
Consent management platforms are just a start

Tags:

Regulatory Affairs

This content was created by an IAB UK member


While CMPs excel at consent collection and management, user privacy and data regulation require more robust, real-time insight, writes The Media Trust's Kay Crawford

In the wake of Europe’s General Data Protection Regulation (GDPR) and other emerging data privacy requirements, Consent Management Platforms (CMPs) give publishers flexibility in being compliant, and in demonstrating that compliance, while also monetising users. But as CMP use proliferates throughout the digital advertising ecosystem, so have misconceptions about the breadth of the tool’s capabilities.

At heart, CMPs are extremely useful tools for automating consent collection and management, but they’re not comprehensive solutions for protecting user privacy - or ensuring regulatory compliance. Publishers need to reinforce their CMP’s consent management prowess with robust security and data compliance monitoring tools that will offer users peace of mind, and keep publishers on the right side of regulators.
 

What a consent management platform actually does

Implemented by publishers on their websites and mobile apps, CMPs inform, document, and manage a consumer’s consent choices prior to any data collection, sharing, or selling of the consumer’s information harvested from the publisher properties. 

CMPs provide end-users with detailed information on how their online behaviour may be tracked, the purposes for which that information is collected, and the specific vendors and entities requesting to use the information. The CMP also serves as the interface for user consent. Individual site visitors can select the ad tech providers with whom the publisher can share data regarding the individual’s online activity, and the CMP passes the resulting consent strings to these ad tech partners.
 

What a Consent Management Platform does not do

1. Ensure regulatory compliance

CMPs facilitate the consent process and, therefore, only do what they’re told. If there’s an error in the consent collection process, a CMP won’t see it. While claiming capture of all executing code, many CMPs miss the fourth-, fifth- and nth-party vendors (i.e., the partners of partners of partners) associated with serving an ad. And what about non-advertising code? Code that executes outside the advertising supply chain can still collect user data. 

Compounding the issue, the IAB TCF 2.0 introduced the Global Vendor List (GVL), and a cursory review of a dozen EU-based publishers reveals 50% of executing vendors are not on it. If any of those vendors drop cookies, understanding how the CMP is honouring user consent is critical.

2. Identify comprehensive tracking risks

Although cookies aren’t the only technology used to track users, most CMPs are exclusively focused on them. The ubiquity of fingerprinting, JavaScript code, and local storage identifiers should also be addressed, as these tracking technologies can violate a publisher’s regulatory compliance standing - and the use of them is likely to increase with the sunset of third-party cookies.

3. Evaluate risks associated with cookies

The various attributes associated with a cookie provide insight into more unauthorised activities that can lead to tracking risks. Of the various attributes, three are critical: 

  • SameSite: the strict setting only allows cookies to be sent in a first-party context and will not respond to third-party initiated requests, i.e., won’t send data to a domain that is not the website operator
  • Value length: larger values can function as an identifier, as the more information stored, the easier it is to identify a user
  • HttpOnly: setting this flag to ‘true’ protects a first-party cookie by preventing client-side scripts from accessing cookie-specific data, which stops cross-site scripting attacks from reading it

If not properly managed, these cookie attributes enable tracking without publisher knowledge. 
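One way to check these three attributes on the cookies a page's server responses set, as an added example that is not from the article or The Media Trust. The 64-character value threshold, the finding labels and the sample headers are assumptions constructed for illustration.

```javascript
// Added example; MAX_VALUE_LEN is an assumed threshold, not from the article.
const MAX_VALUE_LEN = 64;

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: malformed
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return the findings for one header, one label per risky attribute.
function auditCookie(header) {
  const c = parseSetCookie(header);
  if (!c) return ['malformed'];
  const findings = [];
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (sameSite === 'none') findings.push('samesite-none'); // sent on cross-site requests
  else if (sameSite !== 'strict' && sameSite !== 'lax') findings.push('samesite-missing');
  if (!c.attrs.httponly) findings.push('script-readable'); // exposed to document.cookie
  if (c.value.length > MAX_VALUE_LEN) findings.push('long-value'); // room for an identifier
  return findings;
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  'uid=' + 'a'.repeat(96) + '; Domain=.tracker.example; Secure; SameSite=None',
  'prefs=dark; Path=/',
];

for (const h of SAMPLE_HEADERS) {
  console.log(h.split('=')[0], auditCookie(h));
}
```

Cookies written by scripts through `document.cookie` never appear in `Set-Cookie` headers, so a header audit like this covers only server-set cookies.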

4. Safeguard users from malware or redirects

By their nature, CMPs only manage consent. They do not detect and block malware, redirects, or any other unwanted activity. With a 2X increase in malvertising since 2017, securing the user experience has never been more important. User privacy surely isn’t being protected if credit card skimmers or phishing attacks are finding their way into user browsers via the ad pipes.

5. Drive revenue optimisation strategies

Who said protecting user privacy didn’t mean making money? To keep revenue channels open and operating in a regulatory-compliant manner, publishers need to be able to identify frequently offending vendors and work to remove them from their digital advertising supply chain. This is not in a CMP’s repertoire, nor should it be. But many data privacy issues can be isolated to specific vendors. As a bonus, more compliant partners also tend to be the more premium partners, and the ones that bring in more revenue.
 

The holistic approach

While CMPs excel at consent collection and management, user privacy and data regulation require more robust, real-time insight and resolution of not only compliance but also security. Your CMP has been filling its role spectacularly when it comes to consent, but it’s time to fill out your compliance and privacy program.

By Kris Crawford, VP Marketing

The Media Trust

The Media Trust is on a mission to fix the digital ecosystem. We help clients protect their digital revenue with powerful tools to regain control of their digital ecosystem and effectively manage their digital supply chain. Our clients gain actionable intelligence on all code that runs on their websites and mobile apps - including each code’s source - and are able to enforce their digital policies by collaborating with trusted digital partners.

More than 600 premium enterprises, media publishers, ad networks/ exchanges, and agencies - including 40 of comScore's AdFocus Top 50 websites - rely on The Media Trust to identify and address digital security, privacy, and quality issues that can erode the online user experience, put their company at odds with privacy regulations, depress inventory value, and diminish their brand. Learn more at MediaTrust.com

Posted on: Monday 19 April 2021