Streamline privacy and consumer trust with Consent Management
Consent management is the process of collecting and managing users' consents for
advertising and marketing purposes while complying with consent collection regulations. It
goes hand in hand with Identity and Access Management (IAM). Complications in the
identity landscape drive the need for consent management.
Consent management lets end-users opt in to or out of the cookie categories
(preferences, statistics, and marketing) listed on a website and revoke that consent
at will. In short, consent management entitles data subjects (users) to anonymize or
deanonymize their personal data.
Need for Consent Management
Just a few years back, data-driven marketing was unmanaged. Data handlers and
tech giants were at large. Threats arising from third-party cookies' ability to track,
personalise, and retarget users escalated concern about misuse of personal information
at the individual level.
As a result of businesses' unrestricted use of users' personal data, regulatory bodies
popped up, introducing strict compliance mandates to control the way businesses harvest
and harness data. At the crux, all regulatory bodies mandate businesses to obtain explicit
consent from consumers before using their personal information for monetising methods.
Now that non-compliance fines are making headlines, obtaining user consent for data
collection through cookies is more important than ever. Keeping user consent a top-tier
priority, more than 100 countries worldwide have enacted data privacy laws to date.
Top names that strictly ask for user consent are:
● GDPR (EU's General Data Protection Regulation)
● CCPA (California Consumer Privacy Act)
● PDPA (Singapore Personal Data Protection Act)
● APP (Australia's Privacy Principles)
Consent Management Platform
A CMP is a software tool that automates the consent collection and management process. It
provides transparent information on the use of cookies. Marketers identify and target
consumer data with the help of cookies, which are name-value pairs unique to a user and
the respective website.
A consent management platform gathers and segregates users who agree to provide
consent for marketing efforts and those who do not. It saves and deletes the data for
accepted and denied categories, respectively. For the consented categories, it picks the
personal data of the user and drops it in a folder of shared interest, for data processing.
What does a CMP do?
A consent management platform covers the entire life cycle of users on a website, ranging
from collecting consent to handling their data-subject request.
Collects Consent
Users should be explicitly informed of the data type being collected and its underlying
purpose. The privacy policy should reflect detailed information covering the scope of data
processing. Simultaneously, it's also crucial to let users decide if they agree to the purposes
of data processing.
As GDPR has set no specific format for accepting consent requests, a cookie banner acts as
the industry standard, which covers permission for storing, processing, and sharing personal
data.
Consent management should abide by the following principles:
● User's grant of consent should be a free choice; access to the website can't depend
on obtaining consent for remarketing.
● Consent should be granular, allowing users to selectively decide types of tracking
and analytics that apply to their private data.
● Info containing preferred choices is stored in a first-party cookie. If the user deletes
browser cookies or visits the website using another device or browser, consent will
be requested again.
Maintains a record of personal data
● An identifier for consent (like email address, IP)
● Data consented by the user (and intended purposes for using personal data)
● Timestamp of consent (when it was given, changed, or withdrawn)
● Secure storage; documentation of the obtained consent (as per Data Respecting
Subjects' Rights under GDPR)
● Renewable cycle (expiration date of consent--annually or frequently)
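The record fields listed above can be held in an append-only ledger, so that every grant, change, and withdrawal stays available for audit. The sketch below is an added example, not code from any CMP product; the class and function names, the sample subject, and the one-year renewal period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CATEGORIES = {"preferences", "statistics", "marketing"}  # categories named on the page
RENEWAL = timedelta(days=365)  # assumption: consent expires after one year

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # identifier for consent (e.g. e-mail address)
    granted: frozenset   # categories consented to; empty set means withdrawn
    timestamp: datetime  # when consent was given, changed or withdrawn

class ConsentLedger:
    """Append-only record: changes and withdrawals add events, nothing is overwritten."""

    def __init__(self):
        self._events = []

    def record(self, subject_id, granted, when):
        unknown = set(granted) - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        self._events.append(ConsentEvent(subject_id, frozenset(granted), when))

    def history(self, subject_id):
        """Audit trail for one subject, oldest first."""
        events = [e for e in self._events if e.subject_id == subject_id]
        return sorted(events, key=lambda e: e.timestamp)

    def allowed(self, subject_id, category, now):
        """Default deny: true only for an unexpired, explicit grant in the latest event."""
        events = self.history(subject_id)
        if not events or now - events[-1].timestamp > RENEWAL:
            return False  # never asked, or expired: consent must be requested again
        return category in events[-1].granted

def demo():
    """Constructed sample data: grant, partial withdrawal, then expiry."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("user@example.com", {"statistics", "marketing"}, t0)
    ledger.record("user@example.com", {"statistics"}, t0 + timedelta(days=30))
    soon, later = t0 + timedelta(days=31), t0 + timedelta(days=500)
    return {
        "marketing_after_withdrawal": ledger.allowed("user@example.com", "marketing", soon),
        "statistics_still_granted": ledger.allowed("user@example.com", "statistics", soon),
        "statistics_after_expiry": ledger.allowed("user@example.com", "statistics", later),
        "unknown_subject": ledger.allowed("other@example.com", "statistics", soon),
        "events_kept": len(ledger.history("user@example.com")),
    }
```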
Facilitates a medium to change and move the data
● A CMP should provide options for rectifying, revoking, and erasing the personal data of
a user.
● Abiding by the right to data access under GDPR, upon request, the personal data of
a data subject must be presented to the specific user in a structured,
machine-readable format, which the user keeps the right to transfer to another data
controller.
Importance of using a CMP
● It's a cost-efficient method for data handlers and publishers to stay up-to-date with
the evolving privacy sphere, which can otherwise be challenging to keep up with on
their own. It safeguards against consumer data privacy allegations.
● A consent management platform helps a data handler in maintaining a record of a
consent database and responding to audits when required, automating decision
making, and transferring data overseas.
● In the backend, a CMP equips data handlers with an admin panel for achieving
business-related goals. It centralises the consent data of an organisation and
streamlines stakeholders' access to regularly updated consent data for driving
deeper insights.
● A CMP helps a data controller automate the use of scripts for general and special
purposes. Conditionally, a data controller can disable and enable the use of tracking
tags on web pages, with varying compliances.
● IAM (Identity and Access Management) permission errors leave an organisation
vulnerable to a potential data breach. Implementation of consent management keeps
IAM permission errors at bay and, therefore, protects against breaches.
Personal Data Protection Bill (PDPB)
PDPB has been formulated by the Ministry of Electronics and Information Technology and is
currently in draft form, waiting for approval in Parliament. It provides for the protection of the
privacy rights of individuals, and it serves to establish a Data Protection Authority of India for
matters related to safety of the personal data of an individual.
PDPB treats consent as valid only if it is free, informed, specific, clear, and capable of
being withdrawn. Rules for consent collection and processing are almost identical to GDPR.
Consent-related key points of PDPB:
● Data fiduciaries--one who determines the purpose and means of the processing of
personal data--can process data of the individual only after consent is provided.
● Given explicit consent by an individual, sensitive personal data may be transferred
overseas for processing; however, a copy of that data should reside in India, too.
● Right to be forgotten of a data principal prevents the processing of personal data by a
fiduciary once consent is withdrawn.
● Explicit parental consent should be obtained for processing sensitive data of children.
● The draft bill exempts obtaining consent for data processing in a situation if:
❏ It is in the public interest, like legal proceedings, medical emergencies, etc.
❏ The data helps a government streamline services and policy formulation.