Criteria for a CMP

Consent in daily life appears to be simple: it’s a Yes or No question. Consent in legal terms and in particular, the consent introduced by GDPR, is rather complex. Strict requirements are tied to a valid consent imposing practical challenges on what appear to be simple daily life situations.

One such simple daily life situation that becomes complex under GDPR, is visiting a website. If a website has integrated tags, they need the consent of the website visitor, if their purpose is e.g. tracking, retargeting and profiling, as the data collected by tags are considered personal data under GDPR.

Obtaining and documenting an informed, freely, concrete, explicit, prior and easy-to-opt-out consent of website visitors requires a technical solution. This can either be done in-house, but as it is a whole product of its own requiring a lot of maintenance, monitoring of jurisdictions and entails high liability risks, it does make sense to outsource Consent Management to a specialised provider.

As CMPs for website technologies are a recent development, we have put together objective criteria resulting from legal and technical implications that should be considered when selecting a CMP.

Resulting from the obligation to document and proof the consent, server-side and not client-side storage of consents is important. If possible, the consent data shall be stored on servers in the EU.

The user should initially be given both the option of accepting and rejecting. A cookie wall that leaves the user with no other option but to agree, does not comply with the requirements for a freely given consent.

It should be possible to load the technologies that require consent, only after a valid opt-in.

After opt-out, the technologies should not be loaded anymore, not even the opt-out itself. Sending the user to an external third party provider website for an opt-out is not reasonable and does not constitute an easy withdrawal.

The consent management platform should also detect and cover piggybacking cases, meaning if a tag on the website automatically transfers data to other piggybacked tags, that are not on the website themselves, e.g. affiliate tags, which are partially reloaded.

The consent management platform should offer to customize the frontend, because this is the only way to ensure that website visitors do not feel irritated and annoyed by cookie pop ups and banners which would thwart the laborious designed CI and UI/UX efforts.

The requirement of consent should not only be considered for tags, but also for other web technologies such as plug-ins and integrated content (e.g. embedded YouTube Videos, Google Fonts). The obligation to obtain consent might result from factors such as if they entail a data transfer to a third country such as the US. In any case, are they subject to the information obligation pursuant Art. 13 GDPR.

To prevent the CMP from becoming the next ‘data octopus’, the client data should be stored separately during the processing. That can be retrieved by not tracking and connecting user agent data, meaning, if the identical user gives consent on one website, the CMP should by default not be able to map that consent to a consent on another website, as this would be profiling pursuant to Art. 21 which itself requires consent.

The iab Transparency and Consent Framework is the first standard of how a consent can be transferred globally. The selected CMP should support the iab standard, because in the future personalised advertising will only be controlled with ConsentID in the bid request.

The CMP software should be developed agnostically, so that it is compatible with any tag management and website system.

As the controller has to comply with the information obligation, it is useful to be able to integrate the legally relevant texts of the web technologies (automatically) into the general Privacy Policy, e.g. through an iFrame.

It is very important to be able to control and change the rules for loading tags. In some cases, a company might want to implement a ‘soft’ settings – e.g. to load certain technologies such as pure web analysis tags without consent. However, if a verdict of a data authority will prohibit that, a quick switch to a zero cookie load setting has to be possible.

The sole business purpose of the provider should be to obtain consent so that the use of the CMP can be based on Art. 6 c GDPR. If a provider pursues further business purposes – it can be assumed that the consent data will be used for these business purposes. Therefore, either a proprietary development with a separate neutral company, or an external provider with privacy-by-design is recommended.

The principle of concreteness can be interpreted as a requirement for a granular consent to certain technologies used on the site. Also, resulting from the principle of minimalism, a consent should only be obtained for a technology that is actually in use on the website. Obtaining consent for a complete list of over 350 vendors as the iab solution imposes, is difficult to justify.

Organizations located in the EU / EEA obviously have to comply with GDPR and the above described rules on the use of cookies and similar technologies. However, under Art. 3 (2b) of the GDPR, generally all websites globally have to comply with GDPR where tracking or profiling technologies are applied on EU users. All organizations globally that use such technologies will need a consent management solution – either to comply with GDPR or to block EU/EEA-users and stay out of GDPR.

Reviewing possible consent management platform providers and implementing such a solution now will be the right step also in preparation for the ePrivacy Regulation that will write Chapter II in the book of EU data protection reforms.