Lacking Privacy: Consent Management Platforms are Only Part of the Privacy Picture
The adoption of data regulations around the globe, particularly the GDPR in the EU and California’s initial regulations, the CCPA, means organizations are now required to present a legal basis for data processing. Since user consent is one of the six legal bases outlined in Article 6 of the GDPR, companies almost always choose that route to justify collecting and processing user data.
All those pop-ups and bottom bar notices about cookies and data collection you see when you go to a new website? That’s the end result of how companies are managing consent and trying to comply with data regulation requirements. There is of course much more going on under the surface than that, but the bars are what consumers can see.
To help make that complex process smoother, Consent Management Platforms (CMPs) have emerged to document and manage user consent choices. With user consent, companies can then (within predefined and necessary purposes) legally collect, share, or sell user data they get from online sources like websites and apps.
Although the wording and clarity of some consent notices can be argued, especially given the GDPR explicitly defines lawful consent requests, their presence is a step forward and net positive in the privacy world for both companies and consumers. Because of this, some companies may think a CMP is the only privacy feature they need to become compliant, but that is not universally correct, and in most other cases will not lead to an effective privacy program within an organization.
In reality, CMPs only cover a limited part of the privacy spectrum and don’t act as a failsafe to stop organizations from reneging on any promises to not track, process, or sell data. Here is a breakdown of the tasks CMPs do and don’t fulfill:
What CMPs do:
- Inform users in detail of how and why their data is being collected and who will potentially have access to it, before offering them an opt-in or opt-out
- Allow companies to track and manage all user consent choices
What CMPs don’t do:
- Prevent companies from illegally or unethically collecting or using personal data
- Foster data transparency throughout an organization
- Manage or classify data after it is collected
- House the data securely or track where it is housed
- Allow organizations to delete already-shared data when a user withdraws consent
- Satisfy other GDPR requirements like Record of Processing Activities (RoPA) Reports and Risk Assessments
In fact, Consent Management as both a privacy feature and a basis for CMPs will likely undergo significant change in the next few years, as Google has long stated its intent to get rid of cookies. Although Google has delayed that initiative several times, and now until late 2024 to ensure it protects user privacy rights, the day will eventually come when cookies are no more.
That is a problem for CMPs, since cookie-based tracking is a big part of how they typically operate. This reality already diminishes their effectiveness, since many users have disabled cookies in their browsers, making tracking and managing those users’ consent a complex task.
Seeing as Consent Management already has trouble with cookie tracking and fails to help cover such a wide range of data privacy initiatives, it cannot be the only privacy feature in an organization’s stack.
For the limitations listed above, there are other features that complement Consent Management to ensure robust and healthy data governance: Data Subject Request (DSR) Management and Data Mapping.
The former is another GDPR requirement, as individuals have the right to contact organizations and request to see and delete the data said organization has on them. If Consent Management handles the start of data collection, DSR Management handles the end of the cycle, when individuals take back their data that companies no longer need or are justified to hold.
The majority of Data Protection Officers and data privacy employees will be much more experienced in DSRs and privacy requests than consent requests, considering DSRs are ongoing while consent is more static.
Data Mapping, while not a data regulations requirement, has come to be perhaps the most comprehensive solution for establishing a good privacy program and ensuring full compliance. It does this by providing an accurate overview of where data is housed and who has access to it, which also makes it easier to know why the data is there at all.
Data Mapping, when done well, also carries the added advantage of easing the burden on DPOs, who can use the insights to help complete GDPR requirements like the aforementioned RoPA reports and risk assessments without painstaking manual processes.
When taken together, Consent Management, Data Mapping, and DSR Management make for a strong and transparent culture of compliance.
A single privacy feature on its own will handle a specific task, but cannot cover multiple regulatory requirements. This is especially true of Consent Management, which gets a lot of attention since it provides a legal basis for and represents the start of a data cycle.
While not all companies have come around to the vital role data privacy and compliance play in today’s business environment, the truth is that businesses that are blasé about privacy and satisfy only the bare minimum requirements will fall behind as privacy becomes more top of mind for consumers and governments alike.