What Is Consent Management? The Ultimate Guide
By Carl Bleich
Oct 13, 2022
With non-compliance fines soaring and customers more concerned about their personal data than ever, consent management should be on top of the priority list for every company in today's market.
Whether it’s for your customer data platform or a similar tool, it is important to have a comprehensive consent management plan that is easy for your customers to understand and compliant with necessary laws and regulations.
Keep reading for everything you could possibly need to know about consent management and how it will affect your company.
What Is Consent Management?
Consent management is a system or process for allowing customers to determine what personal data they are willing to share with a business.
It has become so important worldwide because of the legal requirement for websites to obtain user consent for collecting data through cookies while browsing. Businesses all across the world are now responsible for collecting and managing customer consent and adhering to personal data processing standards.
Bloomreach breaks things down into three consent categories that make up consent management:
- general consent
- legitimate interest
These must be considered before putting any customer's personal data to use and embarking on marketing campaigns or email communication efforts.
Consent management truly is a process that guides compliance by informing users about data collection and usage practices. A good consent management process logs and tracks consent collection so that companies do not need to worry about being in compliance with worldwide laws and regulations. It enables brands to obtain explicit consent from their consumers, facilitates consent collection, and keeps all steps in line with data privacy laws.
What Is a Consent Management Platform?
Many businesses rely on a consent management platform, or a marketing platform that incorporates consent management capabilities, to organize and monitor their customers' personal data.
Consent management platforms are built to handle all aspects of compliance, helping brands automate the consent process, gain permission to track first-party data, and allow users to update their preferences easily. They enable you to glean insights from the moment a customer opts in, letting you track, monitor, and respond to the data subject’s requests and consent preferences.
What Is the Difference Between Consent and Preference Management?
While consent management and preference management might sound the same, there are distinct and important differences between the two. Both are critical parts of creating a privacy-first and customer-centric strategy, but it is important for businesses to understand the difference between the two concepts.
Marketers ask for customer consent in the consent management process to do things like collect, store, and process personal data. That personal data is then used for personalized marketing campaigns like retargeting and email campaigns.
Consent collection is also commonly known as “subscribing” or achieving "opt in" consent to receive communications from a company. If customers no longer want to hear from a company, they would change their “opt in” consent to an “opt out” and revoke consent for marketing communications.
Consent management governs this collection of customer wishes and ensures that companies are staying GDPR-compliant by not contacting customers who do not wish to be contacted any longer.
While it might sound similar, preference management actually refers to giving users the ability to make choices about the frequency of communication and topics, as well as which channels they’d like to receive communications on. Customers can also freely give zero-party data in the preference management process.
While preference management is important, consent management is the topic at hand and it is important to understand when you must collect consent from customers.
When Should You Use Consent Management?
According to GDPR, consent is one of six lawful bases to process customer data.
In most situations, the most optimal way for a business to process a customer's personal data is to obtain consent. However, should that not be an option, GDPR does allow five other ways for a business to process collected data. They are:
- Performance of contract. If your business is providing a good or a service to a customer, for processing of a customer’s data that you need for the performance of such a contract, the contract is the legal basis you rely on rather than consent. For example, if a customer orders a t-shirt from your e-commerce store, your business will need the customer’s address to deliver the t-shirt and complete the order process. The customer does not need to explicitly consent to the processing of delivery data as the contract in place covers it.
- Performance of public tasks. Authorities performing duties that are within their everyday job descriptions do not need to comply with these consent management standards when they carry out tasks in the public interest or exercise official authority. However, unless you work for the government, the police, a hospital, or a school, it is likely this basis does not apply to you.
- Legitimate interest. This basis involves some gray areas. Your company may process a customer's personal data without consent when there is a “genuine reason” to do so. What that specifically means is up for legal interpretation and has already been debated in court.
- Vital interest. If customer data processing is essential in the act of saving someone’s life, such data processing is legally mandated under GDPR. Again, this does not apply to your everyday e-commerce business.
- Legal obligation. This basis applies when processing a particular type of data is legally mandated. An example here would be criminal records.
Many of these bases do not apply to typical e-commerce stores. Any business that is not referenced amongst the above exceptions lands right back where we started this discussion: It must obtain consent to legally process customers’ data and achieve GDPR compliance.
Why Do We Need Consent Management?
The million-dollar question. Quite literally, for some companies.
Consent management can seem like a big hassle, and all that additional work goes away if there's no consent management platform in place and the consent management process is just ignored, right?
Ignore consent management at your own risk. GDPR fines have skyrocketed over the past year as customers have begun to care much more deeply about businesses having their personal data.
GDPR fines can reach £20 million or 4% of the annual global turnover of a company for certain infractions. Here are two examples of GDPR fines that could have been avoided if these businesses had a consent management platform or a better consent management plan in place:
- A £16.7 million fine was given to mobile telecommunications operator Wind Tre, for “unlawful direct marketing practices”. These practices included creating confusing interfaces that request consent from users, using personal data without the consent of the data subject, and willfully ignoring data protection laws.
- A £1.24 million fine was levied on German health insurance organization AOK Baden-Württemberg in June 2020. It was determined that the company sent marketing messages to 500 people without consent from data subjects because proper measures were not taken to protect personal data.
Companies won’t just feel the pain of these incidents financially. The “clean-up process” from a GDPR fine includes not only fixing the issue a company was fined for, but also earning back the trust of customers who learn about consent violations and now see the affected brand in a negative light.
That process is easy for some customers and difficult for others. Take the necessary steps of having a reliable consent management platform in place to avoid potentially large fines and the decreased customer loyalty that may come with those fines.
Consent Management and GDPR Compliance
Now that you know that it can be disastrous to not be in compliance, how specifically can your business stay GDPR compliant when it comes to consent?
Article seven of GDPR outlines all of the required conditions for consent and lays out exactly how companies are to stay compliant with data subject requests in this regard.
Here is a brief summary of article seven to save you some technical reading:
- When collecting and processing a customer’s personal data based on consent, your company must be able to prove that the customer has consented.
- If the customer’s data consent is given in a written declaration that also concerns other matters, data subject requests for consent must be presented in a manner that is easily distinguishable from the other matters.
- The customer has the right to withdraw consent at any time. This will have no effect on the lawfulness of processing prior to consent being withdrawn. The withdrawal of consent should be as easy as the consent collection for customers. If consent is given with one click, customers should be able to take it away with one click as well.
- When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
As the law changes, and new regulations pop up in different corners of the world, the consent process will change as well. That’s why it is so important to have a partner like Bloomreach on your team keeping you up to date on all things consent management.
Bloomreach Leads the Way With Consent Management Platforms
As one of the industry-leading marketing platforms, Bloomreach Engagement has top-of-the-line consent management features. We understand how important privacy is to both businesses and consumers, which is why our services are designed to provide your customers with magical experiences driven by the information they are happy to provide.
Bloomreach Engagement allows users to define their own consent categories for customers to subscribe to and set subscriptions based on legitimate interest. And it's all simple to manage in our all-in-one platform — Engagement's single customer view (SCV) not only provides a 360-degree understanding of a customer's preferences and interactions with your brand, but it also offers a lifetime overview of each customer's entire consent history, so users can see who gave or withdrew their consent when and where.
Plus, our platform makes it easy to manage consent, change consent statuses, and work with different categories. The customer-facing consent management page is customizable, so you can create and configure consent categories however is best for your brand.
Bloomreach works hard to stay up to date and ahead of the curve in data privacy regulations and consent management, which is why the company is a leader in security in the SaaS space.
Need proof? Bloomreach holds top security certifications to help keep our customers as protected as possible.