The do’s and don’ts of selecting a Consent Management Platform

Choosing a Consent Management Platform (CMP) is a big step in an organization’s privacy journey.

Organizations facing this step often have reached one or more tipping points – multiple websites and apps, an increase in the number of applicable jurisdictions, a business need to collect and use more data, and/or a business need to increase the granularity and sophistication of data use.

The technical, procedural, and business goals and constraints involved can make the selection process complex and require input from a variety of stakeholders with sometimes competing points of view. However, there are some quick tips that can help an organization prevent the CMP selection tipping point from becoming a tripping point.

Do:

• Assess your needs
• Research thoroughly
• Focus on user experience
• Consider integration capabilities
• Plan for scalability

Don’t:

• Rush the decision
• Overlook hidden costs
• Ignore user feedback
• Neglect training and support
• Choose based on price or brand name alone
• Forget to plan for implementation

DO: Assess your needs

Different consent management platforms tackle different pieces of the permissions puzzle and in different ways. Some tools best manage a single type of consent, like cookie consent, or consent rules in a specific jurisdiction. Other tools are more global in nature, handling different jurisdictional rules across different types of consent.

Related to this point, it may be useful to initially define “consent” broadly when considering needs – data use consents for data collected through websites/apps/paper forms/other methods, cookies and trackers preferences, communication preferences, consents related to specific practices (like automated decisions, third party sharing), and even individual rights requests are all possible ‘consents’ that may be useful to handle through a consent management platform.

Your needs may not be that complex, but if you start broad and whittle down, at least you will not have missed any important requirements.

Your organization’s technical environment will also be important to consider. A deep understanding of any needed system integrations and how those will need to happen will be critical to any consent management platform selection process.

Depending on the scope of your organization’s needs, understanding integration with third parties may be an important consideration. That is, where your organization is responsible for passing consent information to third party vendors and partners, the consent management platform you select can facilitate that information sharing – or not.

The external regulatory environment also plays a role. Some jurisdictions are beginning to expect a consent experience that links preferences a customer expresses in one place to other areas. For example, in the United States, California’s regulator expects that an authenticated consumer request to not sell/share their personal information expressed through a cookie consent modal will be replicated elsewhere in the organization via OOPs or UooMs.

Similarly, your organization may operate in jurisdictions that require opt in, opt out, or hybrid models. Even in a single jurisdiction, your organization’s data use practices may require one or multiple consent models. Regardless, understanding needs related to internal and external requirements will help you make the best possible purchasing decision.

The internal culture of your organization also plays a role in needs. How resistant are employees to change and new technologies? How supportive of training time is leadership? Does the user interface need to be easy, or can internal users handle some technical complexity? How supportive would internal network admins and technical support staff be for a new vendor-provided technology? All these internal factors will determine needs related to ease of use, training, and on-going support.

Finally, it may be important to retain legacy consent data. Determining whether and how to maintain pre-platform consent data will be important to the overall transition plan. The ease of migrating data to the new platform or plan for retaining elsewhere is an important consideration when building requirements.

DO: Focus on user experience

Also defining “user” broadly can help you identify all stakeholders who might be advocates – or detractors – of any tool you bring on board. Not only may the privacy team fall under the definition of “user,” but also so may technical teams who will oversee current and future integrations, purchasing or legal partners involved in third party management, and marketing and sales departments who may be impacted by consent experiences and reporting abilities.

If the tool includes external-facing interactions to capture consents, consumer acceptance of those experiences will be equally important. Getting input from potentially all these stakeholders and more will result in a better, more widely accepted decision.

DO: Consider integration capabilities

If your current state of managing consents is a manual or semi-manual process, it can be hard to imagine life in the automated world. One of the intrinsic benefits of some consent management platforms is the ability to integrate into and act on databases with a minimum of human involvement.

As you consider consent management tools, consider the opportunities to integrate, how integration impacts the price of the tools you are considering, and whether the benefits outweigh any additional cost. Remember that integrations can impact implementation costs as well as licensing fees when doing your cost-benefit analysis. It’s also important to consider how quickly the platform can collect and redistribute consents downstream.

DO: Plan for scalability

Will your organization move into additional markets? Will it establish new web and app properties? Will new programs bring in new data and data use opportunities? Will your organization add new databases and/or third-party relationships?

Just as a ball player throws the ball to the point where the receiver will be, rather than where the receiver is in the moment, thinking ahead to the near and midterm future can help future-proof your purchasing decision. Consent is constantly evolving, and you need to choose a platform that can grow with you rather than restrict you.

DON’T: Rush the decision

It takes time to talk with multiple stakeholders, build accurate and complete requirements, research vendors and vendor capabilities in the marketplace, build a thoughtful CMP Request for Proposal (RFP), take and consider proposals, and decide. Add in the complexity of doing technology, security, and privacy assessments, it is reasonable to expect that the process could take a full annual budget cycle. Leaving enough time to decide will help ensure that it is the right decision.

DON’T: Overlook hidden costs

Sometimes the licensing fee of any technology can be the least expensive part of a transition. Implementation work, licensing fees for compatible software/hosting or new hardware costs, maintenance and update costs, human costs for training and ramp-up time, and the need to run parallel systems for some period of time are all costs that are not always anticipated.

As mentioned previously, it may be necessary to either store legacy consent information or migrate it onto the new platform, both actions of which may incur costs. Additionally, some vendors charge premium fees for higher levels of customer service, training, and transition work. Also watch out for big price increases – some vendors offer low or even free services to begin with before hiking up costs in contract renewals.

DON’T: Ignore user feedback

Especially when stakeholders express conflicting views, it is tempting to ignore some stakeholder feedback in the interest of getting to a decision. Dissenting opinions, though, can be enormously useful in anticipating and solving possible problems. Listen to all points of view, especially dissenting views. Even if a purchasing decision goes against a person’s or group’s advice, that advice will help the organization navigate or prevent pitfalls.

DON’T: Neglect training and support

Even the most intuitive of systems will require training and support. Strongly consider the level, duration, and customization of training and support you will get from vendors as part of the package. Ask what documentation and support the vendor provides, and in what languages. Also consider post-go-live support needs. As workers move roles and leave the organization, new workers will need to be trained and supported over time.

DON’T: Choose based on price or brand name alone

Admittedly, few privacy offices get a blank check for technology purchases. It is important to set a reasonable budget and consider price when vetting consent management platform vendors. However, price is one of many factors, and sometimes a slightly higher price up front can save money, time, and risk down the road.

Similarly, often consent management platform market leaders have developed their good names because of good technology, user experience, prices, and support. That said, a name brand does not guarantee either good fit for your organization’s situation or the best product value in the marketplace. It takes some time to develop a name, and unless that vendor has continuously improved its product, over that time other vendors may have made advancements and represent a next-generation solution.

DON’T: Forget to plan for implementation

Any technology implementation can be painful. When considering vendors, ask detailed questions about the implementation process your organization can expect, which organization is responsible for what types of activities, and what skill sets are required. Change management, testing, training, and transitioning from legacy systems to the new platform are also implementation steps that can make or break an implementation.

Though selecting a consent management platform is an important step in an organization’s march towards privacy maturity, it does not have to be a daunting task. Sometimes just knowing the questions to ask is the path to success, and the above list can help.