Analyst Chat #108: Privacy and Consent Management


"Privacy and Consent Management" is an exciting topic in a continuously changing market. Annie Bailey has just completed her latest Leadership Compass, which researches this market segment. To mark the release of this document, she joined Matthias for an Analyst Chat episode where she talks about the innovations and current developments.

In A Nutshell

In episode 108, “Privacy & Consent Management”, Matthias hosts Anne Bailey.

Q: “From a definition point of view, what do we need to think of when we talk about privacy and consent management?”

Anne: “Yeah. So this is one of those terms where you could spin it in a lot of different ways, you know, privacy is so much in the public discourse that it doesn't really have a concrete definition anymore. So I thought it might be useful to get us all on the same page before we talk any more about it. So the way at least I have defined privacy and consent management in this most recent report. It's, of course, considering organizations and it's their administrative and governance capabilities over data privacy within their organization and of course, the tools and the solutions that are there to make that happen. So you could think of it then in a simplified manner about the capabilities that such a tool or a solution would have to the first group of capabilities, would then to be able to manage any incoming signals about privacy and consent. So these are things like being able to manage cookies and trackers that are on websites, being able to accept and then implement those consent or preference choices that an end user would make. And that would be over the range of different channels. So on a smart TV, on a mobile device, on a website, over the phone, via email in person interactions as well, should be considered. So that's all about managing the incoming signals. But what's also very important as well is the organization's ability to take care of their own internal management of privacy. So being able to govern sensitive data, which is in the organization and private data, being able to document their steps towards compliance and something which is a buzzword in this most recent report is being able to operationalize privacy.”

Q: “Recently, you published an updated version of your Leadership Compass report, which compares providers and services. What are the changes in the market that you can observe that you want to share with us?”

Anne: “Yeah. So this is an especially dynamic market area. Things are always changing. And so we can see some pretty big market changes between the report which published 18 months ago or so and the one which just came out this week. And that's in the types of vendors that were interested in participating. So what we saw in the last report were a lot of vendors that really focused on being able to manage those incoming signals, so being very focused on cookie management, on being able to collect consents and preferences and make sure that those are all able to be implemented in the many different connected systems within an organization and all the downstream vendors that may impact. Very focused on this incoming flow of information from end users. And what we saw, which was different in this report, is that there were more vendors that are really focused on data governance and using that as a foundation for privacy. So being able to operationalize and take action within the organization to further their privacy goals. And so we could think of that as an example. So being able to identify a privacy weakness of some sort in a process and then from that same administrative screen, then be able to do something to address that weakness. I guess we could go into more concrete details on what that could be. So, you know, if there was a scan done on a database and that scan returns the notification that there is private information in this database, there would then be the chance to leverage automation to go and anonymize those sensitive fields. So you're then connecting information about the status of privacy in the organization with an action to then improve it. So that was something that we noticed among several of the vendors that they're moving more in this direction. And that also does connect back to the relationship between the end user and the organization. 
So there was a big focus on being able to provide support for data subject requests and being able to process those. So in the same way of operationalizing privacy, if a consumer then submits a data subject request, the administrator would then be able to scan and automatically compile a report containing their personal information rather than needing to do that manually.”

Q: “Vendors offer products and services globally. Do you think they can catch up with changing privacy and consent requirements?”

Anne: “Mm-Hmm. Yeah. And frankly, this is really hard to stay up to date with because given our very globalized presence on the internet and connection with consumers all around the world, many organizations do have to stay up to date with the regulations that are not just for their own jurisdiction and in the region where they reside, but they have to pay attention to where their customers are, where any of their downstream suppliers or, you know, MarTech partners may reside and where this data is moving. So they have to be aware of a much wider legal domain than they've been used to before. And as I mentioned before, this is a really dynamic space. And part of that is because there are many privacy regulations which are being released all around the world. So this is something that we've identified as a really key capability in privacy and consent management tools, is that having some basis, some support from legal experts in-house to be able to keep up with all of these changing regulations and be able to pass that knowledge down to their customers is a really valuable thing.”

 

