April 1, 2022
Using the internet to do business isn’t new. But as people increasingly share personal data online — whether through online shopping, education, banking, bill paying, social media, or even just browsing — consent management has become a buzzword that can’t be ignored.
For companies, the discussion on consent management has centered around rapidly evolving data privacy laws and how to maintain compliance as the landscape changes. Adding to the complexity is that most online businesses no longer cater to a specific geographical region. It can be challenging to understand what data you can collect and whether and how to store it.
Increasingly, the conversation has expanded to how much control a customer has over their own online footprint, how they can safeguard it from use and update their preferences as they wish.
Collecting customer data for advertising or other services creates a web of personal data. In this guide, we outline consent management in its various forms and how companies can benefit from building a solid consent management framework, along with the difference between consent management in the US and the EU, what a cookie consent management platform is, and the benefits of using a consent manager.
At its most basic level, consent management informs users how your business collects and uses data and provides them with the opportunity to consent or refuse such use. This can be a process, system, policy, or set of policies, and compliant consent management generally consists of implementing more than one best practice.
The key to a consent management framework is ensuring compliance with existing data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Passed in 2016 and 2018 in the European Union and in California, respectively, both govern how personal data can be processed and transferred. They started a sweeping movement for companies to implement and adhere to consent management, as non-compliance can result, and has resulted, in serious fines and penalties.
While other data protection laws are springing up, such as Brazil’s Lei Geral de Proteção de Dados (LGPD), most take inspiration from their predecessors — GDPR and CCPA.
The European Union (EU) has led the charge with privacy regulations and still has the strictest laws with the steepest penalties. Designed to “protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,” the GDPR is regarded as the most significant model legislation throughout the world.
The legislation outlines protection and accountability principles related to data processing and security not just for countries in the European Union but also for all companies that serve users in EU member countries. It lists the instances in which it’s legal to collect and process personal data and requires transparency about how that information is handled.
The Cookie Law requires businesses to inform users about cookie use and to give them an opportunity to refuse those cookies. When the directive went into effect, several solutions to meet the regulation popped up, including plug-ins for websites. Many companies still use these tools today; however, they’re generally not sophisticated enough to meet the stringent rules of the GDPR, which has specific language around gaining opt-in consent (we’ll get to types of consent later).
Soon to be replaced by the California Privacy Rights Act (in 2023), the California Consumer Privacy Act also established data privacy rights that enable users to request data be deleted or corrected. Like the GDPR, the regulation applies to all businesses that have users in the state, not just businesses headquartered there.
Businesses are required to provide certain notices to consumers before collecting personal data, allow consumers to opt-out, and provide a “Do Not Sell My Personal Information” link. Many of the other stipulations mimic the GDPR, but unlike the GDPR, some businesses are exempt based on size, how much data they buy, receive, sell, or other factors.
There are many reasons every company should take consent management seriously:
The GDPR allows the EU’s Data Protection Authorities to issue fines of up to $24.1 million (€20 million) or 4% of annual global turnover, whichever is higher. Businesses in violation of the CCPA are subject to fines of $2,500 for each violation or $7,500 for each intentional violation if they fail to remedy the violation within 30 days of notification of noncompliance.
There are three approaches to the type of consent a company provides: opt-in, opt-out, or hybrid. All share a common thread in that they obtain consent to collect, use, and disclose personal information.
Most commonly recognized by US consumers, opt-out is a method in which companies divulge that they collect and use data and allow users to opt-out if they wish. With this option, a user must take an action, like unchecking a pre-checked box or filling out a form to withdraw their consent for data to be collected and used.
An article published by the Information Technology & Innovation Foundation suggests that “the overwhelming evidence shows that in most cases opt-out rules for data collection and sharing are better for innovation and productivity while still protecting privacy.”
The CCPA requires websites to disclose the information they collect and its purpose, but it doesn’t stipulate the method in which this is achieved.
It’s important to note that the opt-out method is no longer accepted in the European Union, making opt-in the go-to method for companies who operate internationally as they work to maintain compliance with privacy regulations. The GDPR requires that users actively opt in to the use of their data (and be able to opt out again later), and if you’re processing sensitive personal data, explicit consent via an opt-in method is required.
With opt-in consent, users must take an action to confirm their consent to collect and use information. Companies use this method for opting in to cookies, subscriptions, and more. This option is less common in the US because it makes companies responsible for obtaining consent before processing, rather than users granting consent by default. As states and other geographic regions implement data privacy and management policies, relying solely on default (opt-out) consent will become more challenging. Doing so could put a company at risk of falling out of compliance.
Requiring users to manually consent to some or all of a company’s data collection and use policies gives consumers greater control over their data and its use, and having a user-friendly policy can help build trust and loyalty.
GDPR requires consent to be opt-in, while the CCPA only stipulates that consumers have the right to opt out, “meaning, the right to tell a business to stop selling their personal information,” the California Department of Justice notes.
Because the privacy landscape is rapidly evolving, sometimes the answer to “which option is right for my company?” isn’t clear. A hybrid approach incorporates elements of both opt-in and opt-out models, depending on the type of data being collected and how that data is being used.
An example of a hybrid model would be a company using an opt-out method unless it's collecting sensitive personal information. In that instance, the company would switch to opt-in and receive a user’s explicit consent to collect and process personal data. A hybrid model can provide companies with a solution to be legally compliant with GDPR, CCPA, and other standards while giving users control of their data privacy — a win-win.
As its name implies, a consent management platform (CMP) is a tool that collects and manages user consent and passes the information downstream to third-party vendors. CMPs automate the consent process, obtain permission for using cookies to track data, and allow users to update their preferences easily.
CMPs comply with ever-changing data privacy laws, helping businesses stay compliant while meeting their business goals. For example, if a company uses third-party apps, such as pixels or social media, scripts are blocked until the user consents to cookies. This keeps third parties from unintentionally making a website non-compliant with privacy regulations.
CMPs can track and record visitors, and they can alert companies to issues that could put them at risk of violating various data privacy regulations. In addition, CMPs can display easy-to-understand cookie banners that request consent for data collection and provide information to users on what information is collected and how it will be used, building transparency and trust from the first time a visitor opens the webpage.
Other benefits of using a consent management platform include:
We get it. Data privacy laws, data collection, and cookie and consent management can leave your mind swimming, especially if you’re not an expert in these fields. And it can feel like a moving target to try and comply with the laws of more than 40 countries while also running your business.
A consent management platform can give both customers and business owners peace of mind. Not only are you ensuring your business is compliant with GDPR, CCPA, and other regulations, but you’re also guaranteeing vendors and others you do business with aren’t putting your company at risk of noncompliance.
Osano has intelligent consent, which automatically displays and enforces consent requirements based on the geolocation of each visitor to your website. With 40+ supported languages, third-party blocking, and alerts for issues that pop up, business owners can sleep well knowing Osano has got their back.
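The hybrid model described earlier (opt-out by default, opt-in for sensitive data) and the geolocation-based enforcement and third-party script blocking described in the CMP sections can be modelled as a small policy engine. The following is an added example, not Osano's code or any product's implementation; the region codes, consent categories and sample script list are constructed assumptions.

```javascript
// Added example (not Osano's code): a small consent policy engine modelling the
// hybrid opt-in/opt-out approach and the third-party script blocking described above.
// Region codes, categories and the sample script list are constructed assumptions.
const OPT_IN_REGIONS = new Set(["EU", "UK"]);        // assumption: GDPR-style opt-in regimes
const SENSITIVE = new Set(["health", "biometric"]);  // assumption: always needs explicit opt-in
const CATEGORIES = ["essential", "analytics", "marketing", "health"];

// Default consent for a category before the visitor has made any choice.
function defaultConsent(region, category) {
  if (category === "essential") return true;   // strictly necessary: no consent required
  if (SENSITIVE.has(category)) return false;   // hybrid rule: sensitive data is opt-in everywhere
  return !OPT_IN_REGIONS.has(region);          // opt-in region starts denied, opt-out region allowed
}

// Build a visitor's consent record: explicit choices override regional defaults,
// but "essential" can never be switched off and unknown categories are ignored.
function buildConsent(region, choices = {}) {
  const record = {};
  for (const c of CATEGORIES) {
    if (c === "essential") record[c] = true;
    else if (Object.prototype.hasOwnProperty.call(choices, c)) record[c] = Boolean(choices[c]);
    else record[c] = defaultConsent(region, c);
  }
  return record;
}

// Decide which tags may run. A script whose category has no recorded consent
// (including unknown categories) is blocked, so the gate fails closed.
function gateScripts(scripts, consent) {
  const allowed = [];
  const blocked = [];
  for (const s of scripts) {
    (consent[s.category] === true ? allowed : blocked).push(s.src);
  }
  return { allowed, blocked };
}

// Constructed sample of the third-party tags a CMP would hold back until consent is known.
const SAMPLE_SCRIPTS = [
  { src: "https://example.test/essential.js", category: "essential" },
  { src: "https://example.test/analytics.js", category: "analytics" },
  { src: "https://example.test/ad-pixel.js", category: "marketing" },
  { src: "https://example.test/health-widget.js", category: "health" },
];
```

In a real deployment the blocked entries stay inert (for instance as non-executable script tags) until the visitor's choice changes the consent record, at which point the gate is re-evaluated.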
We hope we’ve answered your questions about consent management platforms, but if you have more questions, you don’t have to try and navigate complex policies and regulations alone.
Are you interested in a demo or free trial? Sign up or compare plans.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”