Regulations such as the GDPR, CCPA, and frameworks such as IAB TCF, have dramatically changed the digital privacy landscape for the better. They set the standard that continues to this day for providing transparency and choices for how their data is used and shared with third-parties.
Additionally, today’s consumers are increasingly concerned with protecting their personal data. Additionally, customers also demand more personalized experiences. This creates a challenge for marketers, advertisers and publishers to respect their customers’ privacy while also capturing consent driving opt-ins, and delivering compelling user experiences. OneTrust provides the toolset for companies to bring privacy and personalization together through transparency, choice, and trust.
Companies have an opportunity to embrace the new norm the digital privacy transformation has ushered in and give themselves a competitive edge by doing so. In fact, 70% of customers say trusting a brand is more important now than ever before. For every dollar spent on consent and preference management, businesses see an average 40% return.
Understanding Regulatory Requirements
Growing concerns over consumer privacy have inspired global regulations that govern how businesses capture and share customer data. The GDPR and CPRA are the most well known.
Among other requirements, these data privacy regulations obligate businesses to collect user consent for data gathering, storage, and use. The way organizations must do this is through the deployment of a cookie banner or consent management platform across their digital properties.
Although the requirement to gather consent via a cookie banner is shared by all privacy regulations, there are differences in application with them all, too. For example, how to display a cookie banner on a website — and what the content should say inside of it — varies by law.
These nuanced obligations can be confusing for privacy professionals and marketers. Navigating them to execute a well-rounded privacy and consent management program is necessary, but tricky.
The best way to prepare is to understand what’s required under the GDPR and CPRA, the two major privacy laws. These are the most conservative and detailed of the existing and planned privacy legislations. Meeting their requirements will best help you prepare to comply with future legislation.
GDPR and Consent Management
For businesses operating in the European Union (EU), the GDPR provides consumers with control over how their data is collected, stored, and shared by using an explicit opt-in model.
The GDPR is strict when it comes to consent management. Consent must be specific, clear, and in plain language. It’s not allowed to be hidden in legal notices or in groups of other notices. Your organization also has to be able to prove to the governing authorities in detail that users have given you consent to collect, store, and manage their data.
The GDPR sets a high bar for consent management that the CCPA — and its upcoming version the CPRA— used to fashion their own legislation.
CCPA/CPRA and Consent Management
In the United States, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Following the lead of the GDPR in the EU, it’s the most comprehensive law on consumer privacy regulations to date in the U.S.
Unlike its European counterpart, the CCPA follows an opt-out model when it comes to consent management. Users are able to opt out of the sale of their personal information. Also, organizations must present a clear and easy way for them to do so.
Now organizations are preparing for CCPA 2.0, the stricter California Consumer Privacy Act (CPRA) that will go into effect in 2023.
Knowing what regulatory requirements your organization falls under and what each one requires is an important first step in consent management. But you must also be aware of how third-party decisions — such as browsers phasing out the use of third-party cookies — affects your use of cookie banners.
Regulations Growing Rapidly
Although the CCPA and GDPR have received most of the attention when it comes to privacy regulations, other countries and U.S. states have also passed major pieces of similar legislation in the recent past.
- Brazil has enforced its LGPD
- Italy has passed its AEPD
- Virginia’s CDPA has passed into law
- Colorado has passed its CPA
It’s important for companies doing business in these locations to understand the implications of these laws. In fact, it’s essential organizations stay abreast of the regulations that are pending or have passed in their part of the world and in their part of the country.
The Tech Industry’s Role in Consent Management
While privacy legislation has played a significant role in shaping consent management, outside forces have also contributed. The tech industry is setting new standards and requiring organizations to adapt to their changes.
Facebook designed their LDU feature to help advertisers stay compliant with the CCPA. By adding a line of code to the Facebook tracking pixel already installed on your website, the LDU feature will automatically detect if a user is a California resident.
It will then automatically limit the way that user’s data is stored and processed in a Facebook advertiser account.
The benefit to advertisers is the manual process of identifying these particular users in order to comply with this specific legislation is lifted off their shoulders.
Apple iOS 14.5
In April 2021, Apple released one of the largest privacy upgrades to its software: iOS 14.5.
The update addressed one of the most heavily leaned on features of mobile advertising to date. Known as Identifier for Advertisers (IDFA), it’s responsible for tracking users across apps to personalize ads and shed light on attribution.
Instead of IDFA being automatic, App Tracking Transparency — the new privacy feature in the iOS 14.5 update — requires apps to request permission from its users to be tracked across other apps and websites.
Now users have the option to reject upfront, which impacts tracking capabilities for publishers and advertisers.
In 2023, Google is planning to deprecate the use of third-party cookies on its Chrome browser. This feature has also been a mainstay of online advertising for at least a decade. Losing it as an option forces advertisers to consider other avenues of gathering data and customizing messaging, such as seeking first-party data by building trust and transparency with users.
Global privacy control
The Global Privacy Control (GPC) was developed by a combination of publishers, tech companies, and browser developers to create a global setting in browsers, allowing consumers to use it as a method to opt out of the sale of personal information. OneTrust is one of the first consent management platforms that allows customers to integrate GPC into their CMP and as a result, websites automatically accept the visitor’s signal preferences.
