Good afternoon, ladies and gentlemen, welcome to our webinar "How to handle consent to be compliant with the GDPR and the upcoming ePrivacy regulation". The webinar is supported by iWelcome. The speakers today are Martin, who is Vice President Corporate Development at iWelcome, and me, Martin Kuppinger, Principal Analyst at KuppingerCole. You can reach me at mk@kuppingercole.com. Before we start, just very quickly some housekeeping information and some general information about KuppingerCole. KuppingerCole is an analyst company.
We are headquartered in Germany, focus on information security, identity management, and other areas concerning the digital transformation, and have a team in various countries, including the US and Singapore. Our business is focused on three pillars. One is research, where we cover markets and trends in our flagship product, the Leadership Compass, and deliver various types of research. Then we have our events; I'll touch on this in a minute; where we do things like webinars and conferences.
And we have our advisory business, where we support businesses in defining their strategies and roadmaps, making decisions about tools, and their overall architecture blueprints. This is what we are doing as KuppingerCole. In advisory, we focus on benchmarking and optimization, so measuring you against others,
and again, sort of our baselines and strategies, support for architecture and technology, and project guidance. And as I've said, we have a couple of upcoming events. So the next event is our Consumer Identity World in Singapore. We have already had two events, one in the US, one in Europe, and we will have one in Singapore as well. Plus we have our Cybersecurity Leadership Summit and the German-language Cyber Access Summit, both running next week in Berlin.
Then next year, obviously, our European Identity Conference in May will follow, and the Blockchain Enterprise event will run in February in Frankfurt. Some guidelines for the webinar: you are muted centrally,
so you don't have to mute or unmute yourself; we are controlling these features. We are recording the webinar and we'll make the podcast recording available, usually by tomorrow at the latest, as well as making the slide deck available for download, so you don't have to print down everything we are doing. And there will be a Q&A session at the end.
I always recommend that you enter questions during the flow of the webinar, when you have these questions, so that we have a good list of questions for a lively Q&A session at the end of our webinar. Having said this, let's have a look at the agenda. The agenda, as usual, consists of three parts. In the first part, I'll talk about the business aspect of consent management. So why is this primarily a business topic and not purely an IT topic?
In the second part, Martin will talk about the technical foundation for consent and how to do it right for the consumer.
And as I've said, in the third part we will do a Q&A session where we can answer and cover all the questions you might have on this topic. So let's start with a quick wrap-up. I assume most of you are to some extent familiar with what the GDPR brings, but let's start with a quick wrap-up of some of the key aspects of GDPR. One of the most important things, and particularly around consent: unless another legal basis is in place, consent is required prior to processing personal data. Such a basis could be a contract, such a basis could be a law, but if there's nothing in place, it's about consent.
There's a concept of legitimate interest, but this is a pretty weak concept.
So better go for contracts or explicit consent; it's the safe way to do it. This consent has to be freely given, informed and unambiguous, and it must consist of clear statements or affirmative actions. So it's not that you just say, I understand this as consent given. It must be really a very explicit and clear process. We have consent per purpose, and it might also be revoked. So all of the consents you gave are per purpose, so I can revoke my consent for the use of my data for a certain purpose.
We need data protection officers, which can be external, for certain types of data processing. We need to perform more complex, specific data protection impact assessments to understand the risk and to prove that we're doing what we need to do. We have the data breach notification requirement within 72 hours, which is not that long.
However, this is towards the data protection authorities, not towards the individual data subject. So the data subject must be informed in certain scenarios, but not in all.
Again, something you need to look at. There are a lot of data control rights, such as the right to be forgotten, the right to freeze data processing, the right to export data and to edit it, which we need to support, and we need to have privacy by default and by design, which are mandatory concepts. So as you all know, these days GDPR is changing a lot of aspects of how we collect personally identifiable information, how we process it, how we deal with it. And one of the still very fundamental concepts is consent.
And obviously consent is something which changes the way we work with the customers and consumers when we look at it from a consumer identity perspective, because it means we need to gather that consent, we need to enable people to change their consent.
