Consent management is a crucial aspect of data privacy and a significant challenge businesses face because 71% of countries have data privacy laws, and another 9% are drafting legislation.
In this guide, I’ll simplify consent management for businesses, discuss consent requirements from various data privacy laws, and provide tips to lawfully collect, process, and use consumer personal information.
- What Is Consent Management?
- What Does Consent Management Look Like?
- Why Is Consent Management Important?
- When Do You Need To Manage Customer and User Consent?
- Privacy Laws That Require Consent Management
- Types of Consent You Need To Know About
- How To Easily Manage Consent
- Wrapping Up Consent Management
What Is Consent Management?
Consent management refers to the technical measures businesses use on their websites or apps to obtain users’ expressed agreement to collect, process, and use their personal information for different purposes.
It helps businesses lawfully obtain users’ permission to deploy non-essential Internet cookies and other trackers on their browsers for different purposes, such as:
- The selling or sharing of their data
- Targeted advertising
- Collecting sensitive personal information
- Creation of analytics regarding the use of a specific tool, service, etc
- Remembering certain preferences of a specific user.
Even though Google Chrome is slowly phasing out cookies, consent management still applies to any new tracking technology that eventually replaces them.
What Does Consent Management Look Like?
Implementing proper consent management on a website includes the following:
- You need to present website visitors with a consent banner that gives them a clear way to consent or not consent to your collecting, processing, or using their personal information.
- Include a link to a preference center that allows users to customize their consent choices.
- Provide website visitors access to an accurate, up-to-date cookie and privacy policy.
- Give website visitors an easy way to change their minds (i.e., withdraw or give consent) at any time.
- Maintain a log of a website visitor’s choice (their consent preference).
- Display and acknowledge the retention period set for a specific processing activity.
Why Is Consent Management Important?
Consent management is important for two reasons:
- Various data privacy laws legally require it, and noncompliance can result in fines, criminal penalties, and other repercussions.
- Consumers care about data privacy and will shop elsewhere if they don’t think you manage their consent fairly and reasonably.
Before I dive into the details of how data privacy laws affect consent management, check out these telling data privacy statistics:
- 81% of users believe the way a company treats their personal data indicates how it views them as a customer. (Cisco)
- 63% of Internet users believe most companies aren’t transparent about how their data is used. (Tableau)
- 48% have stopped shopping with a company because of privacy concerns. (Tableau)
- Only 5% of consumers have no major concerns over how organizations use their data. (MAGNA/Ketch)
Assuming ‘nobody reads your privacy policy’ is outdated and untrue.
Internet users know that companies track them online, and many aren’t okay with it when it’s done secretly or in a non-transparent way.
The recent success of companies like NordVPN and Surfshark is no surprise. Who hasn’t heard an ad read for one of these VPN/safe Internet browsing subscription services when listening to a podcast or watching a YouTube video?
But if you give your consumers a choice and let them know what data you’re collecting from them and how you’re using it, they’ll feel more in control of their own information.
It’s simple: implementing consent management solutions demonstrates a commitment to data privacy, which earns more customer trust and leads to greater success.
Businesses can either keep up with this trend or fall behind and face the consequences.
When Do You Need To Manage Customer and User Consent?
You need to manage customer and user consent in the following situations:
- Your business is subject to laws that require it — like the EU General Data Protection Regulation — and consent is your legal basis for certain types of data collection and processing.
- You deploy cookies or other trackers for the purposes of running targeted advertising.
- You sell or share personal data collected from your consumers with your partners or other third parties.
- You profile individuals, aka., any automated processing of data to evaluate a natural person, including work performance, economic situations, health, and personal preferences.
- You want to collect and use sensitive personal information.
- You fall under U.S. state-level data privacy laws and want to collect data from users that is not considered “adequate, relevant, or reasonably necessary.” or need opt-in consent for processing sensitive data.
Privacy Laws That Require Consent Management
Every data privacy law has guidelines about how and when to obtain user consent for specific data collection and processing purposes.
While they share some similarities, they can also differ significantly, especially when comparing U.S. state-level laws to legislation from other parts of the world.
For example, the General Data Protection Regulation (GDPR), which protects individuals in the European Union (EU) and European Economic Area (EEA), requires:
- Active, informed, affirmative opt-in consent to process personal data whenever consent is the legal basis for the processing (see examples of GDPR consent forms)
- Giving consumers a way to opt-in to automated decision-making, including profiling
- Giving consumers a way to object to (aka, opt-out of) direct marketing and targeted advertising
However, U.S. state-level privacy laws typically require entities to give users a way to opt out of different types of processing, which is opposite to the GDPR’s opt-in consent.
