What is consent management? The ultimate guide
With fines for non-compliance increasing and customers more concerned than ever about their personal data, consent management should be at the top of the priority list for all companies in 2022.
Whether it is your customer data platform or a similar tool, it is important to have a comprehensive consent management plan that is easy for customers to understand and complies with the necessary laws and regulations.
What is consent management?
Consent management is a system or process that allows customers to determine what personal information they are willing to share with a business.
This has become so important worldwide because websites are required by law to obtain users' consent to collect data through cookies during browsing. Businesses worldwide are responsible for collecting and managing customer consent.
Consent can be divided into three categories, which together make up consent management:
- general consent,
- consent,
- legitimate interest.
These should be considered before embarking on marketing campaigns or email communication efforts.
Indeed, consent management is a process that drives users towards compliance by informing them about data collection and use practices. A good consent management process logs and tracks consent collection so companies don't have to worry about complying with global laws and regulations. It also, of course, makes it easier to collect consent.
What is the difference between consent and preference management?
Although consent management and preference management sound similar, there are distinct and important differences between the two. Both are a critical part of developing a privacy- and customer-centric strategy, but it is important for businesses to understand the difference between the two concepts.
When marketers use consent management, they are asking for customer consent for things like the collection, storage and processing of personal data. The data is then of course used for marketing campaigns such as retargeting and email campaigns.
The collection of consent is also commonly known as 'signing up' or 'agreeing' to receive communications from the company. If customers no longer wish to hear from a company, they will change "opt in" to "opt out" and withdraw their consent to receive marketing communications.
Consent management controls the collection of customer preferences and ensures that companies comply with the law by not contacting customers who no longer wish to be contacted.
While it may sound similar, preference management actually refers to giving users the ability to choose the frequency of communications, the topics they wish to receive, and the channels through which they wish to receive communications. During preference management, customers are also free to enter their zero-party details.
While preference management is important, managing consent is the primary issue, so it is important to understand when to collect consent from customers.
When should you use consent management?
Under the GDPR, consent is one of six legal grounds for processing customer data.
In most situations, obtaining consent is the best way for a business to process customer data. However, if this is not possible, the GDPR gives businesses five other grounds for processing customer data. These are:
- Contract performance. If your business provides a good or service to a customer, the legal basis you can rely on for processing the data needed to perform that contract is the contract itself, rather than consent. For example, if a customer orders a T-shirt from your e-commerce store, your business will need the customer's address to deliver the T-shirt and complete the order process. The customer does not need to explicitly consent to the processing of delivery data, as this is covered by the contract in force.
- Performing public tasks. Public authorities carrying out tasks falling within their daily job description do not have to comply with these consent management requirements if they perform tasks of public interest or exercise public authority. However, if you do not work for the government, the police, a hospital or a school, this ground probably does not apply to you.
- Legitimate interest. This ground contains some grey areas. Your company can process customer data without consent if there is a "good reason" to do so. What this means in concrete terms is open to legal interpretation and has been the subject of court cases.
- Vital interest. If processing customer data is essential to save someone's life, such processing is legally required under the GDPR. Again, this does not apply to your everyday e-commerce business.
- Legal obligation. This basis applies where the processing of a particular type of data is legally required. An example of this might be criminal records.
Many of these grounds do not apply to typical e-commerce businesses. Any business that is not covered by the above exceptions ends up exactly where we started this discussion: having to obtain consent to lawfully process customer data.
Why is it important to manage consent?
Managing consent can seem like a lot of hassle and extra work, and it can be tempting to avoid that work by simply ignoring the consent process.
Ignore consent management at your own risk. GDPR fines have skyrocketed in the past year as customers have become much more concerned about businesses holding their personal data.
GDPR fines for some breaches can reach up to £20 million or 4% of a company's annual global turnover. Here are two examples of GDPR fines that could have been avoided if these businesses had better consent management plans in place:
- Mobile telecoms provider Wind Tre was fined £16.7 million for "unlawful direct marketing practices". These practices included creating confusing interfaces for users to give consent, using personal data without the data subject's consent and deliberately ignoring privacy guidelines.
- In June 2020, a fine of £1.24 million was imposed on the German health insurance organisation AOK Baden-Württemberg. The company was found to have sent marketing messages to 500 people without consent because it had failed to take adequate measures to protect personal data.
Companies will not only feel the pain of such cases financially. The 'clean-up' process resulting from a GDPR fine has to address not only the problem for which the company was fined, but also the task of regaining the trust of customers who now have a negative perception of the brand concerned.
This process is easy for some customers and difficult for others. Take the necessary steps by implementing a robust consent management program to avoid potentially large fines and the reduced customer loyalty that comes with fines.
Consent management and compliance
Now that you know it can be disastrous if you're not GDPR compliant, how can your business specifically comply with GDPR when it comes to consent?
Article 7 of the GDPR outlines all the conditions for consent and sets out exactly how companies must comply in this regard.
Below is a brief summary of Article 7 to save you some technical reading:
- If the collection and processing of customer data is based on consent, the company must be able to prove that the customer has consented.
- If the customer's consent to data processing is given in a written statement that also applies to other matters, the request for consent must be made in a way that makes it easily distinguishable from other matters.
- The customer shall have the right to withdraw consent at any time. This does not affect the lawfulness of the processing prior to the withdrawal of consent. Withdrawal of consent should be as simple for customers as collection. If consent is given with one click, customers should also be able to withdraw it with one click.
- In assessing whether consent has been freely given, the extent to which the performance of the contract is dependent on consent to the processing of personal data not necessary for the performance of the contract should be taken into account.
As laws change and new regulations emerge around the world, so will the consent process. It is therefore important to have a partner on your team who can keep you up to date on the processing of consent.