Matthias: Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm Lead Adviser and Senior Analyst with KuppingerCole Analysts. My guest today is Annie Bailey. She's an analyst working on a variety of topics, including emerging technologies, and we want to pick up on a topic that we covered earlier already. Hi Annie, good to see you.
Annie: Hi, Matthias. Thanks for having me back.
Matthias: It's great to have you back, and it's great also to have you back for this topic, which we covered in late summer of 2020 once already, and we want to give an update and want to show what has changed in that area. We want to talk about privacy and consent management, and that is based on the fact that you just published an update to the Leadership Compass document around this topic privacy and consent management just this week. From a definition point of view, what do we need to think of when we talk about privacy and consent management?
Annie: Yeah. So this is one of those terms where you could spin it in a lot of different ways, you know, privacy is so much in the public discourse that it doesn't really have a concrete definition anymore. So I thought it might be useful to get us all on the same page before we talk any more about it. So the way at least I have defined privacy and consent management in this most recent report. It's, of course, considering organizations and it's their administrative and governance capabilities over data privacy within their organization and of course, the tools and the solutions that are there to make that happen. So you could think of it then in a simplified manner about the capabilities that such a tool or a solution would have to the first group of capabilities, would then to be able to manage any incoming signals about privacy and consent. So these are things like being able to manage cookies and trackers that are on websites, being able to accept and then implement those consent or preference choices that an end user would make. And that would be over the range of different channels. So on a smart TV, on a mobile device, on a website, over the phone, via email in person interactions as well, should be considered. So that's all about managing the incoming signals. But what's also very important as well is the organization's ability to take care of their own internal management of privacy. So being able to govern sensitive data, which is in the organization and private data, being able to document their steps towards compliance and something which is a buzzword in this most recent report is being able to operationalize privacy.
Matthias: OK. When we look at this Leadership Compass from the document format, you are comparing different products to services of different vendors, and we get to this comparison charts and we need to understand which vendor is good at what and especially also when we look at this updated version of this Leadership Compass, what has changed over time? Who has improved, who has drastically changed their offerings, etc. When you look at the market and you look back on the two editions of this Leadership Compass, what has changed? What are the changes in the market that you can observe that you want to share with us?
Annie: Yeah. So this is an especially dynamic market area. Things are always changing. And so we can see some pretty big market changes between the report which published 18 months ago or so and the one which just came out this week. And that's in the types of vendors that were interested in participating. So what we saw in the last report were a lot of vendors that really focused on being able to manage those incoming signals, so being very focused on cookie management, on being able to collect consents and preferences and make sure that those are all able to be implemented in the many different connected systems within an organization and all the downstream vendors that may impact. Very focused on this incoming flow of information from end users. And what we saw, which was different in this report, is that there were more vendors that are really focused on data governance and using that as a foundation for privacy. So being able to operationalize and take action within the organization to further their privacy goals. And so we could think of that as an example. So being able to identify a privacy weakness of some sort in a process and then from that same administrative screen, then be able to do something to address that weakness. I guess we could go into more concrete details on what that could be. So, you know, if there was a scan done on a database and that scan returns the notification that there is private information in this database, there would then be the chance to leverage automation to go and anonymize those sensitive fields. So you're then connecting information about the status of privacy in the organization with an action to then improve it. So that was something that we noticed among several of the vendors that they're moving more in this direction. And that also does connect back to the relationship between the end user and the organization. So there was a big focus on being able to provide support for data subject requests and being able to process those. So in the same way of operationalizing privacy, if a consumer then submits a data subject request, the administrator would then be able to scan and automatically compile a report containing their personal information rather than needing to do that manually.
Matthias: Right. But if you look at the market of these products and they provide these products or services globally, of course, internationally, they cover the whole globe as their market. When we look at the changing privacy and consent requirements that we see, I think this is also a challenge for the vendors, for the service providers to catch up with what is happening. And we as analysts, we're looking at these changing privacy regulations, laws around the world in different regions. Is this something that they can deal with that they catch up with?
Annie: Mm-Hmm. Yeah. And frankly, this is really hard to stay up to date with because given our very globalized presence on the internet and connection with consumers all around the world, many organizations do have to stay up to date with the regulations that are not just for their own jurisdiction and in the region where they reside, but they have to pay attention to where their customers are, where any of their downstream suppliers or, you know, MarTech partners may reside and where this data is moving. So they have to be aware of a much wider legal domain than they've been used to before. And as I mentioned before, this is a really dynamic space. And part of that is because there are many privacy regulations which are being released all around the world. So this is something that we've identified as a really key capability in privacy and consent management tools, is that having some basis, some support from legal experts in-house to be able to keep up with all of these changing regulations and be able to pass that knowledge down to their customers is a really valuable thing.
Matthias: Absolutely, in an earlier episode, we talked briefly about the risk that comes with third party cookies. Is this something that these solutions also look at and where they might help because in general, we consider them as privacy intruding?
Annie: Mm-Hmm. Yeah, this was quite interesting. It was rather de-emphasized by a lot of vendors that the phasing out of third party cookies is not going to completely disrupt the industry. So that could be, you know, a strategic choice to de-emphasize that on their part, or we'll have to see. But yes, there will be a phasing out of third party cookies. But it could lead to some really interesting repercussions, which would be then the emphasis on first party cookies. So a more direct relationship between the service provider and the end user.
Matthias: Right, if you take that step back as an analyst and see, OK, I have this edition that came out 18 months ago and through research then covers two years ago or something like that. And now you have this insight into the market as of now. If you now take your crystal ball and say, OK, what do you expect from the market to do, say for the next 18 months or for the next two years? Where's the market moving? What do you expect to happen?
