The European Union’s General Data Privacy Regulations (GDPR) and the California Consumer Privacy Act (CCPA) get the headlines, but two-thirds of countries globally have enacted their own privacy regulations.
Another 10% of countries worldwide have pending legislation. In the US, more than a dozen states have recently passed or are considering legislation.
These laws create a complex web of compliance regulations that are constantly evolving. Already, the CCPA has been amended by the California Privacy Rights Act (CPRA). In legal test cases, the Court of Justice in the EU has broadened interpretations of the GDPR.
The Privacy Shield framework, developed jointly by the EU and US for US companies to process data for EU citizens, was struck down in court.
Trying to stay on top of this ever-changing landscape can be a nightmare for publishers, especially when there are significant penalties for failing to comply. Up to the beginning of 2021, EU regulating bodies have assessed €272 million ($322 million) in GDPR fines.
Let’s take a look at what a CMP is, who needs one, and why it matters to publishers by answering some of the most frequently asked questions.
FAQs: Privacy Consent Management
- What is a consent management platform (CMP)?
- How do privacy consent management platforms work?
- Why is consent management important?
- Can we handle privacy consent compliance in-house?
- What is the Transparency and Consent Framework (TCF)?
- Won’t my third-party vendor take care of compliance for me?
- What is the impact of CMP on revenue for publishers?
- Will a CMP help with adblockers?
- How can I launch a CMP on my site?
What is a Consent Management Platform (CMP)?
A consent management platform (CMP) is an easy way for websites to protect users' data privacy and remain compliant with privacy laws.
A CMP obtains user consent for collecting tracking data during a visit. By automating the process, and taking appropriate action if a user does not consent, brands and publishers can more easily manage the entire compliance process.
A CMP informs visitors about what data will be collected and how it will be used. A CMP also creates an audit trail showing user consent and provides a framework for GDPR compliance, such as requests for alterations, access, or erasure of data. EU courts have called for increased GDPR monitoring, and continue to raise the bar for privacy consent requirements.
Recent updates and related FAQ:
- Google requires publishers to use a Google-approved CMP.
- TCF 2.2 FAQ: IAB has updated the TCF with key changes necessary to meet EU regulations.
- Global Privacy Platform: IAB has launched the GPP to provide a framework that can manage US privacy requirements on a national level.
- CCPA and CPRA FAQ
How Do Consent Management Platforms Work?
A CMP provides four core functions:
- Consent: CMP provides consumers with the appropriate notice required for the collection and processing of personal data.
- Privacy: Gives consumers the option to exercise consent and interest preferences at a granular level rather than saying yes/no to blanket requests.
- Capturing: Records consumer preferences in a compliant format to share with any approved partners.
- Audit: Creates the required audit logs to prove compliance with regulations.
A CMP supports the entire lifecycle for website visitors. At the first interaction, it informs visitors that the website collects data and provides details on how the information will be processed. Users can opt in or out at a granular level.
After collecting the consent, the CMP will record user selections, including data such as:
- Who provided the consent (email, device ID)
- Timestamp of consent
- Details of user consent
- Any notice of changes to consent or withdrawal of consent
Since users under the GDPR can withdraw their consent at any time, you also need to provide the tools for consumers to change their consent settings.
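The consent record and withdrawal handling described above can be sketched as an append-only log, shown here as an added example that is not code from the original page or from any CMP vendor. The field names, purpose names, and the SHA-256 hash chain used to make the audit trail tamper-evident are assumptions of this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry (assumed convention)

def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, subject, timestamp, purposes, action="grant"):
    """Append a grant/withdraw event; earlier entries are never edited."""
    entry = {
        "subject": subject,        # who: device ID or email (hypothetical field names)
        "timestamp": timestamp,    # when: ISO 8601 UTC string
        "action": action,          # "grant" or "withdraw"
        "purposes": sorted(purposes),  # granular details of the consent
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def current_consent(log, subject):
    """Replay the log to get the purposes the subject consents to now."""
    granted = set()
    for e in log:
        if e["subject"] != subject:
            continue
        if e["action"] == "grant":
            granted |= set(e["purposes"])
        else:
            granted -= set(e["purposes"])
    return granted

def verify(log):
    """Return the index of the first altered entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    return -1

# Constructed sample data, not real consent records.
LOG = []
record(LOG, "device-1234", "2021-08-24T10:00:00Z", ["analytics", "ads"])
record(LOG, "device-1234", "2021-08-25T09:30:00Z", ["ads"], action="withdraw")
```

Because a withdrawal is a new entry rather than an edit, the log still shows when consent was held, and `verify` flags any entry changed after the fact.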
Why Is Consent Management Important?
If EU visitors come to your website, you need a CMP to comply with the GDPR. You are required to obtain consent before you collect, store, or use consumer data. If you want to collect data for personalization or advertising purposes, for example, you need a CMP to automate the process for you.
GDPR does not specifically require a CMP to be in place for compliance. However, most publishers and brands do not have the resources to build their own consent management platforms.
While the GDPR has the most stringent regulations, other pieces of legislation apply similar — but different — rules. Managing all of the nuances is nearly impossible for in-house teams, even with significant budgets at their disposal. Additionally, privacy laws can have relevance beyond the webpage, such as GDPR implications for email newsletters.
Can We Handle Consent Management Compliance In-House?
Some large enterprises do choose to build and manage an in-house consent management platform, but it’s not the best solution for most brands and publishers. The costs to build, maintain, and manage such a platform on your own can be significant with dedicated engineering teams and compliance managers monitoring and keeping the platform up to date.
Even some large companies struggle when using in-house CMPs. Oracle and Salesforce were hit with class-action suits over their tracking consent practices. A French company was sued because its language was unclear, its opt-ins had pre-checked boxes, and it failed to provide the granular control that is required.
It can be complex to even find all the cookies and trackers on your website. According to a 2020 study published by Cornell University, 72% of cookies are hidden inside other trackers. 18% of trackers load as many as eight additional cookies. Half of these hidden cookies change upon repeat visits.
More troubling, the researchers found that 93% of the websites they analyzed had embedded content from third parties that are located in an area that does not comply with the current legal framework.
If you do choose to create your own CMP, you will also need to register it with the Interactive Advertising Bureau (IAB) Europe and confirm compliance with the Transparency and Consent Framework (TCF).
See also: Best Practices for Choosing a CMP
What is the Transparency and Consent Framework (TCF)?
A coalition of 27 national IABs and 500 companies, IAB Europe manages the TCF, which is a set of standards for meeting the GDPR and other data privacy laws in Europe.
Brands and publishers need to comply with the IAB’s TCF, but also manage both IAB and non-IAB-approved vendors. Not every CMP can do that. Admiral Consent is the first blocker-aware CMP and one of the few available under TCF that can handle both IAB and non-IAB vendors.
The TCF is another example of how vigilant brands and publishers must be when it comes to evolving compliance regulations. TCF v1.1 was launched in 2018 and revised with TCF v2.0, which took effect in 2020. Publishers and brands complying with v1.1, however, had to completely overhaul their compliance as v2.0 was not backward-compatible.
See more: TCF v2.2 framework and frequently asked questions.
Will My Third-Party Vendor Take Care of Compliance for Me?
Many advertising platforms are still not providing the clear and unambiguous consumer consent required by regulations such as the GDPR. As the Cornell study showed, cookie banners, for example, do not carry consent signals consistently to downstream vendors or maintain the audit trail you need to certify compliance.
A fascinating study by Fou Analytics tracked what happened when someone visited the New York Times website. On August 24, 2021, a visitor to the home page launched 254 ad server requests, which triggered a downstream flow of 127 tracking requests and 92 additional requests across more than 50 different third-party providers.
As a publisher, you have the ultimate responsibility to comply with consent legislation. If a third-party provider fails to do so, you are liable. By using a CMP instead of relying on vendors, you are better protected.
What Is the Impact of CMP on Revenue for Publishers?
While compliance is a challenge, there is some good news to report. Visitors who provide privacy consent are earning publishers higher CPMs.
When visitors provide affirmative consent, you can trust the data. First-party authenticated user data allows you to customize content and marketing, thereby creating a better experience for the consumer and premium inventory for the publisher.
A study published in Ad Exchanger reported that publishers using a CMP saw an overall 9% lift in CPMs and a 5% increase in fill rates post-GDPR. Those publishers that did not use a CMP saw ad rates drop precipitously.
- Publishers without CMPs lost the ability to track ads effectively and saw CPMs drop by more than 40% and fill rates fall by more than 30%.
- Publishers implementing a CMP rather than sticking with what they already had in place saw the biggest benefits. CPMs grew by 52% and fill rates increased by a third.
Related: How GDPR Can Boost Your Business
Will a CMP Help with Adblockers?
For many adblock users, privacy and consent are key motivators for their behaviors. Studies have shown a positive correlation of known and/or consenting users to CMP rates, as well as greater conversions to paid subscriptions and more. Admiral's Visitor Relationship Management platform provides a unique engagement and automation layer to leverage the knowledge of both the user's consent choices and value-exchange choices, to maximize long-term average revenue per visitor (ARPV).
For example, Admiral politely asks consumers to turn off adblockers before granting access to content. Surveys show that nearly a third of consumers are unaware they are blocking ads. Many are happy to pause adblocking on their favorite websites when asked. (See: The Unaware Adblocker)
When people do turn off their adblocker, you can serve more customized content based on first-party data and this is the best way to maintain or grow higher CPMs.
If consumers choose to keep blocking ads and opt out of customized content, you can also use ad reinsertion to recover some of the potential revenue loss. Ads served using ad reinsertion will generate revenue, but at lower CPMs that are more similar to remnant inventory rates.
The best practice for the highest revenue recovery is to use multiple adblocking methods. (See: Adblock Recovery Methods Comparison Case Study)
How Can I Launch a CMP on My Site?
Admiral makes it easy to launch a CMP on your website. With our industry-leading CMP platform, you get:
- Certified CMP consent management. A Google-approved CMP for GDPR compliance.
- Single tag installation, with built-in adblocker monitoring
- Configurable messaging and consent types to maximize transparency and conversion
- Targeting and segmentation including location-based and site-specific traffic
- Reporting to help monitor conversion tracking and GDPR revenue impacts
- Cross-platform support including mobile web
Admiral is GDPR, GPP, CCPA, and IAB TCF compliant to ensure you deliver an optimal customer experience and remain compliant with evolving data privacy rules.