The European Union’s General Data Privacy Regulations (GDPR) and the California Consumer Privacy Act (CCPA) get the headlines, but two-thirds of countries globally have enacted their own privacy regulations. Another 10% of countries worldwide have pending legislation. In the US, more than a dozen states have recently passed or are considering legislation.
These laws create a complex web of compliance regulations that are constantly evolving. Already, the CCPA has been amended by the California Privacy Rights Act (CPRA). In legal test cases, the Court of Justice in the EU has broadened interpretations of the GDPR. The Privacy Shield framework, developed jointly by the EU and US for US companies to process data for EU citizens, was struck down in court.
Trying to stay on top of this ever-changing landscape can be a nightmare for publishers, especially when there are significant penalties for failing to comply. Up to the beginning of 2021, EU regulating bodies have assessed €272 million ($322 million) in GDPR fines.
Obtaining privacy consent and consent management has become a top issue for publishers. To manage consent compliance, publishers have turned to consent management platforms (CMPs). Let’s take a look at what a CMP is, who needs it, and why it matters to publishers by answering some of the most frequently asked questions.
What is a Consent Management Platform (CMP)?
A consent management platform (CMP) is an easy way for websites to protect users' data privacy and remain compliant with privacy laws.
A CMP obtains user consent for collecting tracking data during a visit. By automating the process, and taking appropriate action if a user does not consent, brands and publishers can more easily manage the entire compliance process.
A CMP informs visitors about what data will be collected and how it will be used. A CMP also creates an audit trail showing user consent and provides a framework for complying with tenets of the GDPR, such as requests for alterations, access, or erasure of data.
How Do Consent Management Platforms Work?
A CMP provides four core functions:
- Consent: Provides consumers with the appropriate notice required for the collection and processing of personal data.
- Privacy: Gives consumers the option to exercise consent and interest preferences at a granular level rather than saying yes/no to blanket requests.
- Capturing: Records consumer preferences in a compliant format to share with any approved partners.
- Audit: Creates the required audit logs to prove compliance with regulations.
A CMP supports the entire lifecycle for website visitors. At the first interaction, it informs visitors that the website collects data and provides details on how the information will be processed. Users can opt in or out at a granular level.
After collecting the consent, the CMP will record user selections, including data such as:
- Who provided the consent (email, device ID)
- Timestamp of consent
- Details of use consent
- Any notice of changes to consent or withdrawal of consent
Since users under the GDPR can withdraw their consent at any time, you also need to provide the tools for consumers to change their consent settings.
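The record-keeping described above, sketched as an added example (not code from this article or from any CMP vendor): an append-only consent ledger that stores who consented, when, and to what, treats a withdrawal as a new event, and denies by default. The class, the purpose names and the `noticeVersion` field are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not a real CMP's API.
const PURPOSES = ["analytics", "personalization", "advertising"]; // assumed purposes

class ConsentLedger {
  constructor() {
    this.events = []; // append-only audit trail; entries are never edited
  }

  // Record a grant, change or withdrawal. `choices` maps purpose -> boolean.
  record(subjectId, choices, noticeVersion, now = new Date()) {
    for (const [purpose, granted] of Object.entries(choices)) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      if (typeof granted !== "boolean") throw new Error(`bad choice for ${purpose}`);
    }
    const event = Object.freeze({
      subjectId,                              // who provided the consent
      timestamp: now.toISOString(),           // when it was given or changed
      noticeVersion,                          // which notice text was shown (assumed field)
      choices: Object.freeze({ ...choices }), // per-purpose details
    });
    this.events.push(event);
    return event;
  }

  // Audit view: every event for one subject, oldest first.
  auditTrail(subjectId) {
    return this.events.filter((e) => e.subjectId === subjectId);
  }

  // Default deny, then replay events in order so the latest choice wins.
  currentState(subjectId) {
    const state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    for (const e of this.auditTrail(subjectId)) Object.assign(state, e.choices);
    return state;
  }

  // Gate for tag loading: true only with an affirmative choice on record.
  mayLoad(subjectId, purpose) {
    return this.currentState(subjectId)[purpose] === true;
  }
}

// Constructed sample: opt in to two purposes, then withdraw one a day later.
function demo() {
  const ledger = new ConsentLedger();
  const id = "device-0001"; // constructed identifier
  ledger.record(id, { analytics: true, advertising: true }, "notice-v1", new Date("2021-09-01T10:00:00Z"));
  ledger.record(id, { advertising: false }, "notice-v1", new Date("2021-09-02T08:30:00Z"));
  return { ledger, id, state: ledger.currentState(id), trail: ledger.auditTrail(id) };
}
```

Because the withdrawal is appended rather than overwriting the earlier grant, the trail still shows that advertising consent existed between the two timestamps, while `mayLoad` reflects only the latest choice.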
Why Is Consent Management Important?
If EU visitors come to your website, you need a CMP to comply with the GDPR. You are required to obtain consent before you collect, store, or use consumer data. If you want to collect data for personalization or advertising purposes, for example, you need a CMP to automate the process for you.
While the GDPR does not specifically require a CMP to be in place for compliance, most publishers and brands do not have the resources to build their own consent management platforms.
While the GDPR has the most stringent regulations, other pieces of legislation apply similar — but different — rules. Managing all of the nuances is nearly impossible for in-house teams, even with significant budgets at their disposal. Additionally, privacy laws can have relevance beyond the webpage, such as GDPR implications for email newsletters.
Can We Handle Consent Management Compliance In-House?
Some large enterprises do choose to build and manage an in-house consent management platform, but it’s not the best solution for most brands and publishers. The costs to build, maintain, and manage such a platform on your own can be significant, with dedicated engineering teams and compliance managers needed to monitor the platform and keep it up to date.
Even some large companies struggle when using in-house CMPs. Oracle and Salesforce were hit with class-action suits over their tracking consent practices. A French company was sued because its language was unclear, its opt-ins had pre-checked boxes, and it failed to provide the granular control that is required.
It can be complex to even find all the cookies and trackers on your website. According to a 2020 study published by Cornell University, 72% of cookies are hidden inside other trackers. 18% of trackers load as many as eight additional cookies. Half of these hidden cookies change upon repeat visits.
More troubling, the researchers revealed that 93% of the websites they analyzed had embedded content from third parties located in an area that does not comply with the current legal framework.
If you do choose to create your own CMP, you will also need to register it with the Interactive Advertising Bureau (IAB) Europe and confirm compliance with the Transparency and Consent Framework (TCF).
What is the Transparency and Consent Framework (TCF)?
A coalition of 27 national IABs and 500 companies, IAB Europe manages the TCF, which is a set of standards for meeting the GDPR and other data privacy laws in Europe.
Brands and publishers need to comply with the IAB’s TCF, but also manage both IAB and non-IAB-approved vendors. Not every CMP can do that.
The TCF is another example of how vigilant brands and publishers must be when it comes to evolving compliance regulations. TCF v1.1 was launched in 2018 and revised with v2.0, which took effect in 2020. Publishers and brands complying with v1.1, however, had to completely overhaul their compliance as v2.0 was not backward-compatible.
Won’t My Third-Party Vendor Take Care of Compliance for Me?
Many advertising platforms are still not providing the clear and unambiguous consumer consent required by regulations such as the GDPR. As the Cornell study showed, cookie banners, for example, do not carry consent signals consistently to downstream vendors or maintain the audit trail you need to certify compliance.
A fascinating study by Fou Analytics tracked what happened when someone visited the New York Times website. On August 24, 2021, a visitor to the home page launched 254 ad server requests, which triggered a downstream flow of 127 tracking requests and 92 additional requests across more than 50 different third-party providers.
As a publisher, you have the ultimate responsibility to comply with legislation. If a third-party provider fails to do so, you are liable. By using a CMP instead of relying on vendors, you are better protected.
What Is the Impact of CMP on Revenue for Publishers?
While compliance is a challenge, there is some good news to report. Publisher rates for visitors providing consent are leading to higher CPMs.
When visitors provide affirmative consent, you can trust the data. First-party authenticated user data allows you to customize content and marketing, thereby creating a better experience for the consumer and premium inventory for the publisher.
A study published in Ad Exchanger reported that publishers using a CMP saw an overall 9% lift in CPMs and a 5% increase in fill rates post-GDPR. Those publishers that did not use a CMP saw ad rates drop precipitously.
- Publishers without CMPs lost the ability to track ads effectively and saw CPMs drop by more than 40% and fill rates fall by more than 30%.
- Publishers implementing a CMP rather than sticking with what they already had in place saw the biggest benefits. CPMs grew by 52% and fill rates increased by a third.
VP Marketing, Admiral