Articles

What to expect when implementing consent management software

Written by Matt Davis, CIPM (IAPP) | August 29, 2022

You understand the importance of data privacy compliance, the ins and outs of cookie consent, and how a consent management platform can help; but what will the actual experience of implementing a CMP be like?

In this blog, we’ll describe exactly that. First, we’ll focus on what to expect during the implementation process itself. Then, you’ll learn what you can expect after implementing your CMP. Finally, we’ll talk about how you can maximize your outcomes both during and after the implementation process.

What to expect while implementing a consent management platform

For now, it’s still relatively uncommon for organizations to keep a dedicated compliance professional on payroll. That means that identifying the need for, evaluating, and implementing compliance software like a CMP often falls to whoever owns the website. Compliance isn’t their main job; they’re just stuck with it.

If you count yourself among that number, you may be wondering how much work is involved in the implementation process. While different products can be more- or less time-consuming, implementing a CMP generally involves the following steps:

  1. Add the CMP code to your website: This may range from a single line of code to several, possibly requiring variations to account for your unique configuration.
  2. Configure the consent management settings for the relevant jurisdictions: Different regions have different requirements and standards for collecting user consent. In the EU, you may have to ask users to take an action (like clicking a button) to indicate whether they accept all data trackers, specific ones, or don’t consent to any trackers at all. In many US jurisdictions, you may just have to indicate that you’re tracking user data and link to a means of opting out of data collection.

    Your CMP will need to know where you operate, what consent management settings are appropriate for that region, and whether you want an elevated level of compliance (such as applying EU consent standards in US regions).
  3. Configure tracker blocking: Not all data trackers are treated equally under data privacy regulations. Some are essential to your website’s functionality and can’t be blocked; others, merely improve the browsing experience; still, others track user behavior and follow them from site to site. CMPs need to know which trackers belong to which categories so they can be blocked or permitted based on the user’s preferences. There are a few different considerations related to this step that we’ll talk about in more detail later on in this article.
  4. Customize: You don’t want your cookie banner to look like everybody else’s out there — you want it to match your brand! CMPs provide varying degrees of customizability for their cookie banners to give brands control over the overall look and feel.

    It’s important to note that too much customizability can be a bad thing: if you tweak the banner too much, you might stray out of compliance with certain data privacy regulations. Ideally, your CMP gives you the ability to customize your banner but provides guardrails to prevent you from accidentally becoming non-compliant.

Classification is the hardest part of this process

Generally speaking, the most difficult part of implementing a CMP will be configuring the rules and mechanisms for tracker blocking (i.e., step three in the list above). In order to comply with any and all data privacy laws, you need to know:

  • Which scripts are essential for your website to function
  • Which collect anonymized analytics data
  • Which improve functionality, but aren’t essential
  • Which are used for targeted advertising or other marketing purposes

Then, your CMP can block or permit these categories of trackers according to the user’s preferences. But first, the CMP needs to know which trackers belong to which categories.

Depending on how your CMP actually conducts the blocking, this can be quite tedious. For example, some CMPs require an integration with your tag management system, which can be quite tedious to implement and maintain.

Tag management systems help businesses manage the pieces of code that drop cookies or track user behavior on your site. Since they create the tracker initially, many CMPs interact with this system to allow or block trackers at their source. The problem with this approach is that it requires a CMP to be integrated with individual tags within the system, which quickly becomes complex.

This isn’t the only approach, but it serves as a good example of what to avoid in a CMP. CMPs that require fiddling with the backend of your website or additional coding in order to classify and block trackers will be difficult to set up and maintain. A simpler approach (and the one that Osano takes) is for the CMP to work on the client side — once a CMP that takes this approach knows the categories of different trackers on your site, it blocks the trackers from the visitors’ browsers. This way, website visitors don’t get tracked, and you don’t have to mess around with your website’s backend.

What to expect after implementing a consent management platform

A drop in web data

Before implementing a CMP, you wouldn’t have been asking for user consent prior to tracking them. Because implementing a CMP means asking for user consent, you will inevitably see a large chunk of your web data disappear. There is no way to be compliant with data privacy laws and not have some amount of web data disappear off your radar; asking for consent or giving users the option to opt-out of collection means some of those users won’t let you track them.

This can be a shock to your marketing team. If you operate within a jurisdiction that requires opt-in consent before you can track your users, it may be a very big shock — like seeing half of your web traffic disappear. In other regions that only require you to provide users a means of opting out, it may only have a small impact. In either case, it will be a noticeable dip that you should be prepared for.

Semiregular maintenance

For the most part, CMPs won’t require significant upkeep. Instead, you’ll only have to update your CMP when you add new scripts to your website. For some businesses, this can occur quite frequently; for others, it’s a rare occurrence.

Your CMP needs to know what data privacy category the new scripts belong to (i.e., essential, analytics, functionality, or marketing) so that it can block or permit it appropriately. Thus, it’s important to consider how your chosen CMP approaches the classification and blocking of trackers, as described above. If it requires fiddling with the back end of your website during initial setup, it’ll require that same fiddling every time you add new scripts.

How to maximize your outcomes during and after implementation

Be transparent and have a communication plan

Implementing a CMP can have an impact on several different groups in your organization. Make sure you communicate:

  • The marketing team should expect a decrease in web data
  • The development team needs to classify new web scripts into one of the categories we listed above to make it easy to integrate with your CMP
  • The legal team should be aware of the need to update the cookie banner if the company’s policy changes

Select a solution that makes classification easy

Since classifying the categories of trackers on your website is often the most time-consuming part of a CMP setup and since you’ll have to repeat this activity when adding new scripts to your website, it’s important to evaluate a solution based on this feature. Ask how this process works whenever you book a sales demo.

Look for a happy medium of customizability and guidance

Businesses can and do get penalized for presenting manipulative and/or misrepresentative cookie banners on their website. Some businesses even make it more difficult to opt-out of data collection by forcing users to make additional clicks or to navigate to separate pages.

There are a ton of minor requirements around cookie banners. A good CMP will have all of those requirements baked in and will prevent you from changing your banner in a way that violates data privacy laws. Total customizability is often a desirable feature in software, but that’s not the case when it comes to compliance.

Start your evaluation process here

If you’ve educated yourself about the why, what, and how of data privacy compliance and are gearing up to evaluate CMPs, start the journey with Osano. Our experts are always happy to help answer any questions that you haven’t been able to find in our blog or in other resources. Schedule a demo today.

Or, if you’re not ready for a demo yet and want to learn more about cookie consent management, check out our FAQ on the subject.