So we also need to change, sort of, the customer journey, because it's about someone who's coming in; we need to ask him for consent, we need to give him the ability to manage his consent, et cetera. And that is a change in the customer journey. So there's obviously an impact on the way we interact with others.
So there's a business impact of consent management. And as I've said, there are a couple of requirements in this interplay between the business and the consumers. So it is the clear affirmative action, which on the other hand means that silence, pre-ticked boxes or inactivity is presumed inadequate to confer consent. So it's not that you could say, if he doesn't say anything, I assume that he gave consent. And that is, for instance, when you look at most of the websites today, this "if you continue using that website, you give consent for collecting data,
we use cookies", et cetera.
No, that is not GDPR compliant. It also needs to be freely given and specific. So what is collected, that is also the informed part, and the big risk. So we can't drive someone into just the situation of: you have to give consent for being allowed to do that. It shall be as easy to withdraw consent as to give it, another big challenge. So if you only once click okay to accept everything when you visit our service, but have no simple means to revoke it, it's not sufficient. Explicit consent I've talked about; there is parental consent for processing children's personal data,
and also when it's about automated profiling and other things, so decision making, we have again specific and complex consent requirements. And that means we have to think about how do we do that right? How do we deal with our customers, our consumers, to gather the consent we need for our business models? It might even lead to a situation where we need to think about: will this business model continue to work, or do we need to change the business model? So there's an obvious impact of this consent on the user journey and the consent life cycle.
As I've said, it must be simple and clear to understand. So we shouldn't leave the customer back with questions about why to give consent. So if you just say that we need that consent but don't explain the benefit the customer has, it is not very likely that he will give the consent.
So in this balance between the consumer on one hand and the business on the other side, it is about showing: we need that information from you to deliver that benefit, that service to you.
So this is what we need to explain, because otherwise people will be reluctant to give consent, particularly when they understand what exactly is collected. And we have to explain what is collected exactly for which purpose. So we also need to find easy and low-intrusive ways for requesting additional consent. So if we have another purpose, we need consent for this new purpose. We need to be prepared for this. We need to understand, okay, there are new business cases, and that changes the way we interact, changes the customer journey, requires additional consent.
So we need to bring these things together. So what happens in business?
What is the business model?
Why is the business collecting this, and how do we shape our customer journey or our user journey in the consent life cycle? And we will in fact have, particularly with the upcoming ePrivacy regulation, even more need to do this far more explicitly than it is done these days, where at most websites it is still: oh, you need to accept the cookies to continue using that website. It will not be sufficient. Martin in his presentation will go a little bit more into detail on this. And obviously the entire thing around consumer identity is that it's not only an IT play.
So when we look at who's involved, it becomes very clear that for all these things around consumer identity, privacy, consent, et cetera, we need to bring a lot of parties to a table and to make them work together.
So we obviously have sales with their CRM system. We have marketing with their marketing automation systems. We have the IAM people who look at managing the identities, authentication, things like that.
We might have the chief digital officer or chief digital business officer, who looks at the customer from the digital transformation perspective and at how to change the business with this, who looks at new business models. And we need to understand what does it mean from a privacy perspective, from the perspective of collecting data, which new consent do we need for that? How does it change the interaction, which new types of data subjects or customers, consumers, do we really have to deal with, et cetera?
We obviously have a lot of websites which are owned by someone who runs a certain type of, whatever, e-commerce service or other things, which store certain types of data. We have the business departments for all their portals.
We have corporate audit, which looks at KYC, so the know-your-customer stuff, and the data protection officers.
So we have a lot of parties which are involved, but at the end it becomes very clear that IT for itself can't solve this issue, because it's not only an IT issue. The entire aspect of managing consumer identities, managing the customer journey, defining which authentications are supported, and in particular how we work and how we deal with consent and how this influences our customer journey, is something where we need to bring the relevant parties to one table and to understand what does it mean down or up to the business model.
So the chief digital officer or the business department need to be involved, because obviously the way we collect consent, we gather consent, and the ability to gather consent affects many business models. So when we go a little ahead, again it's about convincing the consumer about the value of consent.
