Where Are Companies on the Consent Management Spectrum?
As a Senior Principal in the Promontory Financial Group’s privacy and data protection practice, I consult with companies on a variety of privacy issues related to compliance, risk, governance, and record retention/deletion. I have seen clients both large and small struggle to understand privacy consent management requirements. With impending new regulations—both Virginia and Colorado have recently passed their own state privacy laws, and the California Privacy Rights Act (CPRA), a more stringent version of the California Consumer Privacy Act, will go into effect in January 2023—it’s a challenge that will become tougher over time.
In the past, companies largely viewed data privacy and compliance as a necessary evil to avoid the backlash and PR nightmares that came with significant data breaches. However, companies are now beginning to realize the value of being good guardians of consumer data. That idea has taken off in the last decade or so, with savvy entities (such as Apple) building advertising campaigns around a reputation as a “guardian of your data.”
That’s not to say that every company needs to loudly proclaim itself a “data guardian.” Most companies, however, have seen the writing on the wall. They know that even if they do not do business in California and are therefore not subject to the CPRA, it’s crucial to invest in data privacy and compliance now, as a patchwork of new state laws—largely based on California’s, but with slightly differing nuances—looms on the horizon. That’s why taking the first step—recognizing where your company is on the maturity scale and building a plan to advance—is so critical.
Often, companies think that deploying an off-the-shelf data privacy product is all they need to solve their problems. However, there’s more to it than that. It takes work to integrate products into their existing infrastructure, not to mention developing the change management procedures required to make sure the foundation is in place to properly manage data privacy concerns. There’s more to advancing along the maturity scale than applying a technological solution—although that’s certainly an important part of it. Think of it as more of an evolution, with many moving parts that will involve technology, process improvements, governance, and so on.
Much of the work I do with clients centers around helping them to decide on the best choices they need to make to comply with consent management regulations. That means reviewing a company’s existing technology capabilities, helping them understand some of the choices they provide to customers from a compliance point of view, and working with them on defining these rules and determining what next steps they need to take to improve their consent management processes.
The maturity scale
In broad terms, a company’s position on the consent management “maturity scale” depends on how consent preferences are collected, how they are shared with vendors or other organizations, whether there’s a governing structure around consent management, whether these preferences are managed manually or handled through a CRM system, and whether there are any metrics in place that will allow the organization to determine whether it is following these rules.
Level 1: Ad Hoc
For companies in the “ad hoc” phase, managing consents and preferences is often disorganized. At this level, consent preferences and rules are often manually updated.
This means that consent management is a laborious process, prone to error and misjudgment. Most often, there is no centralized database for consent preferences, and information tends to be siloed. At this stage, any consent preferences are not easily shared with others within the organization.
Level 2: Developing
At this level, if consent preferences are captured at all, they are usually captured in a rudimentary way—such as through email “unsubscribe” links for consumers to opt in or opt out. There is no mechanism for a consumer to know what data the company may have about him or her—and the company usually doesn’t have it organized in any logical way.
Here, companies may also have the beginnings of a consent management strategy, but it is not fully fleshed out. At this stage, companies may have a database of consent preferences, but—again—it is most likely siloed from other critical areas of the company where consent preferences would come into play. Marketing, for example, may not have a process or procedure in place that links it to the consent preferences database.
At this level there will also be early attempts at establishing some accountability for data privacy governance, along with some basic framework for how to deal with privacy choices and preferences. However, this framework may not yet be fully adopted.
Level 3: Defined
At this level, consent preferences are handled in a much more organized fashion, although there is still some room for improvement. Consent preferences are captured on the company’s website and managed separately according to product or service, rather than under a single umbrella.
There’s also much more engagement with developing and maintaining a consistent and coherent data privacy strategy, with regular reviews of policies, rules, and progress.
Level 4: Managed
At the “managed” level, consents and preferences are stored and handled on a central CRM system, and you’ll also find that stakeholders within the company have a thorough understanding of what data is collected, where it’s managed, and how the consent and preferences framework is designed to function.
At this point, consent rules and notice requirements are fully developed and documented, with all stakeholders on the same page. Consent preferences have also evolved enough so that “just-in-time” consent (such as location-based or marketing-based consent obtained at the time of service) can be easily provided.
Level 5: Optimized
Companies at this level have developed a robust and fully mature consent management framework. They have invested considerable resources toward crafting a governance policy that informs their decision-making, and leverage data privacy technology to ensure compliance at every step. And one of the key points here is that companies at this level have also developed consent management metrics, so that they can track progress and spot issues before they become big problems.
Companies with an “optimized” level of consent management employ a privacy hub for preferences that data users can access and update in real time, and consent is also linked directly to the browser data collected and to usage preferences, with integrated content. That means much of the manual work of managing consents and preferences has been automated—including automatically sharing consent preferences with third parties, such as vendors.
Companies looking to enhance their consent management capabilities should consider taking the following steps:
- Review their current consent management maturity with internal stakeholders, to understand the processes, systems, and tools they use to collect and manage customer preferences
- Determine their current consent management maturity as well as where they would like their maturity to be in the short and long term
- Develop a roadmap for improving their maturity through means such as improving governance processes, upgrading IT capabilities, drafting new policies, and procuring new tools