Online privacy and data have always been the headlines of the adtech industry. Especially, whenever someone announces a new law to scrutinize the obscure ecosystem, it’s all chaos. The most recent stateside privacy laws CCPA and LGPD are clear examples. Besides giving birth to a new role, the privacy laws have led us to deal with yet another three-word acronym – CMP expanded as ‘Consent Management Platform’.

Whether you’re a publisher, adtech vendor, or marketer, you need to know what a CMP is and how it supposed to help you comply with different privacy laws and regulations. Else, you wouldn’t be able to process and use the data (of several users belonging to the countries) to run advertising on the open internet.

Almost 8.4% of internet users are from the EU (Src).

So, we know CMPs are going to be a to-do list of every publisher. That’s why we created this status page. It keeps you on track with the CMP and gives you a glimpse of where are we headed with the technology. Let’s dive in.

Table of Contents

Consent Management Platform (CMP)

First thing first. What is CMP?

Simply put, Consent Management Platform (CMP) is a platform that can be used by the publishers,

For requesting, receiving, and storing users’ consent. For storing the list of preferred vendors along with why they’ve been collecting the users’ information. For updating the collected consents (if a user-triggered the action).

A user can set their consent status for all the vendors (individually or in a bulk manner) on a publisher’s site. CMPs will employ a user-friendly interface to let consumers allow/disallow vendors to track, target, share their online footprint.

IAB Europe defines CMPs as,

“A company that captures and stores a Publisher’s preferred vendors and purposes and will also retrieve or set the vendor consent status of a user through a third-party cookie available to all CMPs.”

A CMP can employ a pop-up modal (as shown above) to collect the users’ consent. Once the consent is given by the user, a CMP can distribute the same throughout the supply chain to deliver ads. If the user doesn’t give any consent, a CMP will only trigger certain tags to collect generic and accepted information.

For instance, if you haven’t agreed to let advertising vendors process your information, you’ll be shown a contextually-relevant ad. The ad is purely based on the content of the page.

Moving forward, there are four core functions of a Consent Management Platform:

Consent Notification: A CMP is responsible for providing the users notices about the data collection and processing of data (PII and Non-PII). Consent Capturing and Sharing: An ideal CMP stores the users’ preferences in an IAB-compliant cookie so that it can share legally with the approved partners. Users’ Privacy Preferences: A CMP provides multiple options to the users to exercise consent at granular levels. Compliance Proof: A CMP provide the access to log data and audit it.

Why does a publisher need a Consent Management Platform?

Typically, publishers, directly and indirectly, collect a set of information (Both PII and non-PII) to target ads and deliver personalized Ad/Content experience to a user. As per GDPR guidelines, publishers have to “unambiguously” get the users’ consent for collecting, processing, and using their data. That’s where the Consent Management Platform comes in. Of course, we’re referring to EU users.

Without CMPs, a publisher might take a deep revenue cut, as digital advertising is the major source of revenue for many publishers. Though we can show contextual ads, both users (for lesser relevance) and publishers (for deprecated CPMs) hate them. To sum up, you need a Consent Management Platform if:

You are using the personal data of your website visitors for purposes like behavioral targeting, analytics, content or ad personalization, or any other kind of remarketing.

You are using behavioral data for automated decision making.

You are sharing/transferring data of your website visitors.

What if a CMP violates the rules?

The consortium (IAB Europe) will determine whether to let CMP continue the integration with the publisher, based on predetermined procedures and norms.

Rules?

A CMP can read the vendors and users’ consent status of a publisher, it partnered with. And, it may use a first-party cookie or a third-party cookie (global) to function.

IAB Europe requires it to protect and pass the information in an authorized/agreed manner. And, it has opened registration for CMPs and has a list of registered ones too.

Is it compulsory for publishers to work with a CMP?

No, it is safe to have a specialized entity in place. Also, publishers may choose to act as a CMP. That being said, it is essential to pick the right vendor and implement CMP properly.

During November 2018, a French adtech company named Vectaury got sued by the data protection authority, Commission Nationale de l’informatique et des libertés (the CNIL). Do you know why?

The CMP implemented by the company wasn’t complying with the law and hence, the collected consent isn’t valid. From language to UI, several things were questioned. As a publisher, you should know whether your CMP is valid. Either you can use IAB’s CMP validator or breakdown the CMP yourself to know what’s happening.

Wait, what is the IAB CMP validator?

IAB Europe initiated the development of a tool to validate CMPs. The CMP validator was developed by The Media Trust and you can access it via The Media Trust platform. It validates whether a CMP’s code conforms to the technical specifications and protocols detailed in the IAB Europe Transparency & Consent Framework (Framework), as per the press release.

What do you need to keep-in-mind?

CMPs will be growing over the EU region similar to SSPs and DSPs. Premium publishers, who are capable of maintaining a dedicated in-house for consent management can try to avoid external help. When it comes to the mid-range market, it is advisable to partner with the registered CMPs. Besides, there are a few open-source CMPs available in the market (similar to prebid), with the help of which mid-market publishers can customize and implement CMPs in-house.

The system is flexible. It means, IAB Europe is planning to optimize the rules and regulations, technical standards, etc. based on the feedback from the market.

Publishers have complete power, even after they partner with an external CMP. They decide the UI, vendors, information sharing, etc.

The maximum validity of user consent should be 13 months.

Here‘s how the Consent Management Platform distributes the consent to the ecosystem.

Any CMP Suggestions?

Without a doubt, there are almost a hundred CMPs in the market and all claim to be the best. To ease your decision-making process, we’ve gone through a couple of sources and listed the top 5.

From the Adzerk CMP report:

1. OneTrust (IAB-Registered).

2. Quantcast (IAB-Registered).

3. TrustArc (IAB-Registered).

4. Cookiebot (IAB-Registered).

5. Crownpeak.

From BuiltWith CMP Market share data:

1. Cookie Notice (WordPress Plugin).

2. Cookie Law Info (WordPress Plugin).

3. TrustArc Cookie Consent.

4. ShareThis CMP System.

5. UK Cookie Consent (WordPress Plugin).

Image Source: Builtwith Trends.

How’s the CMP Adoption Rate?

CMPs are gaining adoption constantly across the markets. UK publishers are leading the race (as of Q3 2020, almost 40% of the US publishers have implemented CMP). A considerable amount of publishers are using the Open source code provided by the AppNexus.

Image Soucre: AdZerk

Conclusion

It is a fact that data runs the advertising and without it, many would struggle to even exist let alone thrive. Users, on the other hand, are becoming more concerned about their data and online privacy. We see the GDPR and the CMP as a way to satisfy both parties. Unlike walled gardens, users are given complete freedom to handle their data through CMP and as per Quantcast, 90% of the consumers gave consent to advertising purposes.

Now, if you have decided to partner with a CMP, then have a look at our list of Best CMPs for Publishers.