What is a Consent Management Platform? How to Choose and Setup

Will Rice
First published April 4th, 2024
Last updated April 21st, 2024
Learn how Consent Management Platforms ensure compliance with privacy laws, and learn to choose and set up the right CMP for your needs.

Consent has become a top priority for businesses with the emergence of data laws such as GDPR and CCPA. A consent management platform (CMP) should be an essential part of your compliance checklist. But how do you choose a consent management platform and set one up?

 

This is a webinar write-up of Dr John Woods’ talk at Privacy4Marketers. You can get the slides here. You can purchase the recordings (8 in total) or get them for free by signing up to a paid Cookiebot plan using our referral link. Just make sure to send a screenshot of the billing confirmation to william@measuremindsgroup.com.

 

What is a consent management platform?

A consent management platform (CMP) helps to ensure you can collect data without falling foul of legislation. A CMP helps you track data from the moment a user opts in until the data is deleted.

To better understand this process, take a look at the diagram below. On the left of the image, we see the browser that an individual uses to interact with your website. The device contains a series of cookies that help us to track their activities.

On the right of the image, we’ve highlighted aspects of a website that are pertinent for compliance.

There is a consent notice that users have to interact with when they come to a site. We have documentation regarding the use of cookies and a web server that reads and sets cookies that are subject to legislation.

Finally, we have third-party tools like Google Analytics, live chat plugins, etc. As these read and write cookies, they are also subject to legislation. And, if you’re using a tool to handle these, this is another pertinent component. You might need to carry out a Google Tag Manager audit, for instance, to ensure compliance.

What happens when a user’s browser accesses a website

The image below demonstrates how this process is handled once a CMP is introduced. The most obvious factor is that the tool provides a cookie banner for new visitors to your site. This will manage the process of users providing or declining consent and store their consent state.

The CMP also helps with the cookie policy by providing documentation on compliance. This lists the cookies used on your site and the purposes of each cookie.

The padlock icon below shows that the CMP introduces control mechanisms for elements in your tech stack that read and write cookies. This ensures that these elements align with user consent settings.

Lastly, at the bottom of the diagram, we see that we have an auditing capability. In short, your tool should help you avoid the legal jeopardy of privacy laws. This is the most important part of a CMP, giving you peace of mind about your data collection.

How CMP helps you track data from the moment a user opts in until the data is deleted.

 

Do you need a CMP?

Yes! We might have answered this question differently a few years ago. Legislation was more relaxed, and CMPs had a long way to go. Today, though, compliance is a top business priority. Unfortunately, compliance involves a great deal of technically complex procedures.

Luckily, CMPs have come on a lot in recent years. Whilst building your own solution isn’t practical, there are a large number of useful and affordable third-party platforms that can help us.

Don’t think that the ICO will overlook you just because you’re running a small business. Lots of smaller organisations are already encountering legal issues relating to compliance. So, if you don’t have a CMP, now is probably the time to invest in one.

 

Choosing a CMP

Your choice of consent management platform is important – switching between CMPs can be tricky.

Sadly, most CMP vendors don’t support migration. If you have thousands of consent records on your existing CMP, these must be gathered again. This means disrupting the user experience as users have to choose a consent option again.

So, consider your choice of CMP carefully, and bear the following factors in mind.

 

User experience considerations

Your CMP will provide and manage the consent banner that a user interacts with on your website. For the sake of user experience, it’s useful to look at the context of real user journeys. To put this into perspective, follow along as we look for office spaces to rent on Google.

The first banner that we’re met with is Google’s consent notice. As you can see, this is a very conspicuous and intrusive consent banner. Although we can see a page in the background, we can’t interact with it.

consent banner by google

We accept Google’s consent and select sites to open in new separate tabs.

On the first site, we have a very similar banner to Google’s. It’s a strongly modal design with a greyed-out background (although this time, we can scroll).

consent banner of a site but the website itself remained scrollable

In the second example, we have a very different design. You could be forgiven for missing this banner, as it’s hidden at the bottom left of the screen. It matches the brand’s colour and feel and could be mistaken for another piece of content. Unlike the previous example, we can interact with the page.

Cookie banner at the bottom of the screen

Lastly, a very inconspicuous cookie banner is hidden at the bottom of the screen.

Website page with cookie banner hidden at the bottom of the screen

Understanding the different banner options

We have four very different approaches. But why has each site chosen such a different approach?

For Google, the answer is clear. Everyone knows the company offers an extremely useful user experience. We need the platform to carry on our journey and reach the sites we seek. We’ve no choice but to interact with the consent banner.

The same is arguably true for the second site, Rightmove. It’s a well-known brand with few equally comprehensive listing sites. Users are motivated enough to click through the banner and continue their journey.

This arguably isn’t true for the remaining sites. They’re less well-known brand names and contain fewer listings. It’s more important they opt for optimised user journeys. If they provided a strongly modal design that prevented users from interacting with the site, they might go elsewhere.

So, when choosing our banner, we have several considerations:

  • Should a banner be highly branded, brand compatible (similar but not the same as the look and feel of the website), or completely distinctive from brand identity?
  • Do you want an intrusive, modal design that forces interaction or a non-intrusive option with the least impact on user experience?

Whichever options we choose will have implications for user experience and conversion optimisation. They’ll also impact page speed and core web vitals.

 

Which cookie banner should you choose?

There is no single ‘correct approach’. If you’re a publisher with compelling content, you might opt for a modal banner. Whereas you might choose a non-modal banner if you’re focused on a competitive industry like search marketing.

There may be some pages on your site where you take one approach and others where you take a different approach. It’s always best to look for a consent management platform that offers flexibility over your banner’s look and feel.

 

How to control what cookies are placed based on consent status

We’ve gathered consent and understand a user and their consent state. The tags that read and write cookies now need to be able to proceed based on that state. There are three ways of handling that control process.

Control process once people give consent

The first option is ‘manual’. Here, the CMP doesn’t impose any controls at all. You and your developers can modify the code of the web server’s front or backend functionality. You can query users’ consent status via an API and change site behaviour accordingly.

The second approach is known as ‘script blocking’. Ideally, under this approach, everything that needs consent is blocked by default and only enabled when the CMP recognises that consent has been granted.

Unfortunately, script blocking doesn’t actually block everything. If cookies are read and written server-side, script blocking is ineffective. The method has a place but shouldn’t be relied upon exclusively for compliance.

The final approach is to integrate with a tag management platform. Luckily, you don’t need to be a Google Tag Manager expert to do this (although they can be helpful!). The process can be handled easily using ‘consent mode’.

If you’re looking to implement a CMP and don’t yet have a tag management implementation, handling these three methods together is a good idea. If you implement a CMP and then implement tag management, you’ll find many aspects of your CMP need to be redone.

Even though it might complicate a project, it’s a good idea to look at the implementation of a CMP with a refresh of your tag management stack. At the same time, look at how you’ll use consent mode with tag management.
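
Cookies written by the server are the gap that script blocking leaves, so the ‘manual’ method has to cover them. The following added example, which is not from the talk or from any CMP vendor, applies a stored consent state to outgoing Set-Cookie headers with a deny-by-default rule. The `consent_state` cookie name, its JSON format, the four purpose names and the cookie inventory are assumptions made for illustration.

```javascript
// Cookie inventory: every cookie the site sets, mapped to a consent purpose.
// Constructed sample data; a real inventory comes from the CMP's audit scan.
const COOKIE_PURPOSES = new Map([
  ['session_id', 'necessary'],
  ['_ga', 'statistics'],
  ['chat_widget', 'preferences'],
  ['ad_click', 'marketing'],
]);

// Parse the consent state stored by the banner. The cookie name and JSON
// format are assumptions for this example; each CMP defines its own.
function parseConsent(cookieHeader) {
  const denied = { necessary: true, preferences: false, statistics: false, marketing: false };
  const match = /(?:^|;\s*)consent_state=([^;]*)/.exec(cookieHeader || '');
  if (!match) return denied; // no consent record yet: deny by default
  try {
    const stored = JSON.parse(decodeURIComponent(match[1]));
    const state = { ...denied };
    for (const purpose of Object.keys(denied)) {
      // Only an explicit boolean true counts as consent.
      if (purpose !== 'necessary') state[purpose] = stored[purpose] === true;
    }
    return state;
  } catch (err) {
    return denied; // malformed or tampered value: deny by default
  }
}

// Server side: drop Set-Cookie headers whose purpose has no consent.
// Cookies missing from the inventory are blocked and reported for audit.
function filterSetCookie(setCookieHeaders, consent) {
  const allowed = [];
  const blocked = [];
  for (const header of setCookieHeaders) {
    const name = header.split('=')[0].trim();
    const purpose = COOKIE_PURPOSES.get(name);
    if (purpose && consent[purpose] === true) allowed.push(header);
    else blocked.push({ name, reason: purpose ? `no ${purpose} consent` : 'not in inventory' });
  }
  return { allowed, blocked };
}

// Constructed request cookie and response headers.
const sampleConsent = parseConsent('theme=dark; consent_state=' + encodeURIComponent('{"statistics":true}'));
const sampleResult = filterSetCookie(
  ['session_id=abc; HttpOnly', '_ga=GA1.2.3; Path=/', 'ad_click=xyz', 'mystery=1'], sampleConsent);
console.log(sampleResult);
```

The `blocked` list doubles as an audit signal: a cookie reported as ‘not in inventory’ is one that was added to the site without being classified.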

 

Policies and localisation

In some jurisdictions, to be fully compliant, you need to provide an excruciating amount of detail about which cookies you’re using.

You won’t want to handle this process or even employ someone to oversee it. The technical complexity involved makes it an almost impossible task. It’s also dull and extremely unrewarding. A CMP should handle this process for you automatically.

During your evaluation of potential CMPs, consider the following factors.

  • Do you need your cookie policy to be written in multiple languages?
  • Do you need different policies for different locales? For example, if you’re doing business in various parts of the world and want to apply different approaches to compliance.
  • Are your legal team happy?

 

Auditing

The auditing capability of your chosen consent management platform is essential. When you are initially implementing a CMP, a good audit tool will help you identify compliance issues. It will help you map out strategies for overcoming these problems.

Inevitably, however careful you are, something will slip through. Mistakes are a natural part of implementation – the process is complicated!

Even if you do catch all issues during implementation, things will change. Let’s say in the future that a user adds a piece of content that embeds a third-party media player. A small change such as this can be easy to miss and result in non-compliance.

You need a strong auditing capability to overcome these problems and a process for using the auditing tool. Make sure you test these capabilities before buying the CMP.

 

Admin, pricing, contracts…

As with any piece of technology that you invest in, the commercial side of things matters. It’s important to consider the following when choosing a tool:

  • Is the price acceptable?
  • Does the pricing model work for you (you may be charged for subdomains/pages/visits/etc)?
  • Do you need “enterprise”-type features (e.g. multiple user roles, review/approve, audit trails…)?
  • Is customer support available in your language and time zone?
  • Are the contractual terms acceptable? No CMP vendor will take liability for you being taken to court by the ICO!

There are also some additional considerations, such as user-level audit logging. Can you prove that individual users have consented? You should also consider cross-domain consent if you’re managing multiple websites.

Remember, when you make these choices, you will likely be stuck with a CMP for some time!

 

Key takeaways

Let’s quickly recap some of the key aspects of this article.

  • The CMP’s audit capabilities are ESSENTIAL (and differ greatly between CMPs).
  • Each CMS will have different issues, and you probably have more CMSes than you realise (landing pages/marketing automation/shopping carts/etc)!
  • Expect to spend some time chasing down the last few non-compliant components.
  • Some surprising things cause problems (e.g. big-name media players).
  • You cannot rely on script blockers, but a selective one is great.
  • Tag Management integration and Consent Mode are worth the effort.
  • GTM preview mode will be very helpful for implementation complexity.

 

Need help with compliance?

Navigating the minefield of GDPR compliance can be tricky – it’s understandable if you need extra help. MeasureMinds offers GDPR compliance services to ensure your site is GDPR & cookie-compliant. From auditing Google Analytics and Tag Manager to setting up compliant tracking, we’ll assist you at every step of the journey.

Why not get in touch today and get a quote?

 

About John Woods

Dr John Woods is a founder of specialist B2B digital agency SharpAhead. He’s a numbers guy: trained as an astrophysicist and worked in bio-informatics… before founding one of the UK’s FIRST web analytics start-ups called iJento.

He’s a regular speaker at MeasureCamp and MarketingSummit and loves helping clients improve their Paid search using Data.