Annie: Yeah. So. I do expect some of these trends to solidify. And one of those trends that I think we're going to be seeing much more of is data governance and connectedness with automation. And again, this shift and more prominence that we've seen from data governance in the space, I think that's going to gain momentum. Data has really emerged as the foundation of privacy. And this is in contrast to where the conversation was going two years ago or so, where identity was really considered a foundation of privacy. And that's still very, very true. But what we've seen is that in this market in particular, those vendors which have strong data governance capabilities are really very, very competitive. And it's shaking out to be offering protections around that data, private data itself, regardless of who it belongs to, rather than framing that conversation around protecting the data of known individuals of those that you are able to identify. So I think we're going to see that trend solidify more, and we'll of course, see identity as a foundation for privacy in other areas like decentralized identity. And that could be very, very interesting, as these two areas then begin to collide again as we start to think about the privacy and consent of not only consumers, but of employees and partners of suppliers, of other stakeholders that are interacting with an organization. And that's probably where we're going to see identity come back into this conversation as perhaps decentralized means of sharing a verified identity come into play. So it'll be interesting.
Matthias: Absolutely. And so we've talked a lot about functionality, about being compliant to regulations, to making sure that everything happens as the privacy regulations and laws require. If we do the tests for ourselves and go to a website and try to change data, try to issue a data access request that can be cumbersome, that can be, yeah, very well hidden. What do you think will happen when it comes to user experience for somebody who really wants to execute their privacy, yeah, their rights in privacy, and try to get access to the data, to change data, to have data deleted? Is this something that they're looking at as well?
Annie: Yeah, absolutely. So you know what this report does, it focuses very much on the ability of the organization to facilitate privacy, to be able to collect the information that they need about end users to be able to conduct their marketing for being able to conduct many of their internal actions. But I don't think there are many who would say that as an end user, you know, entering or accessing a website and being presented with a cookie consent form, that doesn't inspire confidence in the privacy actions. It's a cumbersome step and it's not really a meaningful privacy experience. And so what's hopeful, and especially with a trigger of the decrease of third party cookies being used that one to one or direct relationship between the consumer and whatever service provider they're trying to be in contact with, that information that the service provider is actually wanting to collect from an end user will be much more transparent. And so because there's not hundreds of other requests from other third parties about information to be collected. So it's going to be really clear who wants what and what the stakes of that relationship are. Hopefully, at least much more clear than it has been in the past. And so hopefully, as that becomes a more relationship based collection of personal information, that's hopefully going to spur some innovative change for how that consent is actually collected. So it's not such an invasive, uninspiring experience.
Matthias: We've talked about the areas that you looked at. We talked about how the market is evolving. Of course, in the end, we want to have a short peek on what are the vendors, what is this market like? Is this something of the usual players, are there startups? What are the leaders that you could identify, just to name a few? Not as an endorsement, just to show what are the results when you execute this Leadership Compass assessment?
Annie: Yeah. Yeah. So this is as if this is very exemplary, that of a really dynamic market space because we've got some vendors who have been around a while. You know, some public, some private, some startups, some monster, some very small competitors. So it's a really mixed bag here. So we've got vendors like OneTrust, like OneWelcome. They've got a more identity focused approach here. Vendors like Syrenis, and they're kind of more in the consent management platform, directed, very focused on those incoming signals, but branching out into developing more nuanced internal management capabilities. Vendors like TrustArc that are known names in the space and then startups like Securiti, which are really at the forefront of this data governance role that's now playing in privacy and consent management.
Matthias: Right. So if we look at the leadership compass, we're looking also at the different dimensions where these vendors as players can take different positions, so you're looking at leadership and with regards to innovation to market relevance, but also to get the completeness of the solutions or the product leaders and the overall leader. So everyone who's really interested in learning more about that market and trying to identify potential solutions for looking further into identifying the right product, the right vendor for the individual use case, I would highly recommend just to go to our website. You've mentioned it, it's just published, so the new version is available can be accessed with our test subscription with our subscription, which is very easy to get and really affordable. So this is something where they could get access to your document, and I really would highly recommend that for everybody who's interested in adding more functionality around privacy and content management to their services. And they should, I assume. Any final comments from your side before we close down? This is really interesting. But what are your final words here?
Annie: Yeah, I mean, the privacy space is such an interesting area to be working in. So I'm always really interested to be having the conversations with vendors and hear how they're approaching it. But I think the conversation is really going to continue to change in the next couple of years and we've come to a point where in a way, at least at the private individual level where privacy is kind of demanded by individuals as a constant ideal state. And I don't think that's necessarily correct. It should definitely be a default state, you know that an individual's privacy is respected, but that's a default state until the relationship has developed to the point that both parties are agreeing to transact on more personal terms. And what's really important is that both parties have the agency to withdraw from that relationship and be able to move into that private default state again. So this agency in privacy is something that I think should be emphasized more in the future, rather than kind of putting up the barriers of privacy as a constant state. So that'll be interesting to see then how vendors are responding to that and being able to enable that in a really meaningful way with the experiences that end users can trust. And of course, eventually that the employees and the partners are being able to spread that into other types of identities and entities.
Matthias: Yeah, great summary. And it also brings us back to why we are actually doing this. It's really to respect the privacy and to get to this, as you said, default state, which should be then the full set of privacy, the full - in best case - anonymity there. Thank you very much, Annie, for joining me today. I'm looking forward to continuing this conversation as the market evolves, as regulations evolve, as services evolve and for the time being, thank you very much for being my guest today.
Annie: Yeah, absolutely. Thanks for the great conversation.
Matthias: Thank you very much. Bye bye.
Annie: Bye.
