Leadership Compass

Privacy and Consent Management

This report provides an overview of the market for Privacy and Consent Management platforms and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing solutions that enable you to collect and manage consent in a compliant and privacy-centric manner.

Anne Bailey

aba@kuppingercole.com

1 Introduction

Nearly all enterprises have an online presence and seek to better serve their customers and end-users by understanding who they are and what they want. Compiling customer profiles from personal interactions has long been standard practice to deliver personalized services, but in the era of tags, cookies, and numerous other technologies that reside on web browsers to gather information, data collection is now considered essential for marketing and functional purposes. Many are first-party technologies set by the site owner, and many are set by third parties that elongate the data value chain beyond the organization’s boundaries. The implicit consent from end-users that such cookies and trackers are active on any site that they visit has been the modus operandi since the mid-1990s, with their derived insights gaining sophistication over time.

Cookies and trackers are highly desirable from a marketing perspective but generate concerns for privacy and use of data without the consent of end-users. There is a wave of privacy regulations across the globe that have been or will be released: EU GDPR, US CCPA, Canadian PIPEDA, Singaporean PDPA, Australian Privacy Act, Brazilian LGPD, Japanese APPI, Indian PDPB, Russian 152-FZ, and many more. Most countries require privacy policies on websites as part of their privacy laws. Vendors did offer enterprise tools to safeguard the privacy of their customer data before the 2018 GDPR, but its release, and the subsequent release of other privacy regulations, have stimulated the growth of Privacy and Consent Management solutions and increased the demand for solutions that offer a path to compliance.

This Leadership Compass analyzes vendors in the Privacy and Consent Management segment that provide tools to manage cookie consent, preference management, privacy statements, data usage, and compliance for global data protection and privacy regulations. These solutions are often called Consent Management Platforms (CMPs), which provide a user interface for end-users to register or revoke their consent and adjust their preferences. There is a clear trend that prioritizes cookie consent management for ePrivacy compliance for companies in the publishing industry, but we consider this market segment to have a broader definition that includes privacy tools for all verticals and for data collected via channels other than browser cookies, attempts to integrate principles of privacy-by-design, and innovative efforts to align the – at times – conflicting needs of marketing and legal departments.

You gain a full insight into the Privacy and Consent Management market with this report. The key capabilities that make a comprehensive solution are explained, and the different approaches that vendors take to providing a solution are evaluated. The leading vendors are identified according to Product Leadership, Innovation Leadership, and Market Leadership, each with detailed profiles and assessments.

1.1 Market Segment

The enterprise Privacy and Consent Management market segment has its roots in processes for the responsible collection and handling of customer data, but has recently entered the public consciousness with the rollout of GDPR regulations and mass data breach scandals. Strict, binding regulation and strong public demand have attracted new entrants to this segment. This has yielded a dynamic and competitive space where vendors provide the means to collect consent for processing of end-user data.

This Leadership Compass analyzes vendors in the Privacy and Consent Management segment that provide tools to manage cookie consent, preference management, privacy statements, data usage, and compliance for global data protection and privacy regulations. These solutions are often called Consent Management Platforms (CMPs), which provide a user interface for end-users to register or revoke their consent and adjust their preferences, together with an administrative dashboard for a customer to customize privacy policies and cookie notifications and to integrate with marketing systems, CRM systems, and analytics platforms. There is a clear trend that prioritizes cookie consent management for ePrivacy compliance for companies in the publishing industry, but we consider this market segment to have a broader definition that includes privacy tools for all verticals and for data collected via channels other than browser cookies. Solutions should attempt to integrate privacy-by-design principles and make innovative efforts to align the – at times – conflicting needs of marketing and legal departments.

The current rapid growth of the Privacy and Consent Management segment for enterprises is dependent on the opposing pressures of marketing technology and the increasing number of privacy regulations. In an ideal world the goals of these departments should be aligned, and with the help of innovative products in the privacy space, they can be. Marketing technology (MarTech) has a strong influence on a company’s revenue, nearly irrespective of industry vertical. In the publishing and content-production industry, revenues can be solely dependent on advertisements and successfully understanding the end-user’s behaviors and interests to deliver personalized ad experiences. This strategy is heavily dependent on collecting personal data from end-users, often through cookies and tracking technology. Collection of this data has come under heavy scrutiny in recent years, with regulation eventually following. The EU was the first region to take meaningful action with the GDPR, ePrivacy Directive, and PECR in the UK. Other regulations from the US and globally are in development, among these being the California Consumer Privacy Act (CCPA). The concern over end-user privacy and data usage predates the 2018 GDPR, and many of the vendors assessed in this Leadership Compass were offering privacy solutions before the GDPR was enforced.

Although Privacy and Consent Management solutions are necessary in all verticals, the business models of publishers and content creators are especially intertwined with the collection of end-users’ data. This causes publishers to have very complex and multi-layered tag and tracker ecosystems. Many CMPs are primarily concerned with creating transparent and standard data exchanges between publishers, advertisers, and the vendors that fire third-party HTTP/JavaScript cookies, HTML5 Local Storage, Flash Local Shared Object, Isolated Storage, IndexedDB, ultrasound beacons, and pixel tags. Gathering consent and implementing end-user choices can be relatively straightforward for first-party owned cookies and trackers – those that are set by the organization owning the website they are fired on – as the process can be managed internally, although this is challenging for companies that own numerous domains and have high volumes of site visitors. Third-party technology under first-party control and wholly third-party cookies belong to a domain that is different from the hosting website, and implementing end-user choices means interacting with external vendors. Piggyback tags are usually from third-party vendors and are invoked by another tag, making it possible for third parties to set cookies on a website without the site owner’s permission or knowledge. These cookies and trackers have many purposes, including personalization and collection of preferences, session management and login activities, and tracking end-user browsing behavior.

Data usage is a key aspect of protecting the privacy and enforcing the consent choices of end-users. Effectively communicating an end-user’s consent choices to relevant departments within an organization as well as to downstream partners in the digital advertising chain is critical to a Privacy and Consent Management solution. This is typically achieved in one of two ways, and sometimes in combination: either by scanning websites for cookies and trackers then blocking these from firing until adequate consent has been collected, or by following the IAB Europe Transparency and Consent Framework (TCF) that whitelists compliant cookie and tracker vendors and proactively communicates via standardized signals. Other data usage aspects that should be considered include, non-exhaustively: data protection (including data minimization, storage limitation, etc.), breach notification, consent per purpose, extension of data subject rights (such as the right to be forgotten), data portability, and Data Protection Impact Assessments (DPIA). Privacy-by-design that considers these aspects should be a goal for all Privacy and Consent Management solutions.

At this point, there are no universally recognized interoperability standards for Privacy and Consent Management. There is a voluntary framework called the IAB Europe Transparency and Consent Framework (TCF) to assist participants in the digital advertising chain – including publishers, advertisers, vendors, and Consent Management Platforms (CMPs) – to meet the requirements of the ePrivacy Directive and GDPR. This is heavily focused on cookie and tracker management by establishing standard signals that indicate an end-user’s consent choice to easily and instantaneously communicate with participants downstream. There are four aspects to the TCF: a Global Vendor List, a Transparency and Consent (TC) String for data storage, an API for Consent Management Providers or Platforms (CMPs) to create and process the Transparency and Consent String, and the governing policies of the TCF. Many solutions covered in this Leadership Compass that specifically serve the publishing industry are certified IAB CMPs, meaning that they offer an option to their customers to configure the CMP according to IAB specifications. The benefits of such a framework include the ability to identify cookie vendors who are also part of the framework, which increases the transparency and auditability of data and consent collection throughout the digital advertising chain.

An IAB-compliant cookie notice shows different categories for cookies than the typical four of strictly necessary, functional, marketing, and analytics. These categories are personalization, linking devices, experience enhancement, and precise geographic location data; the notice also provides information on individual vendors. In an IAB-compliant CMP, consents and preferences are packaged in a standardized payload called the TC String, which carries additional information such as metadata, legitimate interest, publisher restrictions, and specific jurisdiction disclosures. The API provided by the TCF is a standardized means for parties in the digital advertising chain – being a hosting publisher, CMP, or an advertising vendor – to access the consents and preferences in the TC String.
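To make the TC String payload concrete, the following added example (not part of the report) decodes the leading fields of a TC String core segment in JavaScript. The bit layout is taken from the IAB TCF v2 specification rather than from this report; the sample string, the CMP ID 300 and the function names are constructed for illustration.

```javascript
// Leading fields of the TC String core segment: [name, width in bits] (TCF v2).
const FIELDS = [
  ["version", 6], ["created", 36], ["lastUpdated", 36], ["cmpId", 12],
  ["cmpVersion", 12], ["consentScreen", 6], ["consentLanguage", 12],
  ["vendorListVersion", 12], ["tcfPolicyVersion", 6], ["isServiceSpecific", 1],
  ["useNonStandardStacks", 1], ["specialFeatureOptIns", 12],
  ["purposesConsent", 24], ["purposesLITransparency", 24],
];
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// IDs (1-based, leftmost bit = ID 1) whose bit is set in a bitfield string.
const setIds = (bits) => [...bits].flatMap((b, i) => (b === "1" ? [i + 1] : []));

function decodeCore(tcString) {
  const core = tcString.split(".")[0]; // segments are dot-separated; the core comes first
  if (!/^[A-Za-z0-9_-]+$/.test(core)) throw new Error("not base64url");
  const bits = [...core].map((c) => B64URL.indexOf(c).toString(2).padStart(6, "0")).join("");
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    if (pos + width > bits.length) throw new Error("core segment truncated at " + name);
    out[name] = bits.slice(pos, pos + width);
    pos += width;
  }
  const int = (k) => parseInt(out[k], 2);
  const lang = out.consentLanguage.match(/.{6}/g)
    .map((l) => String.fromCharCode(65 + parseInt(l, 2))).join(""); // 0 = "A"
  return {
    version: int("version"), cmpId: int("cmpId"), consentLanguage: lang,
    created: new Date(int("created") * 100), // stored in deciseconds since epoch
    vendorListVersion: int("vendorListVersion"),
    purposesConsent: setIds(out.purposesConsent),
    purposesLegitimateInterest: setIds(out.purposesLITransparency),
  };
}

// Encoder used only to build the constructed sample below.
function encodeCore(v) {
  let bits = FIELDS.map(([n, w]) => (v[n] || 0).toString(2).padStart(w, "0")).join("");
  bits += "0".repeat((6 - (bits.length % 6)) % 6); // pad to whole base64url characters
  return bits.match(/.{6}/g).map((c) => B64URL[parseInt(c, 2)]).join("");
}

// Constructed sample: CMP 300 (hypothetical), language EN, consent to purposes 1, 3, 4.
const SAMPLE = encodeCore({
  version: 2, created: 16000000000, lastUpdated: 16000000000, cmpId: 300,
  consentLanguage: (4 << 6) | 13, vendorListVersion: 48, tcfPolicyVersion: 2,
  purposesConsent: 0b1011 << 20, purposesLITransparency: 1 << 22,
});
```

The per-vendor consent and legitimate-interest sections and the publisher restrictions follow these fields in the core segment and are not decoded here.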

The uncertainty that impending regulation brings for companies creates the conditions for this market segment to develop rapidly. But until the regulatory environment is stable, the Privacy and Consent Management segment will continue to grow with a variety of service offerings to help businesses achieve privacy compliance.

1.2 Delivery models

This Leadership Compass accepted vendors regardless of delivery model, although most are SaaS with an option to deploy on-premise if requested. Vendors that have a strong IAM background deploy on-premise as well.

Privacy and Consent Management solutions have several different approaches that differentiate the suitability of solutions to different contexts.

Analytics/marketing approach vs. compliance approach: solutions tend to have either an analytics and marketing background, or a compliance background. This orients the solution to a slightly different audience within the customer’s organization: either the marketing department by prioritizing the collection of preference data and maximizing the number of consent opt-ins, or the legal department by emphasizing privacy and compliance training for organizations, tools to measure an organization’s progress towards compliance, and in-house legal teams. This distinction is not always black or white. We consider the best approach to be a mixture of the two, where vendors strive to create a symbiotic relationship between legal privacy obligations and generating actionable marketing insights.

Publishers approach vs. general approach: Because the revenue stream of online publishers is often dependent on advertisements, data collected from cookies and trackers is the primary interaction between company and end-user. Solutions for publishers often have robust cookie consent management capabilities, but lack other systematic tools like data inventories, mapping, and tools for compliance progress. Companies in other verticals have a need for Privacy and Consent Management solutions that cover a much wider variety of interactions with end-users, and vendors that have a general approach typically have well-designed data inventory and mapping tools and integrate with CRM and email tools. Determining the better approach here is dependent on the customer’s own vertical and the breadth of their compliance needs.

1.3 Required capabilities

When evaluating Privacy and Consent Management solutions, we begin by assessing standard criteria such as:

  • Overall functionality
  • Size of the company
  • Number of customers
  • Number of developers
  • Partner ecosystem
  • Licensing models
  • Platform support

Each of the features and criteria listed above is considered in the product evaluations below. We also consider unique selling propositions (USPs) and innovative features of products that distinguish them from other offerings available in the market.

Baseline criteria that we look for in a Privacy and Consent Management solution are:

  • Generation of privacy policy notifications
  • Generation of cookie notifications
  • Collection of end-user consent for cookies and trackers
  • Prevention of cookie firing until appropriate consent is captured
  • Reporting and auditing functions
  • Means for end-user to view and update privacy and consent choices
  • DSARs workflows

Advanced capabilities we are interested in seeing as part of these products:

  • Data mapping and inventory
  • Preference customization
  • Detection and visualization of progress towards compliance
  • Access Management
  • Data Risk Management

Inclusion Criteria

  • Support for several of the criteria above

Exclusion Criteria

  • Solutions that only addressed end-user use cases without offering solutions for enterprise Privacy and Consent Management
  • Any solution still in a prototype stage
  • Solutions with a low maturity that restricts the overall functionality

We invited numerous vendors to participate in this report to provide a comprehensive overview of the current state of the market. This information should help you choose a vendor that fits your specific requirements and the current and future landscape you need to manage.
