Since 2018 and the General Data Protection Regulation (GDPR) in the European Union (EU), an ever-increasing number of countries and now U.S. states are passing comprehensive consumer privacy regulations requiring businesses to collect user consent for data collection and usage.

 

For many organizations, consent management is still a nebulous concept that comes with an array of challenges, be it legal or technological.

 

In this article, we go over what a Consent Management Platform (CMP) is, why you might need one, and how to pick the best solution for your organization.

 

Summary

 

 


 

Context around data privacy, the GDPR, and the advent of consent banners

 

To understand what a Consent Management Platform (CMP) is and how it's used, it's important to know where it comes from. CMPs are a very contextual technological solution, which came as an answer to regulatory requirements and legal obligations.

 

In 2016, the European Union (EU) introduced the General Data Protection Regulation (GDPR), a new regulation on data protection and privacy in the EU and the European Economic Area (EEA), aiming to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business.

 

The GDPR reinforced the definition of consent, and introduced a number of provisions and requirements related to the processing of personal data of individuals (formally called "data subjects") who are located in the EEA and apply to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

 

This, along with the e-privacy directive that requires organizations to obtain consent before dropping cookies, caused a major shift in how user data can be collected, introduced protocols for organizations handling personal information, and established new definitions for personal data, consent, accountability, and all parts of processing data.

 

Internet users worldwide have been exposed to these changes because, since the implementation of the GDPR in 2018, any website that gets EU visitors and processes personal data (or works with a third-party service that does) must comply with the regulation, and part of complying means asking each user for permission to access and use their data, hence the rise of cookie banners (also called consent notices). 

 

Fast forward to 2023, and while consent banners have become a mainstay for most European internet users, they are experiencing a renewed interest worldwide as new, GDPR-inspired data privacy laws are constantly being introduced outside the EU.

 

That's when consent management platforms come in.

 

What is a Consent Management Platform (CMP), and why would you need one?

 

A consent management platform is a software solution allowing organizations to:

 

  • Provide notices to their users about what data is processed, which specific entities process the data, for which purposes, under which legal basis, and other legal requirements required by various privacy regulations.

  • Offer a dashboard for users to grant, refuse, or revoke consent.

  • Create and share granular consent records with entities relying on CMP data, such as advertising and publishing partners, to enable and demonstrate lawful data processing.

 

Simply put, a CMP is a technology helping companies collect and store user consent legally, and leverage that consent through their tech stack in compliance with data privacy regulations. 

 

Our CEO and co-founder, Romain Gauthier, explains it in simple terms: 

 

"A Consent Management Platform (CMP) is a key component of any comprehensive data privacy strategy. Not only is it mandatory to implement a consent banner under a number of data protection laws worldwide, but a CMP allows organizations to ensure that the choices collected from users are stored and leveraged in a compliant way in case of an audit.

One of the critical yet complex aspects of a CMP is the distribution of the consent status to a wide range of systems and vendors that critically need this signal to perform their tasks. Most importantly, it communicates to your customers that you care about their privacy and value their trust."

 

 - Romain Gauthier, Co-founder and CEO at Didomi

 

Not only is a CMP pretty much a requirement under data protection laws such as the GDPR, but it has also become a beacon for transparency in the eyes of customers, partners, and organizations worldwide.

 

By transparently communicating with their users what data they collect, for what purpose, and why, companies have the opportunity to showcase their commitment to data privacy and to build a relationship based on trust with their customers.

 

For a deeper dive on the topic, check out this whitepaper co-written with software company Hubspot, which explores the power of combining growth and privacy for marketing teams to build highly personal, tailored campaigns while complying with data collection and personal data processing best practices:

 

Didomi and Hubspot - Business Growth and Privacy whitepaper

 

 

So far, we've mostly talked about the EU, but you might wonder: Do I need to use a consent management platform outside Europe and the GDPR?

 

Using a Consent Management Platform (CMP) for compliance in the United States

Gartner predicts that by the end of 2024, over 80% of companies worldwide will be impacted by at least one data privacy regulation.

 

In the United States, consumer data privacy laws have been popping up seemingly every other week for the past year, resulting in a compliance patchwork that can be confusing for many businesses:

 

Didomi - U.S. data privacy law state map (July 2023)

 

While collecting user consent isn't as much of a requirement in the United States as it is in Europe - a lot of U.S. states still rely on an opt-out system - implementing a CMP is still an important step to inform users of the types of data collected, give them an opportunity to opt-out, and help businesses with recollecting consent, especially when initiatives like Global Privacy Controls (GPC), of which Didomi is a founding organization, allow customers to automatically opt-out from their browsers.

 

Depending on which state you operating in, a Consent Management Platform might be mandatory, or simply a recommended step into providing best-in-class privacy experiences to your customers. 

 

At the time of writing this article, current active data protection laws in the U.S. are:

 

 

To learn more and access the full list, check out our article about data privacy laws in the United States, including a regulation tracker for you to download:

 

Learn more about Data Privacy in the U.S.

 

How to select the right Consent Management Platform (CMP)?

 

There is no universal answer to this question, as selecting a Consent Management Platform (CMP) is a highly strategic decision that will ultimately be specific to your unique organization, expectations, and requirements.

 

That being said, there are some industry standards you can trust when it comes to CMPs.

 

Industry Standards for consent management platforms

First, you have the Transparency and Consent Framework (TCF), which has been described as "the global cross-industry effort to help publishers, technology vendors, agencies and advertisers meet the transparency and user choice requirements under the GDPR."

