A Guide to Continuously Monitoring Your Consent Management

ObservePoint’s Sr. Director of Product Strategy, Cameron Cowan, and OneTrust’s Director of Strategy, Alex Cash, recently hosted an IAPP web conference called “Beyond Setup: Key Steps to Continuous Compliance in Consent Management.” 

We’ve taken highlights of that conversation below to give you a framework for organizing consent management validation: how often you should audit, what to look for, and how to remediate issues. 

We’ll start with some background on the laws we’re trying to comply with and the reasons why you should monitor your CMPs, before getting into the 5 vectors of ongoing consent management validation.

GDPR vs U.S.

A lot of the U.S. privacy laws take cues from Europe’s GDPR. But before GDPR, in 2002, the ePrivacy Directive was passed in Europe, and in Article 5 it prohibits:

“...listening, tapping, storage or other kinds of interception…without the consent of the users concerned…This paragraph shall not prevent technical storage which is necessary for the conveyance of communication…”

What this law means in practice is that businesses in Europe have been required to capture consent from users for storing or reading data to and from a device of any type that’s not technically necessary for the website to function, the email to send, or the app to open. The law did not say anything about cookies at the time. 

Then GDPR went into effect in 2018 with very specific definitions of consent: 

Article 4: Definition of the term consent

Consent must be:

• Freely given
• Specific (for a particular business reason, this is why CMPs have categories)
• Informed
• Unambiguous 
• Given through a clear affirmative action (this is why the default is “opted-out” in Europe)

Article 7: Conditions of consent (user experience)

Controllers must be able to demonstrate that they have obtained valid consent for the processing of this data to be legal and compliant:

• Clearly distinguishable from other matters (can’t be baked into Terms of Use agreement)
• Intelligible and easily accessible form (that’s why there are hovering buttons in footers)
• Clear and plain language
• Right to withdraw consent
• Performance of a contract cannot be conditional on consent, if processing is not necessary for the contract

In Europe, the law focuses on the technical storage mechanism (reading and writing to the device), while the U.S. approaches it more from a business activity and process angle. 

Does it Make Sense to Abide by the Strictest Law?

Figuring out website privacy for multiple regions is complicated and difficult to do. The question that often comes up for multinational companies is: should we choose the highest common denominator and abide by the strictest law we encounter? 

For simple websites, it might be the best return on investment to use the highest common denominator approach. For example, it would be the cheapest to implement and simplest to design a California-specific set of consent preferences if you’re a U.S.-only company. 

For organizations that have other complicated privacy concerns like HIPAA for those in the medical verticals or sensitive personal information for financial institutions, leaning towards even stricter policies by region might make more sense.

For other companies, such as an advertising publisher that relies on ad revenue or a major consumer goods brand, a 2% change in opt-outs could cost millions of dollars in revenue. So, it depends on what your company wants to prioritize. 

Why Monitor Consent Management Platforms

Since the initial rush to implement Consent Management Platforms in 2018, CMP adoption has continued to increase.

A quick scan of ObservePoint customers showed that: 

• 42.3% of customers have OneTrust, up from 34.6% six months ago
• 61.9% of customers have any CMP, up from 50.5% six months ago

But, laws continue to increase, technology has changed, and the digital landscape continues to experience seismic shifts such as the ongoing deprecation of 3rd-party cookies, which all exacerbate privacy compliance. So even if in-house privacy professionals had the funding to create the kind of robust privacy program they wanted when they first set it up, they would still need to be constantly updating things.

Aside from outside legal and technical issues, the most direct reason to monitor CMPs is because websites change all the time. Websites are living, breathing ecosystems that can change monthly, daily, or even hourly. 

When organizations think of ALL the things on their website, the CMP often gets deprioritized because it’s not the most expensive technology they’re employing. But this is a trap because a CMP is integrated with every other product and technology on your website. 

Ongoing auditing and maintenance are essential. 

Alex Cash said you can’t just deploy a CMP and then hope that it’s fine; it needs to be part of a program that has:

• Joint ownership, usually between the privacy team and the marketing/digital team
• Periodic re-auditing, which can be event-driven (pushing a new version of the site live) or time-based (every week/month/quarter)
• Auditing in pre-production/staging

And Cameron Cowan expanded with the following.

5 Vectors of Ongoing Consent Management Validation

• Cadence - The question you should ask: How long would I be ok being in the dark about a major breach in privacy, a gap in measurement, or dysfunction in a customer journey? ObservePoint tends to recommend scanning your homepage, your checkout flow, and other most important pages at a high frequency, like every day. You can scan other pages less frequently, like weekly, every month, or once a quarter.
• Geos -  All the geographic locations your organization does business in create different consent groups. Make sure to test from those different geos, to see if your website reacts accordingly. 
• Consent States - Test states like opt-out of all, opt-in to everything, but also all the different partial consent permutations: yes to functionality and performance but no to advertising. Check for GPC and other browser-based signals as well.
• Not Just Cookies - As alluded to before, cookies are not the only things that collect and send data. You should audit tags, local and session storage, and anything that could legally be considered a “tracker.”
• Not Just on Page Load - Are you auditing on-page actions that might fire JavaScript or drop a cookie like clicking on a button, playing a video, or filling out a form?

The scale of testing required for these different permutations is why ObservePoint developed automated auditing that can scale. OneTrust’s audits tend to be more about finding everything possible, focusing on breadth, while ObservePoint also has depth through such things as journey-building for very specific conversion paths or deep contextual information in origin stories for cookies.

How to Investigate 

What should you do when you find an error with your CMP or an unapproved cookie or tag? First answer these questions:

1. How did this load on my website? Was it my team? Was it loading from a 3rd-party or did it piggyback off of something else? Look at the initiator chain and your tag management system. This will help determine if you have to talk to someone internally or a vendor.
2. What actually is this technology? Is it a well-known application like Google or something more obscure? This will help you find out what the purpose of the technology is. You can look at OneTrust’s database of cookies and tags called Cookiepedia or ObservePoint’s library.
3. Once you know where it’s coming from and what it’s doing, you can put it in the right consent category (this could be different by region: an advertising cookie in Europe or part of “do not share” in California), update your website or your standards by blocking it or approving it, and working with the web or dev team to get it into any TMS if you’re integrating it.

Google’s Consent Mode V2

And finally, we wanted to touch on a recent development affecting CMPs that’s been in the news. Google worked with a number of CMP vendors to launch a partner program. Consent Mode V2 provides a framework designed to support the integration of CMP signals into Google products like Tag Manager, Analytics, and Floodlight. It allows CMPs to capture consent and then map those signals into the context of Google.

Google has had a European Union consent policy in place for a long time. V2 makes it easy for companies doing business in the European economic area and the UK to deploy a CMP that integrates with these Google products.

In practice, companies need to be on a certain version of the OneTrust CMP and make some config changes. If you’re already deployed, then it’s a super easy process: Read a doc, toggle a check box, and click publish.

This affects any company that works with Google technology on their website in Europe, so a vast majority.

We hope you found this post informative and practical. If you need help auditing your CMP, try out a free privacy sample audit. If you’re already a customer, please reach out to your customer success manager.