Consent Management Solutions: Best Practices
Thanks to regulations and the tech industry, today’s consumers are more connected, cautious, and concerned about their privacy than ever before.
As a result of this shift to a privacy-focused world, users now expect brands to provide a level of privacy-controlled personalization. And while many organizations want to support this operational change, it’s often been easier said than done.
In order to master consent management, brands can follow a roadmap of steps that will set them up for success in this area — both now and in the long run.
Audit your website
Understanding what legislation applies to your location is the first step. Next, it’s time to set up your cookie banner. But before you can do that, complete a scan of your website. This will allow you to get a complete view of the cookies, beacons, pixels, and other tracking technologies that live there behind the scenes.
You can’t ensure consumers are opting in to the right things if you don’t have a comprehensive understanding of cookies and tracking technologies. Performing an audit automatically detects and categorizes a complete list of cookies and tracking technology so you’re covered.
Design your cookie banner
Once you know what to include in your cookie banner, it’s time to set one up. Organizations have the ability to make consent banners match their brands and display them in different formats. You can even add code if you want to customize it past the basics.
However you choose to design your cookie banner, your priority should be making it a user-friendly experience. This has been shown to increase opt-in rates with users.
Set up your consent banner
Hundreds of countries have enforced privacy laws for consent management. Your consent banner should support whatever legislation is relevant to the location in which the user is viewing it.
Since you’re displaying a different consent banner for different user locations, it’s also a good idea to set up the banners in that location’s most common language. After all, if users can’t read what they’re opting in for, they’re probably not going to take action.
With that squared away, it’s time to launch your cookie banner.
Most consent management platforms allow you to add a line of script to your website that pushes your banner live. A modern solution will also integrate with your content management system (CMS), tag manager, and other MarTech systems to create a seamless and painless implementation.
Double check logistics
Each piece of your consent management may be ready to go, but without the logistics firing correctly on the backend, you can’t make the right consent banner show to the right person at the right time based on location.
Since most privacy legislation doesn’t allow you to track users until after you’ve gained explicit consent from them, you must block those trackers until that time comes.
This is hard to do without a consent management platform. With one, though, you’ll be able to prevent tracking scripts from loading until the user consents. Typically, there’s little-to-no manual work or extra code required, either.
Just because you think your consent banner is ready doesn’t mean your users do. Optimizing it to increase opt-ins over time is one of the most important aspects of a consent management program.
A consent management platform will continuously gather important data sets for you so you can monitor opt-in rates. You can test templates, layouts, copy, CTAs, text, and design again and again to see if you can resonate with users to earn their opt-ins.
Scale your CMP to Mobile and CTV
Once you’ve set up and optimized your website cookie banner, it’s time to expand your reach. If you use mobile, OTT, or CTV platforms, you’re required to gain consent to capture user data. It’s not hard to do if you have a consent management platform set up. You can create a consistent and one-time consent process across all of these channels.
A Modern Consent Management Platform
Getting your consent management strategy right is an important first step. But without a capable tool to help you execute it, you face the overwhelming challenge of deploying it.
You need to onboard a consent management platform that automatically stays active with regulations and tech requirements, and can be scaled across mobile apps and CTV platforms. It also needs to be able to optimize for opt-ins, track marketing performance, and deliver personalized ads.
You can’t run a modern privacy management program without a consent management platform that can be scaled across domains and devices. There are essential qualities to look for in order to onboard an experienced and competent software partner.
- Audit websites and applications to understand first- and third-party cookies, SDKs, privacy policies, cookie notices, tags, beacons, local storage objects, and other tracking technologies.
- Customize banners for websites and applications using built-in consent approach options.
- Prime Apple iOS 14.5 app consumers with an app tracking transparency pre-prompt before consent for IDFA is captured.
- Share consent signals by syncing with Salesforce DMP, IAB TCF, Google DFP / AdSense / AdX, Google Tag Manager, Adobe DTM and more.
- Centralize consent records across platforms, including web, mobile apps, OTT, AMP and offline consent and preference collection with support for cross-domain consent.
- Drive opt-ins and engagement by tracking and analyzing consent rates with pre-built, real-time dashboards and reporting, A/B testing and monitoring to maximize compliant opt-in rates.
- Integrate with existing tech stack and protect investments with easy integration with Adobe Advertising Cloud, Facebook, FreeWheel, mParticle, Salesforce Audience Studio and more.
- Authenticate known users using an identifier and synchronize consent and preferences to deliver a seamless, personalized experience across devices.
This is a lot to do for one system, especially when you add in the need to automate global compliance with CCPA, GDPR, ePrivacy, IAB Europe TCF v2.0, DAA AdChoices and hundreds of other laws and frameworks.
You’ll need a trusted consent management system that’s helped world-renowned enterprises to small tech startups, large media companies to medium-sized businesses: Robust technology used around the world, across every industry.
The OneTrust consent management platform is designed to do just that.
It leads the consent management market, with over 350,000 websites and applications leveraging its technology to manage users’ consent and preferences. You can operationalize consent management using the most advanced, easy-to-deploy, and scalable solution in the industry.
OneTrust delivers technology that enables companies to empower their customers to take control of their data. This leads to better segmentation and personalization, while making compliance simple.