
What is Consent Management?

Asking your users what data you can collect and what you can do with it isn’t just a regulatory chore. The most accurate data you can obtain — data that can be used to inform your marketing and product decisions — is provided by your users themselves. You must establish trust with them if you want them to willingly provide this information.

Gaining your users’ explicit consent is the first step in establishing this trust. Consent management is the process and tools used to communicate to users what information you require from them and what will be done with it. Careful consent management means communicating the benefits they receive by sharing their data and the measures you will take to ensure their private information is used responsibly and within regulatory limits.

What is “user consent” and why is it required?

A user's consent in the context of data collection and processing is their explicit permission for you to collect, store, process, and potentially further share their data. The user must be made aware of how the data is collected, and what will be done with it. Depending on regulation, you may also be required to notify them about the length of time the data is to be retained.

There are two primary reasons for wanting to gain user consent: to gain their confidence and to remain compliant with regulations.

User confidence and trust is a must for any sustainable brand. Perceived misuse of user data can break this trust, so it is important that users are fully informed about what will be done with the data they provide.

Data used for marketing purposes benefits the user, providing them with bespoke online experiences and targeted offers. Similarly, data collected for product improvement ensures that they are receiving the best service possible. Disclosing why the data is collected and detailing how it benefits the user will encourage consent to its use.

User privacy and data governance are becoming increasingly regulated. GDPR, CPRA, LGPD, and other region-specific privacy regulations affect exactly how you must obtain user consent and how the data can be used.

Your responsibilities for your user data under these regulations will depend on whether you are acting as the data controller or the data processor. If you are the data controller — the party that has collected and is responsible for how the data is handled — you must define clear policies and measures on how, when, and where the data can be used.  If you are a data processor — the party that processes data on behalf of a controller — you must ensure that the policies and measures defined by the controller are met according to regulation.

Data privacy regulations are not consistent with each other, so it can become difficult to ensure compliance if you are providing services to users in different jurisdictions. Choosing tools with built-in compliance measures will go a long way in helping you remain compliant with privacy laws, no matter where your users are located.

What is consent management?

Consent management is the process of gaining users’ consent and allowing them to manage the data they’re sharing and the purpose of sharing it. Consent management includes both the policies you adopt for managing user consent and the technical implementation that allows the user to make decisions about how their data is collected or used.

Implicit consent

Implicit consent is gained on the assumption that the user consents to their data being used in a particular way. For example, if a user signs up for an ad-supported social media service, it could be assumed that they are happy for the data they provide to be used to show them targeted ads hosted on that platform. Historically, many online services felt this (usually in combination with a difficult-to-understand privacy policy) was enough for them to use their users' data in any way they saw fit.

It is generally advisable to not rely on implicit consent, as the user may not be clear on what exactly it is they are consenting to, or that they are giving consent at all.

Explicit consent

Explicit consent is when you tell the user exactly what data you're collecting, where it's being stored, how long it is being stored for, and what you plan to do with it — all in language they will understand. The user is fully informed, and must take an affirmative action (checking a box, clicking a button) to confirm that they have read and understand what will be done with the data they share. This consent is then recorded.

When seeking explicit consent, the user is often given some level of granular control over their data sharing. For example, they may be comfortable sharing their browsing behavior to personalize content, but not to personalize ads, and will be able to specify these preferences. This can help establish trust, and encourage users to not blanket-deny the use of their data.

Consent isn't a one-time action

The way that you interact with your users changes over time. A user might arrive at your website through an advertising channel, having consented to share certain information through that channel. They may then go on to sign up for your newsletter, or send you a message, or make a purchase. Your relationship with that user, and the data you will be collecting from them, has changed, and consent must be regained or updated based on the new ways you will be using their data. Failure to account for this can lead to significant legal ramifications.

There are many other factors that might require a user to update their consent. Regulations could state that you may only retain certain data for a "reasonable" amount of time before you have to collect it again. If you are using a phone app, you may be requesting access to personal information provided through the device.

If you change the third parties you work with (for example, adding a new advertising provider to your website), that will also require renewed consent. Keeping up with these changes and communicating them to your users without a centralized framework is time-consuming and technically challenging.

Consent management and first-party data

If you are using third-party tools to gather and process data, you are subject to using it according to their policies and affected by their product decisions. You also risk them mishandling the data they collect on your behalf.

Recently, European countries have made the use of Google Analytics illegal, finding it in breach of GDPR. In the same period, Google also began enforcing the migration to a new version of its Analytics platform. This left users with no choice but to use a new platform that enforces a maximum retention period for collected data and limits ways that data can be reported.

The best way to ensure you are in full control of your data is to take full ownership of it. By collecting your own first-party data and storing it yourself, you can ensure that it’s retained for as long as you need it, and that you’re not limited in how you can process and report it. Collecting all of your data first-hand also greatly simplifies consent and preference management, as you don’t need to consider the data handling practices of third parties.

Consent management platforms

Dealing with different jurisdictions' ever-changing data regulations, gaining explicit consent as your customer relationships evolve, and recording this consent for compliance purposes is a complex process. Attempting to build your own consent management solution that performs all of these tasks is error-prone, leading to possible accidental data mishandling or regulatory non-compliance.

Consent management platforms do all of this hard work for you. They ensure that you are doing everything you can to establish user trust and everything you should do from a legal standpoint, ensuring your users are in full control of their choices.

Buy vs. build — managing consent is a big task

You may think of consent management as just being that pop-up you see when you visit a website for the first time, but there is more to it than that. Once the user has made their choices and given their consent, this must be recorded in a way that preserves the lineage and veracity of that choice. You have entered into a legal agreement with the user — an agreement that is only useful as long as its terms and the user’s consenting action are stored precisely.

This requires both front-end and back-end development and infrastructure, with the user's consent choices synchronized across products and devices. Building all of this adds complexity to your development and additional infrastructure overheads.
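
The record-keeping described above, together with the re-consent triggers from "Consent isn't a one-time action", sketched as an added example (not RudderStack or OneTrust code). The hash chain, the policy fingerprint, and all names and sample values are assumptions chosen for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash used by the first entry

def _sha256(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def policy_fingerprint(version, purposes, vendors):
    """Changes whenever the policy version, purposes, or third parties change."""
    return _sha256({"version": version, "purposes": sorted(purposes),
                    "vendors": sorted(vendors)})

class ConsentLedger:
    """Append-only consent log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, granted, policy_fp, timestamp):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"user": user_id, "granted": sorted(granted),
                 "policy": policy_fp, "ts": timestamp, "prev": prev}
        entry["hash"] = _sha256(entry)  # hashed before the "hash" key is set
        self.entries.append(entry)
        return entry

    def verify(self):
        """Detects edited, removed, or reordered entries inside the chain.
        Catching truncation or a full rewrite also requires storing the
        head hash somewhere the log writer cannot modify."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _sha256(body):
                return False
            prev = e["hash"]
        return True

    def allowed(self, user_id, purpose, current_policy_fp):
        """Latest record wins; no record or a stale policy means no consent."""
        for e in reversed(self.entries):
            if e["user"] == user_id:
                return e["policy"] == current_policy_fp and purpose in e["granted"]
        return False
```

A withdrawal is recorded as a new entry with an empty `granted` list, so the history of each choice is kept rather than overwritten.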

Consent management platforms are not a technical panacea and one size does not fit all. Work is required to integrate them into your technology stack, as they may not integrate well with the other technologies you’re using.

Features to expect from a consent management platform

Consent management platforms such as OneTrust provide the components required to give your users control over what happens to their data. They should also provide you with tools for compliance, assessing the risk of involved third parties, and managing privacy policies and the limits they set.

The features set out in the table below should all be considered vital when choosing a consent management platform:

| Feature | Use case |
| --- | --- |
| Centralized compliance | You need a centralized interface to your data, and tools to ensure you are compliant with regulation in the markets you are operating. Different jurisdictions will have different requirements in their local law. An effective consent management platform allows you to ensure that you are fully utilizing the data users have made available to you, while remaining compliant. |
| Consent management, including mobile and cookie consent | Your users should be provided with a consistent consent experience across both the mobile apps and the online services you provide. |
| Data mapping and discovery | You must have an inventory of your data so that you know what sensitive data you control and can ensure that it is handled correctly. |
| PIA (privacy impact assessment) and DPIA (data protection impact assessment) | PIAs and DPIAs identify and mitigate potential data protection risks, and are required by GDPR for any high-risk data. Consent management platforms should provide templates and tools to create and manage these assessments. |
| Policy management | An online business may have different policies for different products, all of which change over time. Central management of privacy policies means that they are all kept up to date and all users receive notice that a policy has been updated. |
| Privacy rights requests | Users have the right to know what data you have collected about them. This data is often stored across a number of different locations. Users submitting SARs (subject access requests) must be able to receive a full copy of all known information about them within a reasonable timeframe. Consent management platforms should provide the tools for cataloging this data. |
| Privacy and security incident/audit management | Privacy and security breaches must be investigated and documented, and affected users must be alerted with exactly what information was potentially exposed. Data consent management platforms enable this process by providing tools for auditing and risk assessment, as well as identifying potentially compromised data. |
| Third-party and vendor risk management | Sharing data with third parties comes with risks that must be identified. Third parties may change their data practices over time, and you must track these changes to ensure that you can continue a compliant and beneficial data sharing relationship. |

OneTrust also integrates with the Snowflake Data Cloud to ensure that sensitive data can be identified and stored according to the required regulatory standards.

Consent management and customer data platforms

If you want reliable, useful information from your users, you must ask them for it. Implementing the consent management tools required to achieve this is a big task. Given constantly moving regulatory targets, new kinds of user data being made available, and changes to your own data requirements, using a centralized management solution will be preferable to building your own.

Integrating these platforms with your existing data stack will have its challenges. However, by using a customer data platform (CDP) that understands consent management and propagates the consent information collected from an integrated consent management platform, this process can be greatly streamlined.

Further reading

In this article we explained consent management, and why it is required when working with customer data. To find out more about customer data and how a CDP can help you collect data while remaining compliant, check out these articles in our learning center:
