Analyst Chat #30: Consent Management Done Right


Graham Williamson and Matthias Reinwarth talk about consent: what does it mean for identity professionals, service providers or lawyers, and how to reconcile all those different views in modern IAM environments?

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is Graham Williamson. He's Director Asia-Pacific of KuppingerCole, and a senior analyst acting out of Brisbane. And today we will talk about consent. Hi Graham.
Hi Matthias. How are you?
I'm fine. Great to have you again in this podcast. It's been a while, but great to have you back again. Last time we've been talking about IAM projects done right, and you could share your experience with how you organize a project from the organizational structure point of view and also from an architecture point of view. Today we want to talk about a topic which is often ignored, neglected, or just not done. We want to talk about consent. Why do we have to talk about that?
Yes. Consent is a word that means different things to different people. It is, of course, important to identity and access management professionals, because consent is part of the services that they must support with the identity environment within their organization. But then you've got the service providers who are collecting users' consent, and they've got a different view of what they have to do there. And then there's the lawyers, because the lawyers now are being involved very much in consent, managing user rights, and they then want to wrap everything up in very concise legalese. So we've got different groups that are considering consent. And because of that, I think it's something that we should just address as a format from an identity professional's point of view, to make sure that what we're doing as we're putting together an identity and access management environment accommodates what needs to be done when we're collecting and managing user consent.
As I'm acting out of Germany, which is in Europe, which is GDPR, which requires consent to be handled in an adequate manner, and you are acting out of Asia-Pacific: is there a common ground that we can look at when we're talking about consent? Is there a common denominator that we could consider as being given, knowing that we both are not lawyers?
In Asia-Pacific, we very much follow the GDPR lead. So Europe is considered a leader when it comes to identity and access management, and indeed what's happening in the consent space. I would go so far as to say that in Asia-Pacific we've got a long way to go. But in terms of, just in Australia, for instance, there's a lot happening now in the consumer data rights space, which is directly related to consent. So it's something that's becoming much more important globally. And so I think it's very appropriate that we talk about consent and start to formulate in our minds how we need to proceed. But the answer to your question is very much: we do follow the European model and what's happening in that space.
Okay. So when we want to implement consent in a way that adheres to what you just mentioned, to GDPR as the guideline, and that is relevant for almost anybody, then how do you implement that when it comes to providing adequate consent management solutions as part of an IAM solution?
How do you say? Well, the first thing you do is you do not allow the bad practice that we've seen in the past to continue. So for instance, in many cases a service provider simply provides an agree button that a user is expected to click on in order to get access to the service, whatever that might be. That is no longer satisfactory. The bad practice that we'd been experiencing is a service provider not explaining fully the service that is being provided. Even if that service is just provision of a document, okay, we need to be better at telling users what that document contains. I don't know about you, but I have been disappointed many times when I download a document that I thought addressed a particular issue I was interested in, but it didn't. And because I didn't know that before I did it, I had provided my consent to the service provider that I really would've liked to have rescinded.
What we need to do too is avoid then going too much in the other direction, where as the service provider we ask the user to give too much information. We want them to register in order to get access to our service. Well, again, if it is simply a matter of downloading a document, I personally will not register. If it asks me to set up an account in order to download a document, I'll click away. You know, we need to make sure that when we are providing a service, the information that we're collecting actually matches the level of service that we're providing. If the service is simply document access, then we shouldn't be asking for any more than an email address. We need to stop these bad practices that we've been involved in before. Maybe I can just suggest what we maybe should be going to, because when we look at how we deal with consumers, there's a lot happening right now.
Some of the developments in that CIAM area, the consumer identity and access management space, are quite exciting. And we generally agree that we do need to bring the customer along on a journey. We start with a basic relationship, and then over time we will develop that into a loyal customer relationship. And our consent needs to follow a similar thing. As we start, we ask for basic information, and it's not until the customer's happy with that and is willing to provide more information, in terms of the consent that they're providing to us, that we should be looking at that strong relationship. So the general approach now to consent is making sure that we take a customer on a journey and develop that consent relationship along with the customer journey that we are taking our customers on.
And if we think of this customer journey, I assume that the customer, as the one that should be in control, should also be able to manage consent over time, to revoke or to approve more access to data. And that should be done as easily as possible. So consent management should be a real part of the overall management platform for the user and for themselves.
Absolutely. And personally, I think this is an area where many companies are going to run into difficulty. Okay. So if we look at consent, there's basically a consent event, if you like, that has three components. First, there's an act that the user will do. It might be just clicking on an agree button. It might be setting up an account, like establishing a password so they can access the site again. So this is an event. Then there's the knowledge. And the knowledge is one area I alluded to earlier, where service providers typically don't do a very good job at helping the user understand explicitly what they're going to get. So if they're going to give information, what do they get in return? In many cases users are going in blind and just assuming they're going to get what they want, rather than the consent event telling them explicitly what they'll get.
So we need to be better at giving them that knowledge. The third component of it is that it needs to be voluntary. The user needs to have the decision as to whether they want to provide this information, and indeed how much information they're going to provide. If it's simply clicking the green button, and if you don't click it you're not going to get the service, that's not very good consent. We need to do much better. In fact, I was pleasantly surprised in one service I went to get: they actually allowed you to provide your consent at three different levels, depending upon what sort of service you wanted to get. You know, we have to be more intelligent in the way that we provide that. So we're looking for what the act is, what the knowledge requirement is, and whether or not it's voluntary, whether the user has the capability of determining whether or not they want to give their consent for this particular service that they're accessing. So if we design the consent event based on those three things, I think we'll do a better job of providing something that's going to give the user some certainty as to the information or service they're getting, and also giving them control of the amount of consent that they actually provide.
Right. And we've seen already, as you mentioned, some improvement when it comes to explaining what these terms and conditions actually mean. As you said earlier, that was just a large text provided by a lawyer that no usual person was capable of understanding. Now that has already changed. They really have to say where this data has to go or will go and whom they are sharing it with before you can approve that. So it's really getting better in making it consumer-friendly to understand what's going on. I think that is really a good development going on. What other developments are there when it comes to improving consent management? I've heard of User-Managed Access, and I've talked to the people behind that; that is a great effort to improve consent management as well. So really putting this management into the hands of the user, is that reflected also in consent management when it comes to CIAM?
Not very much yet, but it's definitely a trend. So if we look at a couple of trends that we need to keep in mind as we design our consent mechanisms, one is the data rights legislation that is being put in place in many jurisdictions. So Australia, for instance, is putting in the consumer data rights legislation that says explicitly what is allowed when a service provider is requesting information. Now, of course, it's tied into the privacy legislation. So you can't ask for more information than you need in order to provide the service you're providing. I mean, the user wants to get a service, and the information that they should be providing has got to be commensurate with the service that's being provided. The data rights legislation is including some interesting things. So for instance, there are restrictions on how long that consent can stay active.
So it comes back to your question about the control that the user has. And the default setting is 12 months in Australian legislation. So you've got to have a mechanism, if you're collecting a user's consent, to be able to refresh it or delete it in 12 months' time. Most organizations do not have that capability right now. So it's something that's got to be developed and designed into the consent mechanism. Users have been given the right to rescind their consent. So it's similar to the European right to be forgotten legislation. So that needs to be built in. Now, you can't do that unless you have a proper consent management environment. You mentioned the User-Managed Access initiative; the Kantara Initiative has done some very good work in this space. And, you know, by using a consent receipt, which is one of the techniques they suggest, that gives you the capability of being able to rescind consent. You need to think through how you're going to be able to find the consent that was given by a particular user so that you can delete it, should the user request that. So it's important that we design mechanisms and put in that consent revocation; it is something that must be accommodated in a consent mechanism.
But that will really revolutionize many aspects of identity and access management for many organizations. Because, as you said, they are just not prepared for having these additional processes in place, for thinning out data over time, for rechecking consent over time. That is really something that many organizations just don't have in their process plan when it comes to defining and implementing IAM solutions. So that is really a challenge to keep up to date, to keep in business.
It is. So you bring up a good point: keep in business. If they do that, if they can put in a consent mechanism that will keep the user comfortable with their organization and the service products that they're providing, they're much more likely to build a loyal customer. And with the millennials becoming, you know, the main purchasing group, they want a good experience. So if you don't provide them a good experience, you're going to lose out on product sales. So building that relationship, and a large part of it is built on the consent management that you provide, is going to be very important for companies in the future.