 

Created by IAB Europe, this framework is a standardized, organized way for players in the digital advertising industry to provide the right level of transparency to users while giving the appropriate level of control to publishers. Didomi is fully TCF compliant, and our solutions allow our users to easily enable other third-party frameworks, such as IAB GPP and GPC, without additional integration or development. 

 

Additionally, and intrinsically linked to the recent launch of the TCF 2.2, Google introduced in May 2023 its new CMP requirements for publishers and developers partners running advertising campaigns in the European Economic Area (EEA) and the United Kingdom (UK).

 

At Didomi, we are proud to be one of the first Consent Management Platform (CMP) providers to be certified by Google.

 

Best practices and tips to select the right consent management platform for your business

Beyond industry standards and frameworks, selecting the right CMP will require a significant amount of research to make sure whichever consent management solution you choose ticks all your boxes.

 

Some important things to keep in mind when selecting a CMP include:

 

  • Figuring out it will address local and international regulations

  • Understanding the complexity associated with the implementation

  • Ensuring it will integrate with your existing tech stack

  • Verifying that it provides the appropriate amount of customer support

 

And much more. For the full list of considerations you should be aware of and a deep dive into how to select the right consent management platform, read our complete guide:

 

How to select the right CMP?

 

How can Didomi help with your consent management needs?

 

Didomi - Updates on CPRA Console

 

Didomi has been working since 2017 to build comprehensive solutions for organizations facing compliance and regulatory challenges, starting with the GDPR and rapidly expanding towards multi-regulations management.

 

Beyond our status ad a Google-certified CMP mentioned above, we are also ISO 27001-certified, compliant with the Transparency and Consent Framework (TCF) 2.2, and were ranked #1 CMP in the industry on G2's 2023 Summer Report.

 

Among the specificities of our CMP, here are some of the areas we particularly stand out from the competition, based on our customers' verified reviews and feedback:

 

  • Industry-recognized expertise, fueled by years of handling consent and driving innovation

  • Privacy-first experiences, placing customer choices at the forefront to build long-lasting relationships based on trust

  • World-class support and onboarding, with a highly specialized privacy tech team

  • Multi-regulations, providing the right consent notice for each user, worldwide

  • Ultra personalized banners, creating experiences that are unique to your brand

  • Advanced analytics, giving the right metrics to make the right decisions

  • Versions and proofs, to access consent history and specific consent UI versions agreed to by any user, at any point in time.

 

We pride ourselves in providing top-of-the-line Global Privacy UX Solutions, with a strong emphasis on empowering organizations to build exceptional user experiences.

 

 “Data privacy is a complicated industry to navigate for many of our customers, and we are very aware that compliance can be a stressful topic. It is paramount for us at Didomi to deliver the most user-friendly experiences possible, in order to alleviate that anxiety and help our customers focus on their business first and foremost.”

 

- Jeffrey Wheeler, Vice President of Product Development at Didomi

 

Whether you're shopping around for a CMP ahead of the wave of upcoming data privacy laws in the United States or are looking to migrate from your current consent management solution, Didomi can help. Book a call with the team to discuss your privacy challenges today:

 

Talk to an expert

 

Frequently Asked Questions (FAQ)

 

What is a Consent Management Platform (CMP)?

Simply put, a CMP is a software solution that helps organizations legally collect consent, store it, and leverage that data within their tech stack, in compliance with global privacy laws.

 

Can you build your own Consent Management Platform (CMP)?

Consent management today is a lot more than a cookie pop-up warning, a consent banner, or legal compliance. It is a process that impacts many stakeholders within an organization, including legal, IT, data, and marketing teams - as well as your customers and regulators. 

 

No matter what size or industry your business operates in, you are liable for customer data privacy, and for respecting customer choices about data usage. Data privacy issues can result in legal trouble and potentially damage your hard-won brand reputation. Using consent management solutions can help alleviate that risk.

 

That being said, it is possible to build your own consent management platform, with a lot of resources, effort, and time. It's ultimately up to you to decide whether this is worth it for your organization, or whether you should partner with experts that can do the heavy lifting for you.

 

Are there specific requirements and industry standards for Consent Management Platforms (CMP)?

There are various industry standards you can rely on when making a decision. The Transparency and Consent Framework (TCF) is one of them.

 

Created by IAB Europe, this framework is a standardized, organized way for players in the digital advertising industry to provide the right level of transparency to users while giving the appropriate level of control to publishers. Didomi is fully TCF v2.2 compliant.

 

Additionally, in May 2023, Google introduced new Consent Management Platform (CMP) requirements for publishers and developers partners using the company's AdTech solutions to run advertising campaigns in the European Economic Area (EEA) and the United Kingdom (UK).

 

At Didomi, we are proud to be one of the first Consent Management Platform (CMP) providers to be certified by Google. Learn more. 

 

Other frameworks you might want to look into include third-party frameworks like Global Privacy Controls (GPC) and Global Privacy Platform (GPP), which Didomi also integrates with.

 

What is the best Consent Management Platform (CMP)?

There is no universal answer to this question, as choosing a CMP requires a thorough evaluation of the criteria, expectations, and overall requirements for your business. A great place to start is this guide on selecting the right Consent Management Platform (CMP).

 

How to migrate to Didomi from another consent management solution?

Even if you've already implemented a different consent management system, be it a different provider, a homemade solution, or an alternative, migrating to Didomi is easy. Head to our migration page, where we explain the process in detail.