Online privacy and data have always been the headlines of the ad tech industry. Especially whenever someone announces a new law to scrutinize the obscure ecosystem, it’s all chaos. The stateside privacy laws, CCPA and LGPD, are clear examples. Besides giving birth to a new role, the privacy laws have led us to deal with yet another three-word acronym – CMP, expanded as ‘Consent Management Platform’.
Whether you’re a publisher, ad tech vendor, or marketer, you need to know what a CMP is and how it should help you comply with different privacy laws and regulations. Else, you wouldn’t be able to process and use the data (of several users belonging to the countries) to run advertising on the open internet.
Almost 7.5% of internet users are from the European Union in 2022 (Src)
So, we know CMPs will be a to-do list for every publisher. That’s why we created this status page. It keeps you on track with the CMP and gives you a glimpse of where we are headed with the technology. Let’s dive in.
Table of Contents
Consent Management Platform (CMP)
First thing first. What is CMP?
Simply put, a Consent Management Platform (CMP) is a platform that publishers can use,
- For requesting, receiving, and storing users’ consent.
- For storing the list of preferred vendors and why they’ve been collecting the users’ information.
- For updating the collected consents (if a user triggered the action).
A user can set their consent status for all the vendors (individually or in a bulk manner) on a publisher’s site. CMPs will employ a user-friendly interface to let consumers allow/disallow vendors to track, target, and share their online footprint.
IAB Europe defines CMPs as,
“A company that captures and stores a Publisher’s preferred vendors and purposes and will also retrieve or set the vendor consent status of a user through a third-party cookie available to all CMPs.”
A CMP can employ a pop-up modal (as shown above) to collect the users’ consent. Once the user consents, a CMP can distribute the same throughout the supply chain to deliver ads. A CMP will only trigger certain tags to collect generic and accepted information if the user doesn’t consent.
For instance, if you haven’t agreed to let advertising vendors process your information, you’ll be shown a contextually-relevant ad. The ad is purely based on the content of the page.
Moving forward, there are four core functions of a Consent Management Platform:
- Consent Notification: A CMP is responsible for providing the users notices about the data collection and processing of data (PII and Non-PII).
- Consent Capturing and Sharing: An ideal CMP stores the users’ preferences in an IAB-compliant cookie to share legally with the approved partners.
- Users’ Privacy Preferences: A CMP provides multiple options to the users to exercise consent at granular levels.
- Compliance Proof: A CMP provides access to log data and audits it.
Why Does a Publisher Need a Consent Management Platform?
Typically, publishers, directly and indirectly, collect a set of information (both PII and non-PII) to target ads and deliver personalized ad/content experiences to a user. Per GDPR guidelines, publishers must “unambiguously” get the users’ consent to collect, process, and use their data. That’s where the Consent Management Platform comes in. Of course, we’re referring to EU users.
Without CMPs, a publisher might take a deep revenue cut, as digital advertising is many publishers‘ major revenue source. Though we can show contextual ads, users (for lesser relevance) and publishers (for deprecated CPMs) hate them. To sum up, you need a Consent Management Platform if:
- You are using the personal data of your website visitors for purposes like behavioral targeting, analytics, content or ad personalization, or any other kind of remarketing.
- You are using behavioral data for automated decision-making.
- You are sharing/transferring data of your website visitors.
What if a CMP Violates the Rules?
The consortium (IAB Europe) will determine whether to let CMP continue integrating with the publisher based on predetermined procedures and norms.
IAB Europe requires it to protect and pass the information in an authorized/agreed manner. And it has opened registration for CMPs and has a list of registered ones too.
Is It Compulsory for Publishers to Work with a CMP?
No, it is safe to have a specialized entity in place. Also, publishers may choose to act as a CMP. That said, picking the right vendor and implementing CMP properly is essential.
In November 2018, a French ad tech company named Vectaury got sued by the data protection authority, Commission Nationale de l’informatique et des libertés (the CNIL). Do you know why?
The company’s CMP didn’t comply with the law; hence, the collected consent isn’t valid. From language to UI, several things were questioned. As a publisher, you should know whether your CMP is valid. You can use IAB’s CMP validator or break down the CMP yourself to know what’s happening.
Wait, What Is the IAB CMP Validator?
IAB Europe initiated the development of a tool to validate CMPs. The Media Trust developed the CMP validator, and you can access it via The Media Trust platform. It validates whether a CMP’s code conforms to the technical specifications and protocols detailed in the IAB Europe Transparency & Consent Framework (Framework), as per the press release.
What Do You Need to Keep in Mind?
- CMPs will grow over the EU region, similar to SSPs and DSPs. Premium publishers, capable of maintaining a dedicated in-house for consent management, can try to avoid external help. Regarding the mid-range market, partnering with the registered CMPs is advisable. Besides, a few open-source CMPs are available in the market (similar to Prebid), with the help of which mid-market publishers can customize and implement CMPs in-house.
- The system is flexible. It means IAB Europe is planning to optimize the rules and regulations, technical standards, etc., based on the feedback from the market.
- Publishers have complete power, even after they partner with an external CMP. They decide the UI, vendors, information sharing, etc.
- The maximum validity of user consent should be 13 months.
Here‘s how the Consent Management Platform distributes the consent to the ecosystem.
Any CMP Suggestions?
Without a doubt, there are almost a hundred CMPs in the market, and all claim to be the best. To ease your decision-making process, we’ve reviewed a couple of sources and listed them here.
Content Management Platform: What’s in Store?
It is a fact that data runs the advertising, and without it, many would struggle even to exist, let alone thrive. Users, on the other hand, are becoming more concerned about their data and online privacy. We see the GDPR and the CMP as a way to satisfy both parties. Unlike walled gardens, users are given complete freedom to handle their data through CMP, and as per Quantcast, 90% of the consumers gave consent to advertising purposes.
What Is a Consent Management Platform (CMP)?
A Consent Management Platform (CMP) is a solution that helps publishers collect and manage users’ personal information and consents in line with data protection laws and regulations such as the EU’s GDPR, California’s CCPA, or Brazil’s LGPD.
How Does Consent Management Platform Work?
A CMP informs visitors of data collection and stores their consent information. Visitors can modify their preferences and make requests related to their data. CMPs ensure adherence to data protection regulations.