We have been talking about consumer identity and access management, and of course, for the consumer, to protect the data of the consumer and to make sure that the rights of the data of a user are well maintained, that is an important factor. But when you talk about employee identity and access management, that is usually covered by a good purpose, because, yeah, you have a contract working for your employer. But if I provide additional information, say my phone number, my home address, I don't know, additional information to the identity and access management, does this apply there as well? Is this changing traditional enterprise IAM as well?
It impinges on it. Workforce IAM has typically relied on the human resources processes and the agreements that are put in place when either a staff member is engaged as an employee, or when a contractor is engaged; there's usually a contract put in place which controls a number of things, including, you know, what the company is going to do with their information, how they are going to protect the information that they maintain on their employee, how that employee will protect the sensitive information of the corporation. There's usually some sort of confidentiality agreement. So that's often handled in that realm, but increasingly an employee is also a customer of an organization, and bringing the CIAM and the IAM environment together is something that a lot of companies are doing now, using a single infrastructure to accommodate that. So we do see some crossovers there.
One of the issues that is looming is the consent transaction, what a consent transaction might be. So we've talked about making sure that our collection of consent matches the service that we are requesting, and making sure that the consent is managed so that we can locate that consent code and, in fact, see how it matches the relationship that's being built as time progresses. The general consensus of the people that are monitoring the trends in this space is looking towards this consent transaction that we're going to be moving into. And a consent transaction is basically going to be a two-way thing. It's no longer a customer providing the information to the service provider. It's now a service provider saying to the customer, okay, you are providing this information to us. This is enabling us as a service provider to monetize our products. I guess the cleanest environment to look at here is Facebook.
So we can use Facebook for a minute. They have an immense amount of information they use for their purposes, their business purposes. And we're all aware of Cambridge Analytica, which became a sort of litmus test of how this information is being used. And some people were aghast at how much information Facebook had and how much they were using it. They shouldn't have been surprised; that is Facebook's business. And all Facebook were doing was extending, you know, marketing practice to the capability that they now have. And it was very impressive. As that progresses, there's room now for the service providers, such as Facebook, to say, okay, Graham, we have this information on you. We would like to include this in the service we're providing our customers. And for this service, we're going to actually recompense you for that information.
So it now becomes a two-way situation where we are participating in determining what we want our data to be used for. So it provides us the capability of saying, yeah, well, in exchange for what you're doing for me, I will allow you to use my information for what you're doing for your customers and be recompensed for it. I mean, we're seeing the beginnings of this in customer loyalty programs that a number of companies are using. So for instance, my wife is very pleased to provide information to the local grocery store that then sends her coupons to use in the store, in exchange for the information that she's been providing. So it's an extension of that, where we're going to be seeing consent as the basis for a transaction that we agree to. And again, as the CIAM environments expand and develop, managing the consent and being able to take that information and manage the environment around that is going to be very important for companies, right?
So consent management is also a bit changing in the perception of those who have to do it, because it is no longer just a must. Because it is a must, we can't change that, we need to do it to be compliant to regulations, but it's also an opportunity to create new business models or to extend your business models when it's done right.
Exactly. And those companies that can glimpse the future, they're going to do very well. The basic, though, is that you're quite right. It's a matter of adhering to jurisdictional regulations. So we are going to be forced as companies to do a basic level of consent management, whether we like it or not. But in terms of the potential and opportunities that it brings to the foreground for us, that can be very significant. And the companies that can do that and can build that relationship with their customers, I believe, are going to do very well.
Well, that was really a great closing remark for this episode of this podcast that sums it up very well. So if we have to do it, why don't we do it properly? So I think that's a good thought for the end of this episode. Thank you very much, Graham, for joining me today for this episode on consent. Any final closing words from your side, recommendations, where should we start?
Yeah, well, as IAM professionals, we need to make sure that the groups within our organization that are using our identity information do this properly. And if we can lead the discussion in regard to consent development within our organizations, we will have done the companies we work for a great service.
Thank you very much. And as a final remark from my side, there will be a lot of information available, of course, on our website. It is already available. There will be a CIAM event, a virtual event from KuppingerCole, later in July or August, I think. And that will be free to join, free to register, so just join us there and join the discussion. And if you are interested in the process of joining IAM and CIAM that Graham mentioned, there is all about the identity fabric concept on our website. Please visit KuppingerCole.com if you want to learn more about that. Thank you again, Graham, for joining me, and I'm looking forward to having another episode together with you very soon.
