’re also guaranteeing vendors and others you do business with aren’t putting your company at risk of noncompliance.
Osano has intelligent consent, which automatically displays and enforces consent requirements based on the geolocation of each visitor to your website. With 40+ supported languages, third-party blocking, and alerts for issues that pop up, business owners can sleep well knowing Osano has got their back.
Try Osano for Free
We hope we’ve answered your questions about consent management platforms, but if you have more questions. You don’t have to try and navigate complex policies and regulations alone.