MarTech Landscape: What is a consent management platform (CMP)?
The new CMPs are offering ways for publishers to capture and disseminate user consents, with support for the two biggest ad-related consent mechanisms — IAB’s and Google’s.
If there was a contest for the most important word over the last year of marketing and advertising, my money would be on “consent.”
The key driver, of course, is the value of that term in the newly implemented General Data Protection Regulation (GDPR).
To manage all those user consents, there’s now a new acronym: CMP, for consent management platform. (Content management platforms will just have to go back to being called content management systems.)
Although consent managing systems have been coming online since at least a year ago, many of the current crop are being built for compatibility with the Interactive Advertising Bureau (IAB)’s new GDPR Transparency & Consent Framework.
Currently, there are over a hundred approved CMPs. The IAB Consent Framework, announced in March, is designed to present consent options to visitors of websites (and, eventually, mobile apps), to capture consent about the use of personal data and the authorized vendors, and then to relay that consent profile to relevant ad tech vendors in the ecosystem.
IAB Tech Lab SVP Jordan Mitchell told me that his organization “didn’t want to pick winners who would surface the consent screen,” so it hasn’t actually delivered a tech spec for CMPs.
But there are a few common characteristics for all IAB-authorized CMPs, he said. They have to be able to present disclosures, vendors and purposes to visitors who are considering whether to grant use of their personal data, like browsing behavior.
They need to be able to add new vendors to the consent form and pass consent parameters to other tools, like marketing automation. And the DMP records those choices onto cookies, so that the consent parameters are made available by the IAB Framework to the OpenRTB ad call.
But the IAB Tech Lab doesn’t tell the CMP how to offer or capture consent, or what kinds of granularity options to offer the publisher.
Some CMPs might store that consent profile for each visitor, but that might be for their own use or the use of their publisher clients. It can also be stored as a first-party cookie on the visitor’s browser, so a particular website can know the consents granted by its visitors during that session or when they return.
But, if the publisher allows and the visitor grants what’s called “global consent,” the CMP places a third-party cookie with the consent info onto a new domain established by IAB Europe, called Consensu.org. The third-party cookies in Consensu can be read by any other CMP that is authorized by IAB as an approved vendor.
If a global consent generated during a visit to Site A is stored on Consensu.org, it is available to Site B and other sites, so they can determine the consent profile of a visitor without having to ask her all over again.
In fact, one of the qualifications that the IAB Tech Lab does require for the authorization of a CMP is that the platform must be able to be read consent preferences set by another CMP in the Consensu cookie.
One such CMP was released by content compensation platform Sourcepoint at the end of May, as a module for its Dialogue platform.
COO and co-founder Brian Kane told me that his company’s CMP supports the IAB Framework, but also supports non-IAB vendors.
It allows publishers to acquire explicit consent from site visitors and pass the consent to the ad ecosystem, he said. Publishers can customize their consent forms, such as grouping vendors to make opt-ins easier, and, if a visitor doesn’t provide consent, it can let the publisher know so that non-targeted ads can be delivered. Customized messages to acquire consent can be directed at specific groups defined by such non-personal data as geography or content being viewed.
The broad consent categories for publishers are site-only consent, global consent or “publisher family consent,” which applies to a group of publisher-owned sites. The Dialogue platform also lets publishers employ A/B tests to see which approaches get more consent.
The publisher decides where consent takes place on the site and the vendor list. The visitor sees a Sourcepoint Privacy Manager, delivered as a modal screen, such as this one:
In Sourcepoint’s implementation, the consent dataset is appended to a cookie that is stored on your device, and then the CMP automatically writes the cookie to Consensu. If the publisher has offered global consent and the visitor has granted it, then the Consensu consent profile is available to other sites.
At the moment, the consent universe is additionally complicated by the fact of a separate Google consent system. SourcePoint also makes Google’s DoubleClick consent options available as choices to the user, except consent is publisher-specific, stored in a first-party cookie for that publisher only.
Kane said there was no conflict with offering both IAB’s and Google’s consent platforms, all in one window to the user. But, he told me, it could become complicated once Google fully implements the IAB Framework. In late May, the search giant said it is in the process of joining the IAB Framework.