It is important to highlight that some U.S. state-level privacy laws may also require an opt-in consent option to a previous opt-out exercised by the individual.
See the table below for the specific consent requirements outlined by the U.S. state-level privacy laws currently in effect.
| Privacy Law | Opt-out of the Sale of Data | Opt-out of the Sale or Sharing of Data. | Opt-out of Targeted Advertising | Opt-out of Profiling | Opt-in to the Collection of Sensitive Personal Data | Opt-out of the Collection of Sensitive Personal Data | Opt-in further to an opt-out exercised earlier |
| California Consumer Privacy Act (CCPA) | ✓ | ✓ | ✓ | ✓ | |||
| Colorado Privacy Act (CPA) | ✓ | ✓ | ✓ | ✓ | |||
| Connecticut Data Privacy Act (CTDPA) | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| Utah Consumer Privacy Act (UCPA) | ✓ | ✓ | ✓ | ||||
| Virginia Consumer Data Protection Act (VCDPA) | ✓ | ✓ | ✓ | ✓ |
One exception to the U.S. opt-out consent requirements is the collection of sensitive personal information.
Most U.S. laws obligate businesses to obtain opt-in consent to collect this more vulnerable data type.
You must also obtain opt-in consent from users under U.S. state laws to collect data that is outside the scope of what would be considered “reasonably necessary.”
Types of Consent You Need To Know About
Now that you know how data privacy laws describe consent management requirements, I’ll briefly explain the difference between opt-in and opt-out consent.
Opt-In Consent
Opt-in consent requires users to take an active action to denote that they agree to give their consent for a specified purpose.
For example, checking an unmarked checkbox or clicking a clearly labeled ‘Agree’ button.
The GDPR requires opt-in consent whenever consent is used as your legal basis.
Additionally, several U.S. state-level privacy laws require you to obtain active, opt-in consent to collect sensitive personal information from individuals.
Opt-Out Consent
Opt-out consent requires users to take active action to indicate that they do not agree to something.
For example, they might uncheck a pre-ticked box, click a ‘Reject’ or ‘Do Not Sell My Personal Information’ button, fill out an online form to withdraw their consent, or even send out an e-mail to indicate their intention to opt out.
U.S. state-level privacy laws typically require opt-out consent, specifically for processing purposes like the sale of data and targeted advertising.
Additionally, under various laws, such as the GDPR or CTDPA, users have the right to withdraw their consent (or change their mind) at any time and it must be offered to them in a way that is as easy as it was giving consent.
Personalized Consent
Personalized consent refers to giving website users the ability to choose which specific cookies they agree to have placed on their browsers.
Providing users with this type of preference center gives them more granular control over what data collection and processing they agree to.
For example, they might agree to analytics cookies and essential cookies but opt out of trackers used for targeted advertising.
Using a consent banner on your website that supports personalized consent may help you retain more data, as privacy-conscious users might choose to accept some cookies rather than broadly opt out of everything.
How To Easily Manage Consent
The easiest way for websites to manage user consent is to use a Consent Management Platform (CMP).
As long as you know what laws apply to your business, using a CMP can help simplify the entire process of consent management.
Here’s how easy it is to use Termly’s CMP:
Our CMP is configurable to comply with laws in 80 different regions worldwide and is also:
- A Google Certified CMP Partner
- Supports the most recent version of Google Consent Mode
- Compatible with the IAB TCF v2.2
Folks who may be less familiar with privacy laws will enjoy how easy it is to use and install and can always contact our awesome customer support team for extra help.
But it also has plenty of advanced features and additions for those with more technical knowledge and data privacy experience.
Enter your website URL below to get started for free!
Wrapping Up Consent Management
For businesses operating online, it’s crucial to prioritize consent management to stay on top of current and future privacy laws and show consumers you respect their personal information.
It will increase your business accountability and consumer trust, as it shows that you process personal information ethically.
Ensure you present your users with a compliant consent banner and keep them properly informed with an up-to-date cookie policy.
Use our CMP to eliminate the guesswork of consent management so you can focus on what matters most — your business.
More about the author
Written by Teodor Stanciu, CIPP/E, CIPM
Teo is a Data Privacy Specialist and experienced Data Protection Officer (DPO) who is passionate about helping companies meet their data protection obligations. He has an experience of more than seven years as a DPO for an international organization active in 50 countries and based in Brussels, Belgium. Teo is a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) with the International Association of Privacy Professionals (IAPP).
More about the author