So demonstrate or explain the benefits. You might add benefits, for instance lotteries. And I remember my gas and water utility company a while ago sent me a mail and said, okay, we'd like to, whatever, spam you.
They've said it a little differently, but basically: we'd like to spam you with marketing emails, et cetera, please give us your consent. And oh yes, when you give the consent, we will have this lottery and there are some super attractive prizes. And there were some really interesting ones; I really considered giving my consent until the lottery is done and then revoking it again. So things like that might work to some extent, but we also should think of this from a more positive perspective.
So how can consumer identity management also maybe improve the user journey or improve the way we do business with people?
So we have this informed consent. So why do you want my data? What are you going to do with it? Basically the customer asks the question, what do I get out of it? So what are my rewards for granting consent, which on the other hand also might open the doors for new business models.
So when I have audiences in front of me, every now and then I ask questions about who of you would be willing to pay, whatever amount, for that or that type of service. So who would be willing to pay two euros for a search engine that delivers super good results without collecting all the data and sharing all the data about you? And there's a significant portion of people who say, yes, I would be willing to, whatever, spend two euros or dollars a month.
There are a couple of people as well, probably the same group, who say, no, not at all.
I just pay with my privacy. And there are some which are sort of indifferent, but there's a significant portion of people who are willing to pay for more privacy. And not only in Germany; this works quite well in other countries as well.
So, but if we do that, if we look at how we work with that, it's always about understanding: how does this really work, this user journey and all the things we are doing for the customers? And there are some simple things, and on the next slide there are just some samples of things we should keep in mind. So basically it's about getting the balance right. Less data means low friction, much data means high friction. So the more we collect, the more friction potential is there, the bigger the value must be, and we need to understand what we really need.
And there are very different scenarios. So if we use a taxi in a very traditional way, we don't need a phone, we don't need an app, we don't need an account, no password, no registration. There's not even PII stored, at least if I pay cash.
I'm from Germany; we still tend to pay by cash. So I'm totally anonymous when I'm using a taxi, as long as I don't talk too much with the taxi driver. If I would go to Uber or Lyft or whatever, I need a phone, an app, an account, a registration process, a lot of PII stored. And obviously a lot of people go for that approach because they say the benefit of doing so is bigger than what I have to share, but the more they learn about what they have to share, the different their decision might look. And that is something we need to understand.
We need to understand: are people considering what we are doing valuable enough to give their consent? Will they use their service with all the other restrictions GDPR brings with it? So the unambiguous thing, for instance. It's something we need to understand. And we also need to understand that we shouldn't, in whichever way, push our customers too much into answering questions, in fact annoying them by gathering some sort of consent or other information in a too intrusive way.
So probably all of us are annoyed to some extent by dialogue boxes popping up when we are looking at a website saying, oh, do you have questions about that type of thing? Do you want assistance? So you're barely five seconds on a website and a pop-up window pops up from the chatbot saying, oh, do you need help, et cetera. Frequently it's annoying.
Or this: oh, the mailing list, and you will get some totally irrelevant things here. So if you give something, then give something relevant back, and better convince your customer of the value of sharing the data because you use the data for a concrete purpose where customers benefit, than annoying the customer and trying to gather a lot of data where you maybe not even know why you are collecting it. And I still believe that a lot of businesses are collecting too much data which they do not really need.
This morning I had a scenario where I tried out one of these new reusable ID schemes we see popping up these days, where I can use that one ID for a lot of services. I accessed the first service, and that service said, I also need your birth date. It was an e-commerce site and there's absolutely no need for them to know my birth date.
What they might need to know is whether I'm of a certain age; in that case, not even that, because it was not about alcohol, it was not about drugs, weapons also not, I'm in Germany, et cetera. So it was ridiculous.
It was totally unnecessary, but they're asking. And the one thing I did is I just stopped the process at that point. So stop annoying your customers, but think about trust and usability and providing alternatives for the customer. So you want to have a long-term, sustainable relationship with your customer, and that is built on trust. If the customer trusts you, he will tell you more, he will do more with you, the business will be better. It's about usability. So make this flow, the customer journey, simple; Martin will talk a lot about that. And think about alternatives.
