• Marketing
  • Privacy
  • UPCP

Implementing Consent Management for Agencies


Digital agencies often serve as the connective tissue between organizations and technology. And as data privacy regulations continue to expand and evolve, agencies will need to stay on top of how these regulations to continue to  responsibly, reliably, and effectively serve their clients.

Adweek reporter Trishla Ostwal’s sources tell her that “agencies are commonly being asked to address privacy in RFPs and clients are conducting data audits on potential agency partners. Clearly suggesting that privacy has become a deciding factor.” Her recent Adweek article notes that “media agencies are expanding their competencies and shifting away from leaning solely on legal teams” (Ostwal and Morley, 2022). [1]

To explore this transformation and its impact, Ostwal was joined by  President and Founder of website solutions company Digital Polygon, John Doyle and CPO of media agency UM, Arielle Garcia at the 2022 Summer Spokes Technology Conference (held June 22-23). The discussion, Implementing Consent: A Plan for Agencies was moderated by WireWheel VP of Marketing, Judy Gordan.

The industry perspective

Agencies are expanding their competencies and shifting away from leaning solely on legal teams. This traces back to GDPR, after which agencies invested (requiring investments in the millions) in building privacy departments.

—Trishla Ostwal, Adweek

“Some agencies have moved towards hiring data officers to keep up with all the privacy regulation changes,” notes Ostwal. “They have also gone on to build privacy task forces that span departments. Some collaborating with organizations like the IAB and others taking an inhouse approach and acquiring data companies.”

It comes down to client expectations, and “simultaneously, agencies are substituting for cookie deprecation with solutions such as data clean rooms. However, the industry is still in a nascent stage,” as it looks to develop that ‘one solution fits all’ approach.

The media company perspective

“That’s very much aligned to what we’re seeing on our side,” concurs Garcia.

“We have a privacy task force that spans all of our specialty units, and we collaborate with industry groups. The reason that we did all this (several years ago now) is because we knew that we needed to be there to support our clients.”

The reality of where agencies sit – and because there’s so much ambiguity in the law and different positions that everyone can take on the client side, the publisher side, the ad tech side, et al. –  is in this unique position of needing to play matchmaker. Understanding what the requirements, risk appetite, or interpretation that a brand is taking.

—Arielle Garcia, UM

“This has required us to really get into the weeds of understanding partner practice and a core reason we’ve started proactively having client privacy discussions,” she says.

“We created something called a client privacy primer dialogue that is now evolving into regular check-ins and being incorporated into quarterly business reviews because there’s so much change in this space.”

WireWheel's Universal Preference and Consent Platform: The Easiest Way to Manage Preferences and Consents

Learn More

The development agency perspective

“There’s three key buckets that we’re seeing,” says Doyle:

  1. Understanding where your data lives and how it’s used by different groups within your organization. It’s not just cookies. It’s not just web. It’s not just consent…it’s also how you use that data, how you pass it to subprocesses, and where it’s stored.
  2. The facilitation of rights requests (such as DSARs) has to be compliant with all the new laws. And your website and applications facilitate implementation of these.
  3. Managing, tracking, and integrating consent, and ensuring consent is distributed to downstream systems. It is critical to have a central source for that consent as a lot of enterprise ecosystems are distributed and there can be a lot of duplicate data.

Additionally, different departments (say sales and marketing) might not talk about how they’re using information differently and it requires deeper data mapping and understanding of your ecosystem so that you can map out how consent is collected.

It goes far beyond just cookie consent and whether or not I’m setting third-party pixels.

—John Doyle, Digital Polygon

“Like everyone else, we’re trying to stay up to date with a law, the client’s interpretation of those laws, and how we translate that into implementation.”

The questions behind the question

“It’s definitely a mixed bag,” opines Ostwal.

“To say that it’s only the demise of third-party cookies that’s driving conversation would be inaccurate.”

It’s also a lot to do with the regulatory proceedings and the agency folks are asking “what are the differences? While there is a 65% semblance amongst the state laws, the 35% difference can cost them a lot to comply with each State. California alone is an investment in the millions….

And if you don’t adhere to all the provisions, you risk a penalty, so it’s a lot of money at the end of the day.

—Trishla Ostwal, Adweek

“I think [everyone] just wants to get things right. But to get things right at such an early point” is a real challenge.

“Privacy has become a catch all to encompass everything,” opines Garcia. “Regulatory developments, third-party cookie deprecation – just ID deprecation – and its limited availability, scalability, and addressability in the future. We are infusing that privacy related thinking in everything we’re doing.”

