7 features of a CMP that can ensure your regulatory compliance and a smoother user experience
20/03/2019
How can you comply with the GDPR without compromising the user experience? This challenge is precisely the job of a Consent Management Platform.
While CMPs are a relatively new phenomenon, they have already caused some buzz in the Martech industry and will go on doing so. The three letters represent a new generation of solutions for managing consent, aptly named Consent Management Platforms. These tools were developed in the wake of the GDPR (General Data Protection Regulation) to collect, record and manage consent given by users of a website or app. A key issue, since activating tags and using cookies are both directly linked to such consent being given.
Nevertheless, the CMP must not be confused with the ‘cookie notice’, still prevalent on many websites. This banner simply informs visitors that by continuing to browse the website, they accept the use of their personal data. It goes without saying that such a method is not compliant with the GDPR, which requires a clear explanation of the purpose for collecting data, and more importantly, consent to be explicitly given.
The purpose of a CMP is to ensure compliance with regulations without ruining the user experience. A delicate mix of ingredients that vary from business to business and user to user. That is why a CMP must allow for extensive customisation. But that is only one of its 7 features…
1) A CMP does not enforce its own interpretation of the law
There are several ways you can interpret the GDPR. How it is interpreted varies slightly from country to country, as does the tolerance towards various practices. There is also a good chance that the text’s interpretation will change over time as the market develops new tools and matures on the subject.
Here’s a concrete example: while simply scrolling down the page as a way of accepting the use of data is currently tolerated in France, it’s not certain that it will be for much longer. In fact, it wouldn’t be surprising to see the regulation take a stricter tone. It’s therefore not the job of the CMP to interpret the text, but rather that of those managing the websites and apps to decide on their interpretation and configure the tool accordingly. A CMP must be capable of adapting to a large range of scenarios.
2) A CMP works with all vendors (IAB or not)
The IAB framework has got tongues wagging, and rightly so. It has already united over 400 vendors from the Martech industry. By following its principles, they all agree to use tools to obtain the user’s choice concerning consent, as stipulated by IAB, to know whether or not they have the right to process the collected data.
Besides the fact that this framework is based on an objective understanding (as it’s designed for vendors) of the GDPR, it doesn’t cover all the solutions available. Not all the vendors are registered with IAB. In other words, a CMP that only works with the IAB framework is not able to communicate with non-IAB vendors.
3) A CMP truly disables unauthorised tags
In the IAB model, whether a user gives their consent or not, the tags are still loaded; it is then the vendor’s responsibility to process (or not) the data based on whether consent is given. This method raises a valid question: why not just disable tags by default as long as the user has not given their consent?
Such an approach appears both more logical and safer, but not all CMPs offer it. There are two ways to block tags before receiving consent:
- By manually adding a trigger in the tags’ code so that they only fire when the user accepts the processing of their data;
- By combining the CMP with a TMS (Tag Management System) so that the first tells the second to load tag containers when consent is given.
Commanders Act’s CMP, coupled with the Tag Commander TMS, works using the second model. No tag is activated without the user’s approval. Once consent is given, the tag container is automatically loaded in the background (without waiting for the next page to load).
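The second model described above (tags stay blocked by default and load in the background as soon as consent arrives) can be sketched as follows. This is an added example, not code from Commanders Act or Tag Commander; `ConsentGate`, the purpose names and the `tags.example` URLs are hypothetical, and the loader is a stub where a browser would append a script element.

```javascript
// Added example; ConsentGate and the purpose names are hypothetical.
class ConsentGate {
  constructor(loadTag) {
    this.loadTag = loadTag;     // injected loader; in a browser it would append a <script>
    this.granted = new Set();   // default deny: no purpose is consented at start
    this.pending = [];          // tags registered but not yet allowed to load
    this.loaded = [];           // names of tags that have fired, in order
  }

  // Register a tag with the purposes it needs; it loads only if all are granted.
  register(tag) {
    this.pending.push(tag);
    this.flush();
  }

  // Called by the consent UI with the user's current choice (replaces the old one).
  setConsent(purposes) {
    this.granted = new Set(purposes);
    this.flush();
  }

  // Load each pending tag once all its purposes are granted.
  // A tag that declares no purpose fails closed and never loads.
  flush() {
    const stillBlocked = [];
    for (const tag of this.pending) {
      if (tag.purposes.length > 0 && tag.purposes.every((p) => this.granted.has(p))) {
        this.loadTag(tag);
        this.loaded.push(tag.name);
      } else {
        stillBlocked.push(tag);
      }
    }
    this.pending = stillBlocked;
  }
}

// Constructed demo: the stub loader records URLs instead of touching the DOM.
function demo() {
  const requested = [];
  const gate = new ConsentGate((tag) => requested.push(tag.src));
  gate.register({ name: "analytics", purposes: ["measurement"], src: "https://tags.example/analytics.js" });
  gate.register({ name: "retargeting", purposes: ["advertising", "measurement"], src: "https://tags.example/ads.js" });
  const beforeConsent = [...requested];   // nothing has been requested yet
  gate.setConsent(["measurement"]);       // partial consent: only analytics qualifies
  const afterPartial = [...requested];
  gate.setConsent([]);                    // withdrawal: later tags stay blocked
  gate.register({ name: "heatmap", purposes: ["measurement"], src: "https://tags.example/heatmap.js" });
  return { beforeConsent, afterPartial, afterWithdrawal: [...requested], blocked: gate.pending.map((t) => t.name) };
}
console.log(demo());
```

Withdrawing consent here only stops further tags from loading; a script that has already executed has to be handled separately, for example by a page reload.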
4) A CMP allows for customisation
Why must your website’s consent pop-in be the same as your competitor’s? Why does the privacy center, the page where all the cookies you use are listed, not match your visual identity?
When you consider that it is actually the first element that a new visitor will probably come across, it’s important that the consent pop-in (on a site) or screen (on an app) resembles you. From the language to the visuals, the CMP must give you the possibility to customise the consent interface with your own branding.
5) A CMP covers websites and apps, and tailors the UX to the device
Consent management applies not only to the internet, but also to mobile apps. This adds some complexity, especially for the user experience, since you cannot display the same consent interfaces for a website viewed on a desktop computer, on a mobile or via an app. While it is recommended to not hide the content behind a pop-in on a website, it is much more acceptable on a mobile screen. No question that the CMP must be able to tailor the UX to the device.
6) A CMP closely measures performance
Customising the consent pop-in with the brand’s identity, testing different sizes of consent screen, measuring the impact of different language… All these best practices must be implemented provided that you can measure their success.
The aim is to conduct A/B Testing of the different formulas and measure the impact on consent rates and even the user journey. Even though the CMP is primarily marketed as a tool for regulation compliance, it is also a Martech solution, and, consequently, its performance must be measured.
7) A CMP archives consent
One of the key principles of the GDPR is accountability. Put simply, the GDPR requires companies to not only collect personal data lawfully and honestly, but also prove they did so further down the line.
That is why it is essential to accurately archive the consent choice (was consent given for a specific purpose? Or for all purposes?) and the subsequent action taken. In the event of an inspection, this archive will act as proof that personal data was handled in accordance with the GDPR’s principles. Commanders Act’s CMP performs such archiving, a key feature for many clients.