So if someone doesn't want to share the data, how do you keep him as a customer?
Particularly if this data is not really required for your business model, or maybe there's a business model for you where you can earn potentially even more money without driving the customer into giving away all information about him. So what you definitely should do, as one part of rethinking consent, and where really the business and the IT things come together, is stop thinking inside-out and think outside-in. So most businesses think very much inside-out.
So they think about what works best for us, how can I collect as much PII as I want, which authentication works best, how should this process look, all that stuff. And they say, okay, consumer, you do what we want you to do. But I think that's not the right way to treat a customer and to build a long-term successful relationship. Think of it differently; think about what works best for them.
So why should they share information with us? Because they have a benefit. How can I shape my authentication? How should a process look? No cumbersome registration.
How can he use the way to authenticate he wants to use, and do what the customer wants to do? And that obviously is not a decision IT can make for itself. IT can support it, consumer identity can support it, but it goes well beyond that. With that, I hand over to Martin, who right now will talk about the technical foundation for consent and how to do it right for the consumer. And he will also probably touch a lot of other topics around consent, consumer identity, and all his experience from a lot of customers.
So Martin, the stage is yours.
Thank you very much, Martin, for this introduction, and welcome to the audience. iWelcome, as a very short introduction, is an identity-as-a-service provider; we provide a platform. We are a European-based company.
Actually, we are based out of Amsterdam. And as we are focusing on external users in our platform, and mainly consumers, we had to fundamentally implement GDPR. And one of the main components, of course, in GDPR is consent. I will talk about our experiences with this implementation, what it meant for us, how we have solved things and how we are serving our customers with the platform, and also the challenges that still reside on their side, because in the end we deliver a platform. I'm not a lawyer, so I will not go into details of the law.
And what I want to emphasize is exactly what Martin already emphasized.
It is about delighting the customer. It's about building trust and getting retention. And actually, for the internal side, it is about creating actionable consumer data. If you don't have consent, then by law you cannot use that data for marketing and sales. So the internal value is about creating actionable consumer data. This picture shows you a bit, and gives a bit of the flavor of, what we want to do. We want to delight that customer.
We want to think outside-in with regard to consent. Well, a bit more in some detail on what we did and what we started about a year ago. If we talk about GDPR, then it's about empowering the customer. And we have seen all kinds of GDPR programs focusing on the internal side for getting GDPR compliant, identifying where PII resides, who has access, et cetera. But we have started a research and we've looked outside-in, so from the consumer's perspective: what is delivered to the consumer in terms of controls with regard to their data?
So for us, we talk about: the proof is in the pudding.
We've looked at organizations across Europe, in total 89 organizations in seven countries and in six verticals. And here you can see the list of verticals. And for the GDPR compliance, we have looked at the criteria that are relevant from a consumer's perspective, so in terms of the controls that the consumers have. Well, obviously consent is one of the key controls, the ability to withdraw, right of access, right of rectification, clearness about the retention period. I will not talk a lot about data retention, but that's a topic in itself, because data retention may change over time.
We can store certain data for a specific purpose, but that will change over time. For example, in the first year I can use data for marketing purposes, and later on only for statistical reasons. So that is a topic in itself. We have tested the websites of these 89 organizations over almost a year. We started November last year and we just completed the research, where we included the US, because we also see developments in the US with regard to GDPR-like implementations. Some of you probably have heard of the privacy law in California.
And if you look at it from a country perspective, at the compliance to GDPR in these various regions, then you see that there are some countries that do overall pretty well. In this case it is the UK and Germany, Martin, so you can be proud of your home country. And we see other countries, and they are really staying behind. The light green is good, the dark green is okay, and if you go into grey, there are significant gaps in the implementation. Of course, 89 organizations sounds like a lot; in practice,
if there are a few outstanding ones, then they influence the category.
If you look at it from an industry perspective, then we see that media and publishing and retail are doing better than other areas. Especially striking was that insurance companies are not very compliant to GDPR.
