What are CMPs?
CMPs are software platforms that help website and mobile app publishers provide privacy notifications, obtain necessary consents from users, and record and share consent signals with third parties.
Why do we need one?
The need for a CMP is driven by both e-Privacy and GDPR requirements on providing notice and obtaining valid consent from users.
These requirements have previously been addressed by a mixture of cookie notices, pop-ups and banners, as well as through privacy notices. For the most part, these mechanisms don’t result in valid consent.
With a significant increase in scrutiny on the adtech industry from regulators, consumer groups and privacy activists, we are starting to see greater usage of website and mobile app CMPs.
Top tips when implementing a CMP:
Understand your website/app
First, do a mini-audit of the cookies, pixels and other tracking technologies used on your website or app, and of how user data (including cookie IDs, IP addresses and similar data) is shared with third parties. This will help you determine what type of CMP you need and the level of detail to include in your cookie and privacy notices.
Remember the strict GDPR consent requirements
Whatever CMP you use, remember the core requirements for a valid GDPR consent. In particular, keep in mind:
- consent must be active, and should not be inferred from inaction or from continued use of the website;
- don’t set non-essential cookies unless and until a user has given consent;
- users should be able to easily change their consent options;
- third party vendors relying on the consent must be named; and
- pre-ticked boxes or toggles should not be used.
Consider the Transparency and Consent Framework (“TCF”)
Currently the most detailed framework for website and mobile consent management is the Interactive Advertising Bureau’s TCF. This is an industry-led initiative designed to enable publishers to give notice, and obtain consent, at both a purpose and vendor level.
This means that users can be presented with granular choices about the different uses and purposes of cookies and other tracking technologies.
The TCF also allows publishers to pass “consent strings” to the third party vendors that place cookies on the user’s browser, or otherwise process user personal data.
The TCF is not a perfect solution, and is still subject to significant scrutiny from regulators in the EU. However, as it currently stands, it is probably the best option for publishers looking to demonstrate a more compliant approach to consent management.
Consider a third party CMP provider
Publishers can either use in-house CMP software or embed software from third party CMP providers.
What is appropriate for you will clearly depend on your in-house capabilities, the resources available for development of a CMP, and the complexity of the tracking and data use in place on your website and mobile app.
Another factor to consider is whether an aspect of your CMP attracts much regulatory scrutiny. It may be better to have implemented a third party product used by multiple parties than to be defending your own separate arrangement.
Layer your consent arrangements
Whilst a TCF-compliant CMP requires a high level of granularity of user choice, you can and should still layer the consent options presented to users. Users should therefore still be able to “Accept All” after seeing a high level summary pop-up, as well as being able to dig into the detail and make selections if they choose to do so.
Don’t forget your cookie and privacy notices