Ever since the GDPR went into effect on 25 May 2018, organizations have had a clear legal framework for how they manage user data and the permissions surrounding it. A key piece of the GDPR is Consent Management: the process by which a website obtains a user's consent before collecting their personal data, for example through cookies, during their visit.
You have probably noticed it every time you open a website: a conspicuous bar at the top or bottom of the page tells you that the site sets "essential cookies" and offers you the option to "manage your preferences." Through this, websites comply with the relevant data privacy laws by giving the user control over which of the data collected during the visit they agree to.
Without a consent management system, a website that relies on consent to e-mail its contacts cannot demonstrate that consent when challenged and is in breach of the GDPR. Note, however, that simply having a consent management system on your website does not by itself entitle you to collect and use consumer data; there are responsibilities and requirements beyond collecting consent that must be taken into account, such as recording what the user was shown and honouring withdrawal.
Consent Management is not restricted to websites needing to comply with GDPR; as of 2020, 66% of countries around the world have enacted data privacy laws. The CCPA has also clearly outlined how organizations must include consent management within their websites. Here are some of the highlights:
- Notice or Declaration: Companies must provide notice or declare what personal data will be collected on their customers and how said data will be used.
- Choice to Opt-Out: If an organization sells personal information, it must give users the choice to opt out of that sale on every webpage that collects personal information, via a clearly visible link or button titled "Do Not Sell My Personal Information" or "Do Not Sell My Info".
- Deleting Identifiable Personal Information: Under the CCPA regulations, companies and organizations must provide a two-step process for completing an online request to delete a consumer's data, so that a request is confirmed before it is acted on.
It is interesting to note that deletion can be achieved either by completely deleting the personal information from the organization's existing systems or by removing the personal identifiers from the data so that it can no longer be linked to any individual.
Both the GDPR and the CCPA define specific conditions under which personal data may be processed without consent, or that place the data outside the law's scope altogether. The first group below are the GDPR's alternative lawful bases; the remainder are CCPA exemptions:
- Contractual requirement (GDPR): When an organization sells goods or services, processing that is necessary to perform the contract, such as taking a delivery address to fulfil an order, does not require consent from the data subject.
- Legal obligation (GDPR): Certain processing, such as handling criminal records where the law requires it, does not need consent because it is carried out to meet a legal obligation.
- Vital interest (GDPR): If the processing is necessary to protect someone's life, consent is not required. This is a narrow basis, for example emergency treatment of a patient who is unable to consent; it does not exempt the healthcare or insurance sectors as a whole.
- Public task (GDPR): Public bodies performing their official functions, or tasks carried out in the public interest, do not need consent for that processing. This can include schools, hospitals, and the police.
- Legitimate interest (GDPR): Although this is very much a matter of legal interpretation, an organization with a genuine need to process personal data, such as an online liquor store checking that a customer is old enough to buy alcohol, may do so without consent, provided that interest is not overridden by the individual's rights.
- Data collected wholly outside of California (CCPA): Personal information collected entirely outside the jurisdiction of the state of California is exempt from the CCPA. This does not, however, exempt it from any other state or federal laws that may apply to the data collected.
- Employee information (CCPA): Certain personal information that falls within the scope of employment is exempt from the CCPA. This includes data collected from job applicants, hired staff, independent contractors, and employees (including officers and directors). Note that this exemption was temporary and expired on 1 January 2023 under the CPRA amendments.
- Business-to-Business Relationships (CCPA): Contact information collected as part of a business-to-business (B2B) relationship may also be exempt. To qualify, the information must relate to communications or transactions conducted in the course of providing or receiving a product or service between the two businesses. Like the employee exemption, this was temporary and expired on 1 January 2023.
- Warranty and Recall Information (CCPA): Specific to new car dealers and buyers, this exemption allows vehicle ownership information to be kept and shared between dealers and manufacturers for warranty and recall purposes without offering an opt-out.
Having a good consent management system will allow your organization to scale without compromising the security and privacy of your consumers. When building new platforms as part of a new service or a digital transformation, establishing trust with your consumers is paramount, and this is achieved by being transparent with them about what data is collected and how it is used.
Failure to comply with the GDPR's consent requirements can lead to costly fines and litigation if detected. Damage to brand image and public trust is also an immediate consequence, one that is far more difficult to repair and a serious threat to the organization's business as a whole.
A neat by-product of consent management is the centralization of user consent records and the associated data. This information, which is useful to multiple teams from engineering and product to marketing and support, can then be organized and analyzed in a single location, which drives better insights and makes it straightforward to prove what a user agreed to and when.
Whether you are a small business that is just starting out or a multinational brand, consent management is going to be an important part of your organization's ability to grow sustainably while building trust within your consumer base.
There are two broad ways to implement it, depending on your use case. Some companies need only basic consent management pieces, which developers can write fairly easily; others that use consumer data for analytics and personalization of services may find it more suitable to use a Consent Management Platform from a third-party vendor.
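To make the "basic pieces a developer can write" concrete, here is an added example of a purpose-scoped consent record for a web front end. It is not code from the original article or from any vendor's platform. The purpose names, the one-year re-consent window, the policy version string and the cookie attributes are illustrative assumptions. The point it demonstrates is that a usable consent record is more than a boolean: it is tied to the version of the notice the user saw, it expires, it can be withdrawn, and non-essential cookies are only set after the gate passes.

```javascript
// Added example: minimal purpose-scoped consent store for a website front end.
// Assumptions (not from the original article): purpose names, the one-year
// re-consent window, the policy version format and the cookie attributes.

const ESSENTIAL = "essential";                          // strictly necessary: never consent-based
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;       // assumed re-consent window (one year)

class ConsentStore {
  constructor(policyVersion, now = () => Date.now()) {
    this.policyVersion = policyVersion; // version of the notice the user was shown
    this.now = now;                     // injectable clock so expiry can be tested
    this.records = {};                  // purpose -> { granted, at, version }
  }

  // Record an explicit choice for one purpose. Only granted === true is an
  // opt-in; silence or a pre-ticked box is never recorded as consent.
  record(purpose, granted) {
    if (purpose === ESSENTIAL) return;  // essential cookies do not rely on consent
    this.records[purpose] = { granted: granted === true, at: this.now(), version: this.policyVersion };
  }

  // Withdrawal is stored as an explicit "no", so the record shows when it happened.
  withdraw(purpose) { this.record(purpose, false); }

  // The gate: essential is always allowed; anything else needs an opt-in that
  // was taken against the current notice and is not older than the TTL.
  isAllowed(purpose) {
    if (purpose === ESSENTIAL) return true;
    const r = this.records[purpose];
    if (!r || r.granted !== true) return false;
    if (r.version !== this.policyVersion) return false;
    return this.now() - r.at <= CONSENT_TTL_MS;
  }

  // Serialise for a first-party cookie or localStorage; this string is the
  // evidence of what was consented to, when, and under which notice version.
  serialize() { return JSON.stringify({ v: this.policyVersion, r: this.records }); }

  // Reload a stored record. Records taken under a different notice version are
  // discarded, so a material change to the notice forces re-consent.
  static load(policyVersion, json, now) {
    const store = new ConsentStore(policyVersion, now);
    try {
      const parsed = JSON.parse(json);
      if (parsed && parsed.v === policyVersion && parsed.r && typeof parsed.r === "object") {
        store.records = parsed.r;
      }
    } catch (_) {
      // malformed or tampered cookie: treat as no consent at all
    }
    return store;
  }
}

// What a tag loader calls before setting a non-essential cookie or loading a
// third-party script. `setCookie` stands in for writing document.cookie.
function setCookieIfAllowed(store, purpose, name, value, setCookie) {
  if (!store.isAllowed(purpose)) return false;
  setCookie(`${name}=${encodeURIComponent(value)}; Secure; SameSite=Lax; Path=/`);
  return true;
}
```

In use, the banner's "accept"/"reject" handlers call `record`, the preferences page calls `withdraw`, and every place that would drop an analytics or marketing cookie goes through `setCookieIfAllowed`. Bumping `policyVersion` when the notice changes is what makes old records stop counting, which is the behaviour a regulator will ask you to demonstrate.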