Anurag Chaudhary

Streamline privacy and consumer trust with Consent Management Consent management is the process of collecting and managing users’ consents for advertising and marketing purposes while complying with consent collection regulations. It goes hand in hand with Identity and Access Management (IAM). Complications associated with identity landscape propels the need for consent management. Consent management facilitates end-users to opt-in or out-out of cookie categories (preferences, statistics, and marketing) listed on a website and again, revoke consent at a whim. In short, consent management entitles data subjects (users) to anonymize or deanonymize their personal data. Need for Consent Management Just a few years back, data-driven marketing was an unmanaged one. Data handlers and tech giants were at large. Threats arising from third-party cookies’ ability to track, personalise, and retarget users escalated concern regarding misuse of personal information at individual level. As a result of unrestricted use of personal data of users by businesses, regulatory bodies popped up, introducing strict compliance mandates to control the way businesses harvest and harness data. At the crux, all regulatory bodies mandate businesses to obtain explicit consent from consumers before using their personal information for monetising methods. Now when non-compliance fines are making headlines, obtaining user consent for data collection through cookies is more important than ever. Keeping user consent a top-tier priority, to date, more than 100 countries worldwide have enacted data privacy laws. Top names that strictly ask for user consent are: ● GDPR (EU's General Data Protection Regulation) ● CCPA (California Consumer Privacy Act) ● PDPA (Singapore Personal Data Protection Act) ● APP (Australia's Privacy Principles) Consent Management Platform CMP is a software or tool that automates the consent collection and management process. It provides transparent information on the use of cookies. Marketers identify and target consumer data with the help of cookies, which are name-value pairs unique to a user and respective website. A consent management platform gathers and segregates users who agree to provide consent for marketing efforts and those who do not. It saves and deletes the data for accepted and denied categories, respectively. For the consented categories, it picks the personal data of the user and drops it in a folder of shared interest, for data processing. What does a CMP do? A consent management platform covers the entire life cycle of users on a website, ranging from collecting consent to handling their data-subject request. Collects Consent Users should be explicitly informed of the data type being collected and its underlying purpose. The privacy policy should reflect detailed information covering the scope of data processing. Simultaneously, it's also crucial to let users decide if they agree to the purposes of data processing. As GDPR has set no specific format for accepting consent requests, a cookie banner acts as the industry standard, which covers permission for storing, processing, and sharing personal data. Consent management should abide by the following principles: ● User's grant of consent should be a free choice; access to the website can't depend on obtaining consent for remarketing. ● Consent should be granular, allowing users to selectively decide types of tracking and analytics that apply to their private data. ● Info containing preferred choices is stored in a first-party cookie. If the user deletes browser cookies or visits the website using another device or browser, consent will be requested again. Maintains a record of personal data ● ● ● ● ● An identifier for consent (like email address, IP) Data consented by the user (and intended purposes for using personal data) Timestamp of consent (when it was given, changed, or withdrawn) Secure storage; documentation of the obtained consent (as per Data Respecting Subjects' Rights under GDPR) Renewable cycle (expiration date of consent--annually or frequently) Facilitates a medium to change and move the data ● ● A CMP should avail options for rectifying, revoking, and erasing the personal data of a user. Abiding by the right to data access under GDPR, upon request, the personal data of a data subject must be presented to the specific user in a structured, machine-readable format, which the user keeps the right to transfer to another data controller. Importance of using a CMP ● It's a cost-efficient method for data handlers and publishers to stay up-to-date with the evolving privacy sphere, which otherwise maintaining on their own can be challenging. It safeguards against consumer data privacy allegations. ● A consent management platform helps a data handler in maintaining a record of a consent database and responding to audits when required, automating decision making, and transferring data overseas. ● In the backend, a CMP equips data handlers with an admin panel for achieving business-related goals. It centralises the consent data of an organisation and streamlines stakeholders’ access to regularly updated consent data for driving deeper insights. ● A CMP helps a data controller automate the use of scripts for general and special purposes. Conditionally, a data controller can disable and enable the use of tracking tags on web pages, with varying compliances. ● IAM (Identity and access management) permission errors put an organisation vulnerable to a potential data breach. Implementation of consent management keeps IAM permission errors at bay and, therefore, protects against breaches. Personal Data Protection Bill (PDPB) PDPB has been formulated by the Ministry of Electronics and Information Technology and is currently in draft form, waiting for approval in Parliament. It provides for the protection of the privacy rights of individuals, and it serves to establish a Data Protection Authority of India for matters related to safety of the personal data of an individual. PDPB approves a consent valid only if it is free, informed, specific, clear, and capable of being withdrawn. Rules for consent collection and processing are almost identical to GDPR. Consent-related key points of PDPB: ● ● ● ● ● Data fiduciaries--one who determines the purpose and means of the processing of personal data--can process data of the individual only after consent is provided. Given explicit consent by an individual, sensitive personal data may be transferred overseas for processing; however, a copy of that data should reside in India, too. Right to be forgotten of a data principal prevents the processing of personal data by a fiduciary once consent is withdrawn. Explicit parental consent should be obtained for processing sensitive data of children. The draft bill exempts obtaining consent for data processing in a situation if: ❏ It is in the public interest, like legal proceedings, medical emergencies, etc. ❏ The data helps a government streamline services and policy formulation.