Consent is at the heart of modern privacy compliance. In this article, we look at how to build robust consent frameworks for laws like GDPR and CCPA.
Consent and an effective consent management platform (CMP) are foundational to modern privacy compliance. For a growing number of privacy regulations worldwide, explicit consent from a user is needed to process their personal data.
Consent might look like a simple yes/no question, but there are important nuances. For instance, if you process personal data for marketing and customer service – you might need distinct consent questions for each of those use cases. You also must inform users of what these use cases actually mean for their data, in plain terms. Further, you need to implement users’ consent choices so that your data flows actually reflect and respect users’ preferences.
Checking off all the legal and technical details of consent management might seem overwhelming, but fear not: a solid understanding of consent management platforms will give your team the know-how to implement the best solution for your compliance ops.
A consent management platform is a toolkit with two overarching objectives: properly requesting users’ consent and meaningfully enforcing users’ preferences throughout data systems. An effective consent management platform is central to regulatory compliance and to building respect for users’ data.
Consent is a common thread throughout the world’s most prominent data privacy regulations. Article 6 of the European Union’s General Data Protection Regulation (GDPR) and Article 7 of Brazil’s LGPD make clear that, outside of circumstances like contractual or legal necessity, data processing requires user consent. In the US, regulations like California’s CCPA and Virginia’s CDPA also codify consent in personal data processing. Different regulations approach user consent from unique frameworks, as we explore below, but the upshot is this: thorough and transparent consent underpins 21st-century data privacy.
As new privacy regulations pop up across the globe, data processing activities are bound to evolve with emerging technologies. However, a consent management platform that integrates with your tech stack to enforce user consent is crucial for compliance today and tomorrow. Let’s explore what consent means in regulations and then see how consent management platforms can satisfy your team’s compliance needs.
Consent is one of the most extensively documented aspects of privacy law, and for good reason: consent is key to basic privacy and respect for users’ data. In this section, we will address fundamental questions and concepts in consent.
Legal definitions of consent vary by law and jurisdiction. However, in the context of data privacy and data rights, similarities emerge across legal frameworks. Consent is an unambiguous affirmation from a user, given freely. That is, a user is not coerced or intimidated into saying “yes” to a data processing activity. And the user who had previously consented should be allowed to withdraw consent at a later time without penalty.
A core component of consent is that it is informed consent.
When presented with a request for consent, the user must understand what the request itself means. For teams to meet users where they are at and to keep information accessible, plain-language explanations are crucial. Otherwise, a user might unknowingly consent to something they are opposed to, posing legal issues for your team.
Additionally, consent in data processing should be specific. With the rapid pace of technology, data systems are becoming more complex. As your tech stack expands, your company might intend to use users’ personal data for multiple processes like behavioral marketing and data sales. If you request consent from a user to simply “use their data,” the request does not provide the needed level of detail. Instead, list out each of the specific cases in which you intend to use the user’s data. This specificity goes hand-in-hand with informed consent.
To process personal data, consent is often, but not always, required. For example, GDPR establishes six legal reasons for personal data processing. To paraphrase that regulation’s six reasons, personal data processing requires one of the following:
User consent is just one piece of the data processing puzzle. But it is a big piece. The other five legal bases for data processing apply to specific, strict circumstances. Consent collection from data subjects is a far-reaching legal basis that many teams will be virtually unable to avoid if they intend to process users’ personal data.
GDPR has been a model for many other privacy regulations. For instance, Brazil’s LGPD follows a similar approach to legal bases for data processing, including consent as one such basis. While each regulation has its own nuances, GDPR compliance gets teams close to most modern consumer data privacy requirements.
Looking to US regulations, state-level measures like California’s CCPA and Virginia’s CDPA embed consent into the sale of personal data. For instance, a business might want to sell users’ site data to an advertiser to present more relevant ads to the user. Before a business can do this, it must disclose these plans to both Californians and Virginians with the option for them to withhold their consent. Virginia’s CDPA further builds on this right to withhold consent to activities like targeted advertising and user profiling.
GDPR differs from the CCPA and CDPA in that it follows an opt-in approach to user consent. That is, a business only satisfies consent requirements when the user opts into the processing. In contrast, the CCPA and CDPA generally follow an opt-out approach: unless the user explicitly withholds their consent, data processing can proceed. Both frameworks require that users receive clear explanations of businesses’ intended data processing. However, opt-in sets privacy as a default, with businesses needing users to actively consent to processing.
Opt-out is not the universal approach in the CCPA and CDPA. The regulations’ consent requirements are opt-in when it comes to the processing of children’s personal information.
Web cookies are just one form of gathering users’ personal data. Cookies can constitute personal data subject to GDPR and potential future regulations. However, as we explain in the context of the CCPA, a cookie consent banner is far from sufficient in covering your bases. In a nutshell, cookies offer only a very limited window into the ways in which personal data can be gathered. Cookie consent banners fail to capture the data processing that happens in backend business systems.
of the largest GDPR fines between January 2020 and January 2021 involved some violation of proper consent collection. (Source: Tessian)
of consumers in 2020 reported that trust in companies matters more than it did in 2019. (Source: Salesforce)
of consumers view “control over what data is being shared” as a key factor in deciding whether to share personal information with a business. (Source: EY Canada)
Data privacy is about more than just avoiding legal fines for non-compliance. However, the latest trends in privacy law enforcement point to how seriously regulators take proper consent management. Failing to be GDPR compliant in consent management was a component of 6 of the 14 largest GDPR fines issued between January 2020 and January 2021. GDPR authorities categorize regulatory violations into two categories: less severe and more severe. Consent violations fall into the more severe category, and they come with a steeper fine. A business found in violation of conditions for consent could face a fine of up to €20 million or 4% of global annual revenue, whichever is the larger amount.
Those figures for consent violations can be daunting. Their magnitude shows that consent is central to compliant privacy ops. But there’s a positive flip-side to this topic of consent violations: consent compliance is a key opportunity to show users that you respect their data. Consider consent management a chance to build trust with your users, an increasingly precious asset across industries.
A consent management platform can empower users to understand and exercise their data rights, and it can make your brand stand out as a champion for users’ privacy.
Understanding user consent throughout your company’s data flows is essential to any privacy compliance ops. The best consent management platforms will translate these legal requirements into your tech stack. When done successfully, users have a seamless experience in exercising their consent rights, and you rest assured that your data systems indeed follow users’ specific preferences.
Companies’ tech stacks engage more tools and apps than ever before, and that trend has numerous upsides. For instance, a new SMS marketing tool might provide the needed analytics insight to increase your conversion rate. However, this expanded set of tools also increases the complexity of your data flows. There are more places in which users’ personal data resides, and your team faces a growing burden to ensure that users’ personal data only flows to systems in accordance with users’ data rights and the relevant regulations.
In turn, enforcing users’ consent choices throughout an expanding tech stack can become a Herculean task. Besides becoming more technically complex, the rising tide of data privacy regulations raises the compliance stakes for your team. And consent management is not a one-time event; it is a continuous process of monitoring and updating. Under regulations like the CCPA, a user can change their consent preferences after their initial encounter with your company. When a consent update arrives from a user, your team must revisit the data flow to adjust where that particular user’s data is permitted to travel.
The right consent management tool will fit neatly into your tech stack and streamline any downstream consent updates submitted by users. Given basic information about your company’s use cases, the platform should take each user’s specific consent choices and restrict the data flows accordingly.
Any modern privacy solution depends on clear communication. To distill complex legal and technical requirements into plain terms, teams must prioritize clarity in designing the consent process for users. While simplicity and clarity might seem at odds with the importance of being specific in listing all of your intended use cases for users’ data, you can strike the needed balance. A consent management platform should clearly display the use cases with the option for users to further read the details of each activity. And of course, a consent management platform needs a straightforward tool for toggling consent preferences.
As a part of your company’s website, the consent management panel should be user friendly and reflect your company’s brand. Watch for the design customization options with a consent management platform. The top performers will give your team the bandwidth to tailor the look of the consent management panel. That way, users get clear signals that they are still interacting with your brand. Just like any other aspect of the customer success process, consent management is an opportunity to build users’ trust.
Ethyca’s consent management platform does the heavy lifting for you and your users. In mapping users’ consent preferences to specific data categories and use cases, a user’s consent choice on your website automatically governs downstream data flows involving that user’s data.
With support from Ethyca’s privacy pros, your company sets up the consent mechanisms in a custom Privacy Center. The Privacy Center offers a dashboard for users to toggle their consent choices and perform data subject requests. You customize the user interface according to your company’s specific data use cases. For each data use case, you plug in basic legal information:
From there, you can assign consent flags to each use case. Consent flags tell your underlying data systems how personal data is sent or withheld from any third parties, according to users’ consent preferences.
For a visual depiction of how consent choices with Ethyca propagate throughout your data systems, check out this infographic below. Your users indicate their consent choices in the Privacy Center. Those choices tell your core applications and services whether those users’ data is shared with third-party ad platforms.
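The following is an added illustration of the enforcement layer described above: an opt-in default for GDPR-style regimes, an opt-out default for CCPA/CDPA-style regimes with the children’s-data exception, a later withdrawal overriding an earlier grant, and a routing check that decides which downstream destinations may receive a user’s data. It is example code written for this article, not Ethyca’s platform or Privacy Center code; the purpose names, regime labels, destination names and the `ConsentStore` API are all assumptions made for the example.

```python
"""Added example: a minimal consent-enforcement layer (not Ethyca's code).

Models the behaviour described in the article: per-purpose consent flags,
regime-specific defaults (opt-in vs opt-out), the children's-data opt-in
exception, withdrawal of consent, and an audit trail of consent events.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical use cases; these names are assumptions for the example.
PURPOSES = {"marketing", "customer_service", "data_sale", "targeted_advertising"}

# Regime defaults modelled on the article: GDPR/LGPD require opt-in,
# CCPA/CDPA are opt-out for adults but opt-in for children's data.
OPT_IN_REGIMES = {"gdpr", "lgpd"}
OPT_OUT_REGIMES = {"ccpa", "cdpa"}

# Hypothetical downstream systems, each tagged with the purpose it serves.
DESTINATIONS = {
    "ad_platform": "targeted_advertising",
    "crm": "customer_service",
    "email_vendor": "marketing",
    "data_broker": "data_sale",
}


@dataclass
class ConsentEvent:
    """One consent decision, kept as an append-only record for reporting."""
    user_id: str
    purpose: str
    granted: bool
    source: str
    timestamp: datetime


@dataclass
class ConsentStore:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, user_id: str, purpose: str, granted: bool,
               source: str = "privacy_center") -> ConsentEvent:
        """Append a grant or withdrawal; the most recent event wins."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        event = ConsentEvent(user_id, purpose, granted, source,
                             datetime.now(timezone.utc))
        self.events.append(event)
        return event

    def latest(self, user_id: str, purpose: str) -> Optional[bool]:
        """Latest explicit decision for (user, purpose); None if never answered."""
        for event in reversed(self.events):
            if event.user_id == user_id and event.purpose == purpose:
                return event.granted
        return None

    def is_permitted(self, user_id: str, purpose: str, regime: str,
                     is_child: bool = False) -> bool:
        """Consent flag for a purpose, applying the regime default when the
        user has made no explicit choice. Unknown regimes fail closed."""
        decision = self.latest(user_id, purpose)
        if decision is not None:
            return decision
        if is_child or regime in OPT_IN_REGIMES:
            return False  # silence is not consent
        if regime in OPT_OUT_REGIMES:
            return True   # processing may proceed until the user opts out
        return False

    def audit_report(self, user_id: str) -> List[Dict[str, str]]:
        """Exportable record of every consent event for one user."""
        return [
            {"purpose": e.purpose, "granted": str(e.granted),
             "source": e.source, "timestamp": e.timestamp.isoformat()}
            for e in self.events if e.user_id == user_id
        ]


def route(store: ConsentStore, user_id: str, regime: str,
          is_child: bool = False) -> Dict[str, bool]:
    """Decide, per destination, whether this user's data may flow there."""
    return {dest: store.is_permitted(user_id, purpose, regime, is_child)
            for dest, purpose in DESTINATIONS.items()}


if __name__ == "__main__":
    store = ConsentStore()
    store.record("user-42", "marketing", True)      # constructed sample events
    store.record("user-42", "marketing", False)     # later withdrawal wins
    print(route(store, "user-42", "ccpa"))
    print(store.audit_report("user-42"))
```

The routing check is where a consent flag becomes enforcement: a destination whose purpose is not permitted simply never receives the record, and a withdrawal submitted later through the Privacy Center changes that answer on the next evaluation without any manual data-flow review.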
Ethyca empowers users and companies alike to make user consent accessible. With a focus on simplicity for end-users, Ethyca works with your company to build a branded Privacy Center that combines understandable consent requests with transparent explanations.
A longtime user wants to change their existing consent preferences? That’s no problem with Ethyca. The user can return to the Privacy Center at a URL of your choosing – like privacy.yourcompany.com – and adjust their preferences. From there, the new consent preferences automatically update throughout your organization.
Regulations like GDPR and the CCPA require that companies record consumer requests, including data subject requests as well as consent requests. Your team will be ready for audits and regulatory requirements with Ethyca’s consent reporting. These automatic reports update in real time and document the following information:
Exportable and comprehensive record-keeping of users’ consent activities sets your team up for compliance success, even with the strongest privacy laws.
To learn more about Ethyca’s consent management platform in action, drop us a line and see how you can implement best-in-class user consent management.