While CMPs excel at consent collection and management, user privacy and data regulation require more robust, real-time insight writes The Media Trust's Kay Crawford
In the wake of Europe’s General Data Protection Regulations (GDPR) and other emerging data privacy requirements, Consent Management Platforms (CMP) provide publishers flexibility in being and demonstrating compliance while also monetising users. But as CMP use proliferates throughout the digital advertising ecosystem, so have great misconceptions about the breadth of the tool’s capabilities.
At heart, CMPs are extremely useful tools for automating consent collection and management, but they’re not comprehensive solutions for protecting user privacy - or ensuring regulatory compliance. Publishers need to reinforce their CMP’s consent management prowess with robust security and data compliance monitoring tools that will offer users peace of mind, and keep publishers on the right side of regulators.
What a consent management platform actually does
Implemented by publishers on their websites and mobile apps, CMPs inform, document, and manage a consumer’s consent choices prior to any data collection, sharing, or selling of the consumer’s information harvested from the publisher properties.
CMPs provide end-users with detailed information on how their online behaviour may be tracked, the purposes for which that information is collected, and the specific vendors and entities requesting to use the information. It also serves as the interface for user consent. Individual site visitors can select the ad tech providers with whom the publisher can share data regarding the individual’s online activity, and the CMP passes the resulting consent strings to these ad tech partners.
What a Consent Management Platform does not do
1. Ensure regulatory compliance
CMPs facilitate the consent process and, therefore, only do what they’re told. If there’s an error in the consent collection process, a CMP won’t see it. While claiming capture of all executing code, many CMPs miss the fourth-, fifth- and nth-party vendors (i.e., the partners of partners of partners) associated with serving an ad. And what about non-advertising code? Code that executes outside the advertising supply chain can still collect user data.
Compounding the issue, the IAB TCF 2.0 introduced the Global Vendor List (GVL), and a cursory review of a dozen EU-based publishers reveals 50% of executing vendors are not on it. If any of those vendors drop cookies understanding how the CMP is honouring user consent is critical.
2. Identify comprehensive tracking risks
Although cookies aren’t the only technology used to track users, most CMPs are exclusively focused on them. The ubiquity of fingerprinting, JavaScript code, and local storage identifiers should also be addressed, as these tracking technologies can violate a publisher’s regulatory compliance standing - and the use of them is likely to increase with the sunset of third-party cookies sunsets.
3. Evaluate risks associated with cookies
The various attributes associated with a cookie provide insight into more unauthorised activities that can lead to tracking risks. Of the various attributes, three are critical:
- Samesite: the strict setting only allows cookies to be sent in a first-party context and will not respond to third-party initiated requests, i.e., won’t send data to a domain that is not the website operator
- Value length: larger values can function as an identifier, as the more information stored, the easier it is to identify a user
- HTTPOnly: by setting the flag to ‘true’, this tag protects a first-party cookie by preventing client-side scripts from accessing cookie-specific data, thereby thwarting cross-site scripting attacks
If not properly managed, these cookie attributes enable tracking without publisher knowledge.
4. Safeguard users from malware or redirects
By their nature, CMPs only manage consent. They do not detect and block malware, redirects, or any other unwanted activity. With a 2X increase in malvertising since 2017, securing the user experience has never been more important. User privacy surely isn’t being protected if credit card skimmers or phishing attacks are finding their way into user browsers via the ad pipes.
5. Drive revenue optimisation strategies
Who said protecting user privacy didn’t mean making money? To keep revenue channels open and operating in a regulatory-compliant manner, publishers need to be able to identify frequently offending vendors and work to remove them from their digital advertising supply chain. This is not in a CMP’s repertoire, nor should it be. But, many data privacy issues can be isolated to specific vendors. As a bonus, more compliant partners tend to also be the more premium partners, and the ones that bring in more revenue.
The holistic approach
While CMPs excel at consent collection and management, user privacy and data regulation require more robust, real-time insight and resolution of not only compliance but also security. Your CMP has been filling its role spectacularly when it comes to consent, but it’s time to fill out your compliance and privacy program.
Posted on: Monday 19 April 2021