The following notes shed some light on what a Consent Management Platform (CMP) is, the consent laws covered by this platform, and some legal context on the dos and don'ts of each consent law.
This document will also cover some of the main AdConsent features. However, for a complete list of the available features and functions, as well as working examples, please check the AdConsent API Reference document.
Brief summary
Why should you use a CMP? A CMP is the linking tool between GDPR, which is the primary regulation in EU law on data protection and privacy, and the IAB Europe’s Transparency and Consent Framework (TCF). IAB TCF is the GDPR consent solution built by the digital advertising industry, and it is the standard used by the majority of vendors in the advertising business.
A CMP allows a publisher to obtain, manage, and propagate the user's consent for the publisher's site and across all its associated vendors. This means full compliance with privacy regulations and opens the door to ad revenue optimization by using, e.g., targeted ads from third parties. Most vendors will adopt a conservative approach to processing user data in the absence of user consent, so implementing a CMP on a publisher site that relies on ads to subsist will ultimately lead to better revenue in the areas where consent is needed.
Consent Management Platform (CMP)
For some years now, there has been increasing concern regarding individuals' data privacy and their right to keep various types of data private, so that it is not shared either manually or by automatic processes. The greatest step in that direction was taken by the EU in 2018 when they ratified the GDPR regulation, which brought a myriad of changes to the way an individual’s data could be stored, processed, transferred to another entity, or even disposed of.
The main takeaway from this law was the need for user consent before this data is processed and stored by third parties, which raised the problem of how to obtain this user approval (or refusal) so that companies handle user data within the law. This was even more complex in the digital world, where the user data obtained by a company is most of the time quite invisible to the user, leading to individuals not even knowing they are sharing data with these entities.
To solve this problem, the CMP role was created, and the Interactive Advertising Bureau (IAB), among other entities, created a framework to inform users about their rights, obtain their consent choice, and pass that consent on to all the involved parties that need consent to handle user data in some way.
So, what is a CMP? A Consent Management Platform is a piece of software that enables a website or application to comply with GDPR, CCPA and other data privacy regulations. CMPs allow the sites to inform their users about the types of data they want to collect and ask them for consent for specific processing purposes.
A CMP allows you to:
Display a consent banner and/or popup to users
Collect and handle user consent
Execute tags used in ad networks, analytics or others based on the user's consent choice
When should you use a CMP?
Getting a visitor's consent is required to collect data when the visitor and/or the company collecting the data falls under a specific privacy law. A CMP helps you manage your compliance with these regulations effectively. To find out whether or not you should use one for your website, app or product, check if it performs any of these actions:
applying personal data for purposes such as remarketing, content personalization, behavioral advertising, analytics, email marketing
automation of decision making e.g., profiling
transfer of data overseas: mostly applicable to organizations processing EU residents’ data outside of the EU
If any of the above apply to your business or site, getting a CMP will most likely be an important add-on to consider, and that's where AdConsent comes in.
Supported consent laws
AdConsent currently supports two different consent laws: the European Union's General Data Protection Regulation, a.k.a. GDPR, and the United States California Consumer Privacy Act, a.k.a. CCPA.
GDPR
The General Data Protection Regulation (GDPR) is a European regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA), which also addresses the transfer of personal data outside the EU and EEA.
Its primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It replaced the Data Protection Directive 95/46/EC and went into effect on the 25th of May 2018.
This regulation contains provisions and requirements related to the processing of personal data of individuals who are located in the EEA, and applies to any company, regardless of its location, as long as it is processing the personal information of individuals inside the EEA.
The full text of the regulation can be found here.
To implement this consent law, AdConsent uses the IAB Transparency and Consent Framework (TCF) version 2.0, which is standard for most of the big players in the internet market. You can find more details about the TCF 2.0 specification on the official IAB TCF 2.0 page.
AdConsent is an IAB Certified CMP and appears on the official TCF 2.0 Certified CMPs list.
Because the IAB TCF 2.0 is built upon the GDPR regulation, CMPs that want to be TCF 2.0 compliant must follow a set of policies and directives. Some of these policies and directives include minimum acceptable dimensions for the banner or popup to be shown to the user, opt-in and opt-out buttons with equal prominence, and the obligation to show specific data and options at specific points in the consent screen navigation. It even goes to the point of having most of the popup labels either coming from the framework itself or being pre-approved texts. This means that the publisher has little freedom to personalize the GDPR banner other than changing some color styles and other CSS that does not disrupt the TCF policies, and three or four very specific labels in the banner that act as a personalized welcome message from the publisher and carry no legal implications for the CMP's compliance with the policies.
AdConsent tries to give the publisher the greatest possible freedom to customize the GDPR consent interface according to the publisher's needs while staying within the GDPR and TCF policies. To know more about what can be done in terms of customization and configuration, please refer to the AdConsent API Reference document or contact your account manager.
CCPA
The California Consumer Privacy Act (CCPA) is a state law intended to enhance privacy rights and consumer protection for individuals residing in California, in the United States. Signed on the 28th of June 2018, it became effective on the 1st of January 2020.
This Act aims to provide California residents with the right to:
Know what personal data is being collected about them.
Know whether their personal data is sold or disclosed and to whom.
Say no to the sale of personal data.
Access their personal data.
Request a business to delete any personal information about a consumer collected from that consumer.
Not be discriminated against for exercising their privacy rights.
CCPA applies to all businesses that deal with Californian users with small exceptions, which you can find by checking the CCPA law here.
AdConsent implements this consent law through the IAB's CCPA Compliance Framework.
CCPA is a privacy regulation with somewhat looser criteria than GDPR, which means that, along with the IAB's CCPA Compliance Framework, the level of simplicity of use and the available customization options are higher than in GDPR. In this case, for example, you don't need to show the consent banner upfront to force the user to choose. It can be brought into view by the click of a link in the publisher's page. The banner itself also doesn't need to comply with any particular styles, directives or even labels, as long as it is visible in the page and correctly informs the user about the actions that can be taken. This means that the publisher is granted a greater deal of freedom to completely integrate this solution into the page's look and feel.
Main features
AdConsent tries to be the most feature-complete CMP while remaining very lightweight. Some of its main features include:
Fast loading UI with a small footprint in terms of number of downloaded files and size
Choice between popup or banner mode for the GDPR GUI
Choice between a popup or link for the CCPA GUI
Includes Google ATP (Ad Technology Providers) vendor list in GDPR consent, so that you don't miss out on any possible consent
Possibility to add a list of custom vendors to the existing ones, in order to cover technology in your website that is covered by neither the IAB vendor list nor the Google ATP list
Possibility to set specific consent for the publisher when in GDPR zone, using the standard purposes and features, some specific custom purposes, or a combination of both
Diverse customization options with simple CSS styles
A complete analytics module that can be enabled and integrated with your own analytics solution (Google Analytics, GA through Tag Manager or other)
Possibility to use AdConsent as a standalone product or fully integrated with AdEngine, resulting in a very simple out-of-the-box solution for your ad stack consent needs
In order to have a full overview of the possibilities, available functions and usage examples, please check the AdConsent API Reference document.
You can also verify a full working example in our demo page.
Integrate AdConsent
If AdConsent is used together with AdEngine, there are no code changes required. You only need to add some privacy information to your page; please follow the Consent Management Page Integration Guide.
AdConsent and Cookies
AdConsent uses cookies to store user consent locally on the device. These are functional and fundamental cookies that store no information other than the consent given by the user regarding the first-party and third-party vendors, thus being legal under any of the current privacy regulations.
Depending on the consent zone, the following cookies may be deployed by AdConsent:
euconsent-v2
Main GDPR consent cookie. This is the cookie holding all the TCF 2.0 needed data in their own format. This cookie can be read by any TCF compliant software.
snconsent
This is Snigel's consent data specific cookie. This cookie holds consent for non-IAB compliant vendors, like some publisher specific vendors or Google third parties. This cookie has a proprietary format and can only be decoded by AdConsent.
usprivacy
This cookie holds the user consent for CCPA zone, using the IAB defined framework. This cookie can be read by any IAB CCPA framework compatible software.
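As an added example (not AdConsent or Snigel code), the JavaScript below reads the two IAB-format cookies described above and decodes them, which is how a site owner can check what consent a tag would actually see. The field layout follows the public IAB TCF v2 and US Privacy specifications; the function names and the sample cookie values, including CMP ID 10, are constructed for illustration.

```javascript
// Added example, not AdConsent code. Layout per the public IAB TCF v2 / US Privacy specs.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Pull one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  const hit = cookieString.split(/;\s*/).find((c) => c.startsWith(name + "="));
  return hit ? decodeURIComponent(hit.slice(name.length + 1)) : null;
}

// Decode the leading fields of the core segment of a TC string (euconsent-v2).
function decodeTcCore(tcString) {
  const core = tcString.split(".")[0]; // optional segments follow after "."
  let bits = "";
  for (const ch of core) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("not base64url: " + JSON.stringify(ch));
    bits += v.toString(2).padStart(6, "0"); // each character carries 6 bits
  }
  if (bits.length < 176) throw new Error("core segment too short");
  let pos = 0;
  const int = (n) => parseInt(bits.slice(pos, (pos += n)), 2);
  const date = () => new Date(int(36) * 100).toISOString(); // stored in deciseconds
  const letters = () => String.fromCharCode(65 + int(6), 65 + int(6));
  // Bit i (1-based, leftmost first) set means purpose/feature i is allowed.
  const setBits = (n) =>
    [...bits.slice(pos, (pos += n))].flatMap((b, i) => (b === "1" ? [i + 1] : []));
  const out = {
    version: int(6), created: date(), lastUpdated: date(),
    cmpId: int(12), cmpVersion: int(12), consentScreen: int(6),
    consentLanguage: letters(), vendorListVersion: int(12), tcfPolicyVersion: int(6),
    isServiceSpecific: int(1) === 1, useNonStandardStacks: int(1) === 1,
    specialFeatureOptIns: setBits(12), purposesConsent: setBits(24),
  };
  if (out.version !== 2) throw new Error("unsupported TC string version " + out.version);
  return out;
}

// Parse the 4-character IAB US Privacy string (usprivacy); "-" means not applicable.
function parseUsPrivacy(value) {
  if (!/^1[YN-]{3}$/.test(value)) throw new Error("malformed usprivacy value");
  const flag = (c) => (c === "-" ? null : c === "Y");
  return { version: 1, noticeGiven: flag(value[1]), optedOutOfSale: flag(value[2]), lspaCovered: flag(value[3]) };
}

// Constructed sample cookies; the TC string holds only the leading core fields, zero-padded.
const SAMPLE_COOKIES = "euconsent-v2=CO5rKAAO5rKAAAKABBENAwCgANAAAA; usprivacy=1YNN";
```

In a browser, pass `document.cookie` to `readCookie`; the snconsent cookie is left out because the page describes its format as proprietary.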