Leadership Compass

Privacy and Consent Management 2022

This report provides an overview of the market for Privacy and Consent Management solutions and provides you with a compass to help you find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing solutions that enable you to collect and manage consent in a compliant and privacy-centric manner.

Anne Bailey

aba@kuppingercole.com

1 Introduction / Executive Summary

This Leadership Compass analyzes vendors in the Privacy and Consent Management market segment. The term "Privacy and Consent Management" stands for the administrative and governance capabilities over data privacy within the organization. Privacy and Consent Management impacts every level of the data value chain, from advertisers, AdTech, and publishers, to enterprises and their communication strategies, to end users and the relationships that they build with service providers and third parties that handle their data. Solutions that provide Privacy and Consent Management have the challenge of working for the best interest of all: to enable compliant data collection, the building of compliant consumer profiles, and monetization, while enabling the privacy choices of end users and the intersection of global regulations.

This report provides in-depth insight into the Privacy and Consent Management market. The key capabilities that make a comprehensive solution are explained, and the different approaches that vendors take to providing a solution are evaluated. The leading vendors are identified according to Product Leadership, Innovation Leadership, and Market Leadership, each with detailed profiles and assessments.

1.1 Highlights

  • The term "Privacy and Consent Management" stands for the administrative and governance capabilities over data privacy within the organization.
  • The market is very dynamic, with new global privacy regulations, the eventual reduction in the use of third-party cookies, and changing methods of operationalizing privacy.
  • Privacy and Consent Management Solutions are primarily delivered as Software as a Service.
  • Data governance and automation are key trends in Privacy and Consent Management.
  • The Overall Leaders (in alphabetical order) are OneTrust, OneWelcome, Securiti, Syrenis, and TrustArc.
  • The Product Leaders (in alphabetical order) are OneTrust, Securiti, Sourcepoint, Syrenis, and TrustArc.
  • The Innovation Leaders (in alphabetical order) are DataGrail, OneTrust, OneWelcome, Securiti, and TrustArc.
  • Leading vendors in innovation and market presence (also called the "Big Ones") in the Privacy and Consent Management space (in alphabetical order) are OneTrust, OneWelcome, Securiti, and TrustArc.

1.2 Market Segment

The Privacy and Consent Management market segment has its roots in collection processes and responsible handling of customer data and entered the public consciousness with the rollout of GDPR regulations and mass data breach scandals. Data privacy regulation and strong public demand have attracted new entrants to this segment, where consent management was a key enabler of compliant data collection. Recent announcements by Google to remove support for third-party cookies from its browser and the rollout of cohort-based profiling of browser activity indicate that the publishing and advertising industries must adjust quickly to different technologies, that the privacy goals of users may move away from consent or place more emphasis on first-party consent and consent from authenticated relationships, and that Privacy and Consent Management solutions may need to support new capabilities.

This has yielded a dynamic, competitive space where vendors provide data consent processes for vendors and consumers. Thus, this Leadership Compass analyzes solutions that provide means for enterprises to assess their privacy compliance, take meaningful action to increase the data privacy protections afforded to end users, and balance the needs of compliance and marketing departments.

At a high level, these solutions should:

  • Provide compliance support for global privacy regulations including GDPR and CCPA
  • Provide insight into the movement and protection of personal data within the organization and in transit to partners
  • Support the design, implementation, and enforcement of privacy policies
  • Facilitate the compliant collection of consumer consent and preferences, and enforce those decisions
  • Enable self-service privacy choices for users

Privacy and Consent Management is a market segment that continues to evolve to meet changing requirements. New privacy legislation is constantly being passed around the world, and the interconnected flow of data up and down the value chain makes it possible that legislation from one jurisdiction may become relevant to an organization based in another. And as more and more users become aware of their data rights and choose to exercise them, there is an increasing need to be able to respond to Data Subject Rights (DSR) requests in a scalable and secure way. There is a trend to operationalize privacy, or to enable action to be taken when a compliance gap is identified, a DSR is filed, or a third-party vendor is not acting in a privacy-preserving way. Better yet is when these workflows can be automated to manage the scale and volume of privacy actions that may need to be taken.

There is an increase in data governance capabilities among this year's vendors, indicating a convergence of data governance and privacy management, along with approaches that favor identity and CIAM as a natural bridge to providing privacy management. This could, for example, mean more focus on data discovery capabilities for structured and unstructured data sources to identify all sensitive data in the organization. Data discovery capabilities support designing a well-informed privacy initiative, with better insight into what type of information is collected and how it is legitimately used or proliferated through the organization and up/downstream, and they help to manage data breaches quickly and fulfill DSRs efficiently. What remains to be seen is whether Privacy and Consent Management can move beyond automation for compliance's sake to more transparent relationships.

1.3 Delivery Models

Privacy and Consent Management Solutions are primarily delivered as Software as a Service (SaaS), with all participating vendors providing this deployment model. On-premise deployment is offered by nearly half the vendors, and two thirds of vendors support multi-cloud deployments. This serves as an indicator that although on-premise remains relevant, organizations are requiring more agile multi-cloud and multi-hybrid deployments, especially when it comes to oversight and management of organizational data.

1.4 Required Capabilities

Privacy and Consent Management Solutions can cover some or all of the functional areas described below. Typically, solutions need to manage incoming signals like user consent, information from cookies and trackers, and information from user self-service portals. The solution may also support developing a privacy strategy for the organization, which would involve running assessments to identify compliance gaps, documenting steps taken to reduce those gaps, offering data governance capabilities, and providing ways to operationalize privacy in a scalable way.

Figure 8: Privacy and Consent Management Solutions, Possible Areas of Functionality

The approach to providing these areas of functionality is still quite varied. Some vendors believe CIAM and identity solutions are best situated to provide management and protection of private information. Others believe data is the foundation of privacy, and take a strong data governance stance. Still others think that the current model for cookies and analytics is too extractive and are designing a privacy-centered alternative to the existing analytics and tag managers. Still others present Privacy and Consent Management as compliance combined with marketing, bringing the best of both worlds.

For vendors to be included in this report, they must have comprehensive solutions that include a majority of these capabilities:

  • Compliant collection of user consent
  • Enforcement of user consent
  • Prevent non-compliant tracking and profiling on customer channels
  • Assist in designing and implementing compliant privacy policies, cookie notifications, etc.
  • Record progress towards compliance on specific regulations, i.e. GDPR
  • Data mapping and inventory of personal data in the enterprise
  • Provide data risk management support, for example de-identifying data via anonymization, pseudonymization, aggregation, redaction, or differential privacy
  • Enable consumer control over privacy settings and consent choices
  • Support workflows for DSR/DSAR/consumer requests and data breach notification

We expect solutions to cover a majority of these capabilities at least at a good baseline level. There is no minimum number of customers or revenue caps that vendors must meet – both large international companies and small but innovative startups are included in this report. Some vendors did not respond to requests to participate, or chose not to participate. Profiles of these vendors, as well as other interesting vendors, can be found in Chapter 6, "Vendors to Watch".

Vendors with products still in a prototype stage, that provide only a single point solution, or who focus on individual and personal solutions rather than on the enterprise were excluded from this report.

Solutions that do not meet our general inclusion criteria but nevertheless strongly focus on specific types of Privacy and Consent Management may be mentioned separately in our "Vendors to Watch" chapter.
