We learned in Part 1 of this blog post why you can't avoid using a professional consent management solution if you want the management of your users' data and consent to be legally compliant. But how does all of this work and which Consent Management Platform (CMP) is right for you? Let's take a closer look at that now.
In order to collect data from website visitors – whether for personalization or just to improve functionality – you must first obtain consent from your users. This consent is normally collected via a pop-up banner or a cookie wall. Once consent has been given, the cookie that will collect the relevant data may be set. The action that triggers the setting of a cookie is controlled by the CMP. It is important to remember that the cookie may only be set when the checkbox has been clicked and consent given. Until then, it is not permitted under the General Data Protection Regulation (GDPR). As soon as the checkbox has been activated, the cookies can be loaded in the background, depending on the user's selection and restrictions.
To attract the user's attention when they arrive at a website, entry pop-up banners appear in a new window over the web page they're currently browsing. These show an opt-in form that interrupts their browsing.
A cookie wall is similar to a pop-up banner, but explicitly asks the user to accept cookies in order to continue using the website.
So much for the technical workflow, but the devil is in the detail here too. The user must be provided with information about what happens in the background, what data is collected and for what purposes – all in a way that is easy to understand. This explanation or consent declaration should ideally be associated directly with the consent. This is the only way you can check and prove which consent is currently valid for which context in the event of an update or change taking place.
Four steps to legally compliant data usage
In the first step, you should think about exactly what data you absolutely need and how you intend to process it, because every change, whether due to new laws or new technical capabilities, alters the procedure for setting cookies. The use of a CMP that is compliant with the requirements of IAB Europe and its Transparency and Consent Framework (TCF) can make things easier and is definitely recommended when using several different vendors for online marketing. Apple recently caused a stir in this regard when it announced a change to its App Tracking Transparency feature (iOS 14 ATT) that not only allows users to set their iPhones to block tracking completely, but also altered or removed relevant identifiers in apps, which means that the entire consent functionality may have to be revised.
From both a technical and data protection perspective, there are some requirements that must absolutely be met when using personal data. Here is a summary of the most important ones:
- Consent before cookie: users must be able to refuse the use of their data at the highest level. However, if cookies have already been set at that point, this will no longer be possible. Therefore always: ask first, then take action!
- Consent must be voluntary and explicit. A preselected checkbox is only allowed for technically necessary cookies. What counts as technically necessary is not open to interpretation: it covers only cookies that do not collect data for any purpose other than enabling the user to use the site. And no, a personalized landing page with individual offers is not considered technically necessary.
- It must be possible to withdraw consent at any time. What is particularly important here is that, if a user changes their consent, it must be recorded in real time in the CMP and its documentation kept up to date.
- The design of the opt-in and opt-out must be similar; opting out should not be more difficult than opting in.
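The requirements above (consent before cookie, withdrawal recorded immediately, consent tied to the declaration it was given for) can be sketched as a small gate in front of the cookie store. This is an added example, not code from any CMP product; `ConsentManager`, the purpose names and the version labels are hypothetical, and a `Map` stands in for the browser's cookie store so the logic can be run outside a browser.

```javascript
// Added example; ConsentManager, the purpose names and version labels are hypothetical.
const NECESSARY = "necessary"; // the only purpose that needs no opt-in
class ConsentManager {
  constructor(declarationVersion) {
    this.declarationVersion = declarationVersion; // consent text currently shown
    this.cookies = new Map(); // stand-in for the browser cookie store
    this.current = null;      // latest consent record, null until the user decides
    this.log = [];            // append-only trail used to prove consent later
  }
  // Store the user's selection together with the declaration version it refers to.
  record(purposes, at = new Date().toISOString()) {
    const version = this.declarationVersion;
    this.current = { purposes: new Set(purposes), version, at };
    this.log.push({ event: "consent", purposes: [...purposes], version, at });
  }
  // Withdrawal applies immediately: update the record, log it, drop the cookies.
  withdraw(purpose, at = new Date().toISOString()) {
    if (!this.current) return;
    this.current.purposes.delete(purpose);
    this.log.push({ event: "withdraw", purpose, version: this.current.version, at });
    for (const [name, c] of this.cookies) if (c.purpose === purpose) this.cookies.delete(name);
  }
  // Consent counts only if it was given for the declaration version now in force.
  isAllowed(purpose) {
    if (purpose === NECESSARY) return true;
    const c = this.current;
    return c !== null && c.version === this.declarationVersion && c.purposes.has(purpose);
  }
  // Ask first, then act: refuse to set a cookie whose purpose has no valid consent.
  setCookie(name, value, purpose) {
    if (!this.isAllowed(purpose)) return false;
    this.cookies.set(name, { value, purpose });
    return true;
  }
}

// Constructed walk-through: before consent, after opt-in, after withdrawal, after a text change.
function demo() {
  const cmp = new ConsentManager("v1");
  const before = cmp.setCookie("_stats", "abc", "analytics");
  cmp.record(["analytics"]);
  const after = cmp.setCookie("_stats", "abc", "analytics");
  cmp.withdraw("analytics");
  const withdrawn = cmp.cookies.has("_stats");
  cmp.record(["analytics"]);
  cmp.declarationVersion = "v2"; // declaration updated: old consent no longer applies
  const stale = cmp.isAllowed("analytics");
  return { before, after, withdrawn, stale, events: cmp.log.length };
}
```
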
Which CMP is the right one?
There is no standard method of selecting and implementing a CMP, or one CMP that covers everything and every application. The individual customer touchpoint and the downstream processes influence the decision on whether a standardized or a customised solution is the best choice. In some circumstances, a simple solution that just manages consent may be sufficient. In the case of a webshop or an internet portal that displays third-party advertising, you will be better served with a professional solution, perhaps even one with the Transparency and Consent Framework (TCF) already built in. The benefits are clear: standards are maintained, changes in the market are taken into account, and regular updates ensure stable operation. You can rely on being compliant for the foreseeable future. If more channels are added that collect opt-ins or provide opt-outs, other factors come into play. Are both on- and offline channels used? How is the information collected – is a combination of paper-based records, voice-based records and electronic inputs used? If so, it is common to deploy several solutions in combination with each other. To avoid losing the overview and prevent any escalation of maintenance and operating costs, you should clearly define your most important requirements before making a final decision. The question is, therefore, which CMP matches my requirements, and do I need one or perhaps several CMPs that can be combined on a central platform?
In addition to the more obvious requirements, it is important to look to the future and decide on a solution that will last. Don't just focus on the CMP solution itself but also on how it will integrate into your existing infrastructure and process landscape. At b.telligent, we are fortunate to have two specialist competence centres working in this field: Customer Engagement & MarTech and Data Strategy & Governance. We'd be happy to support your requirements analysis and decision-making or even to be directly involved with solution implementation.
Don't hesitate to get in touch and take the first step towards legally compliant data use!