As we evaluate partners and their identity solutions, we’re asking the question behind the question. Everyone says that their ID’s consented, that they honor rights and preferences.

It means nothing until you understand the details of what that actually looks like. That’s what we and the brands that we serve need in order to make an informed decision on what a durable and responsible solution looks like.

—Arielle Garcia, UM

“It is early to get it right, but you’re going to be closer to right if you’re erring on the side that aligns with regulatory trends (which are just a codification of consumer expectations of choice),” asserts Garcia.

“There are these really interesting operational challenges that we’re navigating,” she says. “And the important part of all of this is that we’re steering towards a place that aligns to consumer expectation. Otherwise, we’ll find ourselves in this whack-a-mole environment until we get there.”

Who’s in on these conversations?

Garcia wants everyone in on the conversation: marketing, technology, media, privacy, and legal.

In my experience everyone’s very focused on their first-party data assets and they’re not necessarily as well versed in what’s happening downstream. This is quite challenging and it’s a big emphasis for regulators.

What we’re really trying to do is break down those silos where they exist. The good news is, I’m increasingly seeing more of that happening organically.

—Arielle Garcia, UM

Doyle sees the legal team reaching out to marketing and asking “are you complying with these new regulations? Tell me what data you collect? Which third-party systems you use? How are that data used? Making sure there’s an understanding of what’s being done and communicating it with their audiences.”

Unsurprisingly, organization impacted by GDPR brought more people to the table earlier while those based in the U.S. “are not worrying about it yet (because legal hasn’t yet come and yelled at them). More likely than not it’s going to turn into the same type of firefighting situation that we saw with GDPR,” submits Doyle.

Avoiding whack-a-mole

“The first step is getting a team together that’s going to own privacy at your organization,” avers Doyle. And it should be cross functional so you can gain a full understanding of the impact.

Organizations also need to understand the cost of implementing piecemeal vs. globally vs. facing fines if they decide not to implement.

Depending on what your organization does and how much revenue you generate from these different means – and across different States – that answer will be different.

—John Doyle, Digital Polygon

“I’m always going to fight for a user-first mindset. Trust is an economy that’s going to continue to grow,” asserts Doyle. “Sometimes that conversation is harder to sell to marketing executives who have to hit numbers and getting everyone in the same room helps build that consensus.

Garcia suggests that as marketing works to figure out their first-party data path forward, there is an opportunity to mitigate friction and align workstreams to support tech decisions that can serve both means and ends.

A preference center can enable greater consumer insight and facilitate zero-party data collection: there are some really unique opportunities that start to surface.

When you have all of the right folks at the table and are putting a consumer lens on all of this from a consumer experience and trust…it makes this more of an investment than a compliance costs.

—Arielle Garcia, UM

Honing the value of trust

There is an early group of actors that look to make privacy a differentiator, says Garcia, “like the Apple approach. I think we are increasingly going to see more of this as the realization settles in that everyone wants to optimize their first-party data collection and utilization.”

Ostwal avers that “for agencies, brands, publishers, there’s just one question: How do we hone consumers trust?”

They’re also trying out new solutions like a customer data platform or data clean room, or sometimes combining the two as we’ve seen in recent partnerships. But there’s still a lot of questions:

How do we maximize zero-party data? First-party data? And what’s the difference between the two?

—Trishla Ostwal, Adweek

As WireWheel’s Gordon notes, “this may be easier for some brands than others. For example, Brands that have a direct relationship with consumers versus those that are B2B.”

The traditional macro-level advice is if you have the opportunity to collect first-party data, get the infrastructure in place to have a single view of the consumer and the ability to respect their preferences and orchestrate that downstream.

If you’re a consumer packaging group, for example, you’ll probably be more reliant on smart partnerships. But there are still ways to enhance the connection with consumers authentically and data does become a byproduct.”

For a lot of brands, investments are focused on making the switch from third-party to first-party data. The key opportunity is to make privacy, consent, and preference the foundation. Then build your first-party data on top of that so you already have the leverage in place to control how data are used with different applications.

—John Doyle, Digital Polygon

“For companies that aren’t using a ton of first-party data, regulations will increasingly, impose obligations with respect to rights requests. So, even if you don’t think you’re using first party-data, it’s worth doing that data mapping exercise to understand the processing on your behalf by your partners,” cautions Garcia.

“If you’re not using a lot of first-party data you’re unlikely to have as robust an infrastructure and so it’s never too early to start thinking about what investments may be needed.”

[1] Privacy Orgs Are Media Agencies’ Next Big Investment (paywall)