Consent management has become important over the last few years due to recent privacy laws popping up all over the world, namely the EU’s GDPR. You are now required to obtain consent before collecting and processing the personal information of users and customers, even if your local jurisdiction doesn’t have its own privacy law.
Therefore, it’s important for software developers and product owners to understand consent management. You’ll need to put a plan in place to collect and manage consents in order to be compliant with laws and regulations. Plus, users and customers simply want to work with software products that respect their data.
In this article, we explain everything you need to know about consent and implementing your own consent management program.
What is Consent Management?
Consent is an affirmation from the user or customer, given freely, uncoerced, that gives you permission to collect and use their data. Data privacy laws typically require organizations to collect consent before handling personal information.
Consent management, therefore, is the practice of giving customers control over the data you collect and how you use it. It means explaining how and why you use their data and then giving them the chance to grant or deny you consent over their personal information.
According to the GDPR, there are six lawful bases to process user data. Consent is one of those bases. So if a user gives you permission to process their data, you can do so legally.
Image: Exponea/Bloomreach
In most situations, consent is the easiest way to protect yourself. If a customer objects to your use of their data, you can point to where they consented to it.
The clearest example of consent is the cookie consent box you’ve undoubtedly seen all over the web. They look like this (with some variation, depending on the site):
In other cases, consenting to data processing is a little more involved. Some applications give users a dashboard where they can toggle their consent for different types of data collecting and processing. If you have a contract with your customer, it should spell out exactly the types of data you’ll collect and how you’ll process it.
“From a technical perspective, every CMP looks different, so the way it looks or is implemented will vary depending on what tool you are using,” says Steve Pritchard, managing director of It Works Media. “Some may be highly technical, whereas other, more simple tools may just work through a [check] box process.”
Consent management is not the same as preference management. Preference management is the process of letting customers decide how they interact with your company. For instance, you might let them choose how often they receive your emails or the topics those emails cover. Preference management is useful, but you have to get their consent first.
Consent Management and Compliance
Consent management can seem like a lot of work, but it’s an important part of GDPR compliance. If you ignore it, you’ll face the GDPR’s authority body, which has the power to level fines that can reach £20 million or 4% of a company’s annual global. Fines were bigger than ever in 2020.
A £16.7 million fine was given to mobile telecommunications operator Wind Tre for creating a confusing interface to gather user consent, using personal data without consent, and ignoring data privacy guidelines.
A £1.24 million fine was given to AOK Baden-Wurttemberg, a German health insurer for sending marketing messages without consent.
Fines aren’t the only penalties, however. Users and customers look poorly on companies that don’t take their data privacy seriously. If you get sanctioned for failing to acquire consent, you’ll undoubtedly lose customers who may take some time to regain their trust.
Article seven of GDPR explains the required conditions for consent and how companies can stay compliant. Here’s a brief summary:
If you collect and process customer data based on their consent, you must be able to prove that the customer consented.
If the request for consent is part of a broader document (with more terms), the request must be clearly distinguishable from the other parts.
The customer can withdraw consent at any time. Withdrawing should be just as easy as consenting (i.e., if they consent with a click, they should be able to withdraw with a click).
Just because you have a contract with the customer doesn’t necessarily mean the customer gives blanket consent.
You still have to deal with consent management even if your local jurisdiction doesn’t have a data privacy law that deals with it. Data privacy legislation applies to anyone who collects and processes data of a local resident. For instance, you could violate the GDPR if you process an EU resident’s data incorrectly. As of 2020, 66% of countries are directly covered. That percentage grows larger every year.
There’s no comprehensive data privacy law in the United States, but California and New York (two of the States’ biggest economies) have their own. If you have users and customers in either state - or the European Union - you need to take consent management seriously.
Consent Management Programs
Your consent management program is the system that logs and tracks your users’ and customers’ consents. You need this information on hand to avoid potentially large fines and the damage to your brand that may come with those fines.
The simplest way to stay compliant and ensure you have everyone’s consent to collect and process their data is to use a consent management platform that handles it for you. A consent management platform serves two important purposes:
Requesting users’ and customers’ consent, and
Enforcing their preferences throughout data systems.
Consent management platforms automate the process of informing users/customers, requesting their consent, and logging their acceptance or decline. These services offer different ways to integrate with your website, apps, and tech stack. They handle the consent for you (collection and logging). They also update as data privacy laws change so you don’t have to stay on top of it.
Like a lot of organizations, you probably have data all over the place - web analytics, email marketing, SMS marketing, a CRM, and other places. It’s challenging to manage the consent in all of these places, especially if they link together, so there’s a growing burden to ensure that personal data only flows to apps and systems in accordance with user consent.
The best consent management platforms integrate completely with your tech stack, thereby giving your users total control over how you process their data. If they change their mind later, their revocation should cascade through all of your systems.
That said, while a consent management platform helps you comply with the GDPR and similar data privacy laws, using one doesn’t absolve you of your responsibility. Plus, data privacy laws have other compliance requirements beyond collecting consent.
Keep in mind that running a consent program isn’t just for compliance. It’s also a key way to build trust with users. People view companies favorably when they appear to be in compliance with data privacy regulations. It makes people feel like you respect their data.
Take Data Privacy Seriously
As the data privacy landscape changes, users and customers are becoming more aware and concerned over how businesses use their data. They want the freedom to keep their data private. Consent management is how we govern that process and let their wishes be known and avoid the penalties of noncompliance.
