Companies require users’ explicit consent when placing and using cookies that collect personal data. This consent can be obtained with a simple cookie banner - which has advantages and disadvantages - or with a consent management tool, also known as a consent management platform (CMP). We summarise here what needs to be considered.
Active and freely-given consent is always required
For a long time, there were debates about whether cookies should only be stored and evaluated after active, informed consent was given (opt-in), or whether information and the offer of consent withdrawal (opt-out) were sufficient (as was the case in e.g. the Californian Consumer Protection Act (CCPA)).
The final judgment of the German Federal Court (BGH) has now clarified this: advertisers need the voluntary, explicit consent of the user when placing any cookies that collect personal data.
The European Data Protection Board (EDPB), which is a body of the EU’s data protection supervisory authorities, also provides guidelines on consent for websites. These state that making website visits or website use conditional on forced consent to cookie tracking (cookie walls) is not permitted.
However, not all countries agree on this. In France, for example, the Council of State decided in the summer of 2020 that the local data supervisory authority CNIL should not ban cookie walls, because publishers had the right not to make their content accessible to all users. Definitive guidelines are still pending.
Consent is required for all technologies, not just for cookies
More and more browsers are planning not to allow third-party cookies in future. That’s why alternative tracking methods are already being used and further, new methods are being developed.
But beware: the foreseeable end of third-party cookies doesn’t mean that the aforementioned legal bases and guidelines will soon no longer be important.
The German supervisory authorities for data protection have already clarified: “Those responsible must ensure that consent does not only involve placing of cookies that require consent, but also all processing activities that require consent. In order to meet all legal requirements [...] a complete, well thought-out consent management process is necessary.”
A large number of platforms, so-called consent management platforms (CMP), are available on the market.
Choose CMPs with cloud service and a subscription operating model (SaaS)
CMPs are offered either as an installation for in-house operations, or as a cloud service.
An advantage of relying on in-house operations is that CMP software sold by service providers processes personal data (this means there is an order management process). For this, data privacy regulations require an appropriate level of data protection. As the purchaser of the software, you have to ensure that this is met as you are responsible for data protection.
An advantage of using the cloud service is that companies don’t have to worry about its installation, operation and maintenance because the CMP is obtained and subscribed to from within the cloud (SaaS).
For data protection reasons, it is particularly important to pay attention to the operating location of the cloud-based CMP solution. It is recommended to choose a server location in the EU, otherwise further tests to check the level of data protection at the server location must be carried out. At Didomi, we store all data at AWS in Frankfurt.
Please also consider the business model of the company that provides you with a CMP. It’s conceivable that you may be offered e.g. one-off licenses that include a maintenance fee per year, or annual fees, or fees based on transactions via the CMP. It is important here to calculate exactly what is better for the company.
Select a CMP that has proven functionality and that can be configured to a large extent
Personalisation of text and design
Among other things, it needs to be clear how the information text for consent is displayed, and whether it can be changed and/or adjusted. Some CMPs, such as Didomi, provide suggested sample templates for this. In some cases, e.g. when transitioning to the TCF v2 advertising standard, standard texts can be used.
There is also, of course, the format. Can the company’s branding be taken into account when adapting the consent information? Are different formats available to obtain consent? Is it possible to A/B-test different formats to optimise the consent rate? This is the case with our solution.
Granularity of consent purpose and consent information
The following factors are also important: does the consent template clearly and transparently inform the user about data recipients, third parties and/or advertising partners with whom a publisher works? Do these partners’ CMPs reflect this, and do they inform users whether these partners are certified (e.g. under the IAB’s Transparency and Consent Framework (TCF))?
Once there is clarity about this, does the CMP inform the user transparently about the purposes for collecting data and about the legal basis that a third party (including Google) would like to rely on? Is granularity of consent for certain purposes possible, e.g. for the personalisation of online content?
This information may not be important for all users, but a good CMP tool like Didomi should make this clear.
Is there reference to the option of consent withdrawal? Is consent withdrawal easy to obtain and is it also technically effective? Very often gaining consent with an "Accept" or "OK" button is much easier than using a "Decline" or "Configure" button. This is understandable for website operators, and still transparent (and perhaps also more trust inspiring) for the user!
Storage and proof of consent
How can consent be verified? Is proof of consent possible on an individual basis? How long will this proof be stored?
Consent must be documented and verifiable, and CMP solutions store consent for different lengths of time. When using Didomi, this length is adjustable. Companies must then check which requirements they have for documentation of consent, i.e. whether consent should be verifiable for short or long periods of time.
Help with implementation and customer service needs
There are also clear differences in terms of service. Here businesses should consider what services they need and whether they should use service partners that are located close by. At Didomi, we work with partners who can help implement a consent strategy and/or the CMP.
However, this is not absolutely essential as our software is very easy to configure and use. Each customer will be helped individually: our highly-qualified Customer Success Team is responsible for this.
Pay attention to the CMP’s scope and supported technologies
Consent must be obtained and implemented in accordance with data protection regulations not only on websites, but also in apps. Mobile apps are not yet widely supported by CMPs. For any apps, relevant CMP functions should be available.
With its SDK, Didomi’s CMP can be used not only in apps (Android, iOS) but also on mobile websites (AMP) and in 3D-environments and games (Unity). Our customers appreciate this very much because they can equip all their websites and apps by using just one provider.
Can we at Didomi help you collect and share user consent?
Please do not hesitate to contact us.