With non-compliance fines soaring and customers more concerned about their personal data than ever, consent management should be at the top of the priority list for every company in 2021.
Whether it’s for your customer data platform or a similar tool, it is important to have a comprehensive consent management plan that is easy for your customers to understand and compliant with necessary laws and regulations.
Keep reading for everything you could possibly need to know about consent management and how it will affect your company in 2021.
What is consent management?
Consent management is a system or process for allowing customers to determine what personal data they are willing to share with a business.
It has become so important because of the legal requirement for websites to obtain user consent before collecting data through cookies while people browse. Businesses all across the world are now responsible for collecting and managing customer consent.
Exponea, a Bloomreach company, breaks things down into three consent categories that make up consent management:
- general consent,
- and legitimate interest.
These must be considered before embarking on marketing campaigns or email communication efforts.
Consent management is a process that guides compliance by informing users about data collection and usage practices. A good consent management process logs and tracks every consent decision, so that a company can show what a customer agreed to, when, and where, instead of hoping that it is compliant with the laws and regulations that apply to it. It also, of course, facilitates the collection of consent itself.
What is the difference between consent and preference management?
While consent management and preference management might sound the same, there are important differences between the two. Both are critical parts of a privacy-first, customer-centric strategy, but businesses need to understand how the two concepts differ.
Marketers ask for customer consent in the consent management process to do things like collect, store, and process personal data. The data is then of course used for marketing campaigns like retargeting and email campaigns.
Consent collection is also commonly known as “subscribing” or “opting in” to receiving communications from a company. If customers no longer want to hear from a company, they would change their “opt in” to an “opt out” and revoke consent for marketing communications.
Consent management governs this collection of customer wishes and ensures that companies are staying compliant by not contacting customers who do not wish to be contacted any longer.
While it might sound similar, preference management actually refers to giving users the ability to make choices about the frequency of communication, the topics, and the channels on which they would like to receive communications. Customers can also freely give zero-party data (information they volunteer about themselves, such as their interests) in the preference management process.
While preference management is important, consent management is the topic at hand and it is important to understand when you must collect consent from customers.
When should you use consent management?
According to GDPR, consent is one of six lawful bases to process customer data.
In most situations, the most straightforward way for a business to process customers’ data is to obtain consent. However, if consent is not an option, GDPR allows five other lawful bases for processing customer data. They are:
- Performance of contract. If your business is providing a good or a service to a customer, for processing of customer’s data that you need for the performance of such a contract, the contract is the legal basis you rely on rather than consent. For example, if a customer orders a t-shirt from your e-commerce store, your business will need the customer’s address to deliver the t-shirt and complete the order process. The customer does not need to explicitly consent to the processing of delivery data as the contract in place covers it.
- Performance of public tasks. Authorities carrying out tasks in the public interest, or exercising official authority vested in them, can rely on this basis rather than on consent. However, unless you work for the government, the police, a hospital, or a school, it is likely this basis does not apply to you.
- Legitimate interest. This basis involves some gray areas. Your company may process customer data without consent when it has a “genuine reason” to do so and that interest is not overridden by the customer’s own rights and freedoms. You must carry out and document that balancing test yourself; what counts as a legitimate interest is up for legal interpretation and has already been debated in court.
- Vital interest. If processing personal data is necessary to protect someone’s life, GDPR permits the processing without consent. Again, this does not apply to your everyday e-commerce business.
- Legal obligation. This basis applies when a law requires you to process particular data. An example is keeping invoices and accounting records for as long as tax law prescribes.
Many of these bases do not apply to typical e-commerce stores. Any business that is not referenced amongst the above exceptions lands right back where we started this discussion: it must obtain consent to legally process customers’ data.
Why does consent management matter?
The million dollar question. Quite literally, for some companies.
Consent management can seem like a big hassle and additional work that can be alleviated if the consent management process is just ignored, right?
Ignore consent management at your own risk. GDPR fines have risen sharply over the past year, and customers care more than ever about which businesses hold their personal data.
GDPR fines can reach €20 million or 4% of a company’s annual worldwide turnover, whichever is higher. Here are two examples of GDPR fines that could have been avoided if these businesses had had a better consent management plan in place:
- A €16.7 million fine was issued in 2020 to the Italian mobile telecommunications operator Wind Tre for “unlawful direct marketing practices”. These practices included confusing interfaces for giving consent, using personal data without the consent of the data subject, and willfully ignoring data protection guidelines.
- A €1.24 million fine was levied on the German health insurer AOK Baden-Württemberg in June 2020. Marketing messages had been sent to around 500 people without their consent because the technical and organisational measures needed to ensure that only consenting customers were contacted were not in place.
Companies won’t just feel the pain of these incidents financially. The “clean up process” from a GDPR fine includes not only fixing the issue a company was fined for, but also earning back the trust of customers who now see the affected brand in a negative light.
Some customers will forgive quickly; others will not. Take the necessary steps to have a reliable consent management program in place, and avoid both the potentially large fines and the loss of customer loyalty that comes with them.
Consent management and compliance
Now that you know that it can be disastrous to not be in compliance, how specifically can your business stay compliant with GDPR when it comes to consent?
Article 7 of GDPR sets out the conditions for consent and lays out exactly how companies are to stay compliant in this regard.
Here is a brief summary of Article 7 to save you some technical reading:
- When you process a customer’s data on the basis of consent, your company must be able to demonstrate that the customer has consented.
- If the customer’s consent is given in a written declaration that also concerns other matters, the request for consent must be presented in a way that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
- The customer has the right to withdraw consent at any time, and must be told so before giving it. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn. Withdrawing consent must be as easy as giving it: if consent is given with one click, customers should be able to take it away with one click as well.
- When assessing whether consent was freely given, utmost account is taken of whether the performance of a contract was made conditional on consent to processing that the contract does not actually need. In plain terms, you cannot make a service conditional on the customer consenting to data processing the service does not require.
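The Article 7 requirements above, and the earlier point that a good process logs and tracks every consent decision, translate into a concrete data structure: an append-only consent ledger. The following Python is an added illustration written for this page, not Exponea’s code or any part of the CDXP. It records each grant and withdrawal as an immutable event, chains the events with SHA-256 so that later edits to the record are detectable, answers “was consent in effect when we sent that message?” (so a withdrawal does not retroactively make earlier processing unlawful), and returns the evidence that Article 7(1) asks for. The customer identifier, consent category, notice version, sources and timestamps are constructed sample data.

```python
"""Append-only, hash-chained consent ledger (added illustration, not Exponea's code).

Every grant or withdrawal is an immutable event. The hash chain shows the
record has not been edited after the fact; the history answers both "does this
person consent now?" and "was consent in effect when we sent that message?".
All identifiers, categories and timestamps below are constructed examples.
"""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # pseudonymous customer id (hypothetical)
    category: str         # consent category, e.g. "marketing_email" (hypothetical)
    action: str           # "grant" or "withdraw"
    timestamp: datetime   # when the customer acted, UTC
    source: str           # where it was captured, e.g. "signup_form"
    notice_version: str   # version of the consent text shown at that moment
    prev_hash: str        # digest of the preceding event (chain link)

    def digest(self) -> str:
        body = dataclasses.asdict(self)
        body["timestamp"] = self.timestamp.isoformat()
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64  # prev_hash of the very first event

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def _append(self, subject_id, category, action, at, source, notice_version) -> ConsentEvent:
        prev = self.events[-1].digest() if self.events else self.GENESIS
        ev = ConsentEvent(subject_id, category, action, at, source, notice_version, prev)
        self.events.append(ev)
        return ev

    def grant(self, subject_id, category, at, source, notice_version) -> ConsentEvent:
        return self._append(subject_id, category, "grant", at, source, notice_version)

    def withdraw(self, subject_id, category, at, source) -> ConsentEvent:
        # One call, same shape as grant: withdrawing must be as easy as giving (Art. 7(3)).
        return self._append(subject_id, category, "withdraw", at, source, "-")

    def state_at(self, subject_id, category, at) -> Optional[ConsentEvent]:
        """Most recent event for this subject and category with timestamp <= at."""
        latest: Optional[ConsentEvent] = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.category == category and ev.timestamp <= at:
                if latest is None or ev.timestamp >= latest.timestamp:
                    latest = ev
        return latest

    def consent_in_effect(self, subject_id, category, at) -> bool:
        """True if the latest decision on or before `at` was a grant (withdrawal is not retroactive)."""
        ev = self.state_at(subject_id, category, at)
        return ev is not None and ev.action == "grant"

    def proof(self, subject_id, category, at) -> Optional[dict]:
        """Art. 7(1) evidence: the grant that covered processing at `at`, or None."""
        ev = self.state_at(subject_id, category, at)
        if ev is None or ev.action != "grant":
            return None
        return {"captured_at": ev.timestamp.isoformat(), "source": ev.source,
                "notice_version": ev.notice_version, "event_hash": ev.digest()}

    def verify_chain(self) -> bool:
        """True if no stored event has been altered or removed since it was appended."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True


def build_demo_ledger():
    """Constructed history for one customer: grant on 1 March, withdrawal on 10 March."""
    ledger = ConsentLedger()
    t_grant = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)
    t_send = datetime(2021, 3, 5, 9, 0, tzinfo=timezone.utc)      # a campaign sent in between
    t_withdraw = datetime(2021, 3, 10, 12, 0, tzinfo=timezone.utc)
    t_after = datetime(2021, 3, 11, 8, 0, tzinfo=timezone.utc)
    ledger.grant("cust-001", "marketing_email", t_grant, "signup_form", "notice-2021-02")
    ledger.withdraw("cust-001", "marketing_email", t_withdraw, "preference_centre")
    return ledger, t_grant, t_send, t_withdraw, t_after


def tamper_demo() -> bool:
    """Rewrite the stored grant into a withdrawal; returns whether the chain still verifies."""
    ledger, *_ = build_demo_ledger()
    ledger.events[0] = dataclasses.replace(ledger.events[0], action="withdraw")
    return ledger.verify_chain()


if __name__ == "__main__":
    ledger, t_grant, t_send, t_withdraw, t_after = build_demo_ledger()
    print("email on 5 March lawful:", ledger.consent_in_effect("cust-001", "marketing_email", t_send))
    print("email on 11 March lawful:", ledger.consent_in_effect("cust-001", "marketing_email", t_after))
    print("proof for 5 March:", ledger.proof("cust-001", "marketing_email", t_send))
    print("chain intact:", ledger.verify_chain(), "| after tampering:", tamper_demo())
```

Two design points worth noting. The ledger never updates or deletes a row: a withdrawal is a new event, so the customer’s full history (and the exact notice text version they saw) survives for an audit. And the chain only proves that an event was not altered after a later event was appended, so the newest digest should be anchored somewhere the marketing database cannot rewrite (a separate log store or a periodically published checkpoint) for the tamper evidence to hold for the last record as well.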
As laws change and new regulations appear in different parts of the world, the consent process will change as well. That’s why it is so important to have a partner like Exponea, the world’s first GDPR-certified SaaS company, on your team keeping you up to date on all things consent management.
Exponea leads the way with consent management
The CDXP allows users to define their own consent categories for customers to subscribe to, and to set subscriptions based on legitimate interest. The Single Customer View also offers a lifetime overview of each customer’s consent history, so users can see who gave or withdrew which consent, when, and where.
The customer-facing consent management page is also customizable.
Exponea, a Bloomreach company, is a leader in security in the SaaS space. Need proof? Exponea was the world’s first GDPR-certified SaaS company and holds top security certifications to help keep our customers as protected as possible.
Exponea is committed to protecting your data and keeping it secure. If you are ready to see the CDXP in action, watch our short demo video and see how you can compliantly turn your customer data into marketing magic. If you’re interested in learning more about data privacy and security, Exponea Academy’s Privacy Fundamentals course is the deep dive you need to master the topic and become an expert.