Well, a bit of analysis here. We think that the media companies, as well as retailers, have less of a, let's say, strong relationship with customers. Customers can easily move from one organization to another, so they have to invest in trusted relationships. Whereas if you are a utilities company or an insurance company, then the stickiness or the retention is of course higher. So that could be an explanation of the compliance. The key finding, all in all, is that about 34% of all organizations are pretty well compliant to most of the GDPR requirements. Also what we've seen,
and you could not read that from the previous slides, is that, if you look at the GDPR requirements, then the basic GDPR requirements, right of access, right
of rectification, ability to withdraw, have been implemented by most organizations. If you look at the more complex GDPR requirements, I already touched on data retention and we'll talk more about consent, they have hardly been implemented. Where our researchers thought that consent was needed, only in 12% of the occasions was it actually implemented. And that was quite an
unexpected experience for us. If we look a bit deeper into consent, then there are several things that have to be taken into account. Martin already touched on a few of those. One of the things that is important is that you do not put a kind of a consent blanket over all user data, but that you have to be specific: specific with regard to the purpose of use, but also specific on the data that you collect. So, in IT terms, what you would refer to as an attribute.
If you look at the progress between November last year and this summer, then there has not been a lot of progress in implementing consent. So we see that organizations have mainly been focusing on the very basic requirements with regard to GDPR. If I look not only at GDPR but also at ePrivacy, then we will see that the ePrivacy law is about collecting data mainly for marketing purposes or personalization.
We know that as the cookie law; it is currently implemented in local laws and it's a directive. It will become a regulation soon. It's still being detailed, but it will be even more strict than GDPR. So with the new ePrivacy law, there will be a bigger focus on consent. In GDPR, collecting data can be on various grounds, including a contract, legal ground, et cetera. In the ePrivacy law, it can only be with consent, with explicit consent.
So there will be more emphasis on consent.
So we looked at it on, let's say, the adoption rates, but others also have looked at the adoption of consent from the perspective of individual sites. And they've been looking at these large players like Facebook and Google, how they have implemented consent, in one of their reports. And I can really recommend you to have a look at it.
You will see in that report that these large organizations have designed to, well, as they, and I quote the organization, manipulate users, and users are nudged towards privacy-intrusive options, and they use all kinds of techniques for doing that, like misleading wording or buttons where the happy flow is a blue button and the unhappy flow is a white button on a white background. So it's not only asking for consent but also how you implement it,
and whether you truly commit as an organization to serving customers and working in accordance with GDPR.
So what we see here is that organizations are preparing a legal case for these types of, well, misleading implementations of GDPR. Of course, as a technology provider, the question is not only what do we see in the market, but also why has it not been implemented more? And how can we, as a technology provider, help customers in preparing for that? And there are, I think, a few root causes why we are where we are, and how we can progress from here.
One of them is a scattered landscape, a scattered landscape that we know from the internal side with our internal IT systems; we have exactly the same, and it's growing pretty rapidly on the outside, for the outside world. So there are portals and apps,
there are backend applications, ERP systems, or what have you. And in the external landscape we have not seen so much architecture as we see on the internal side. Martin already touched on the different personas that are involved in managing consent.
And we see that the data model that we need for proper consent management, as well as how to expose that data model, is really a lot different than what we had in the past. That has to do with the data model, the user interface, so how do we interact with users, how do we report, and how can we integrate that in the landscape? If we look at a typical implementation of consumer-facing services in most organizations, we see that, for example, an insurer has multiple brands. We see these back-office applications,
and so customers have different touchpoints, and these touchpoints are not integrated; data reporting, et cetera, is hard.
So very similar to what we see on the internal side of IT, where organizations have been implementing a kind of identity platform for integrating internal
IT, we see the same need on the external side. Initially we have been doing this for, let's say, the 360-degree view on the customer, but now we also need it for compliance reasons. If a user gives consent or revokes consent, then that information has to be centrally stored. The DPO then can just work from one database, with, well, the single source of truth, if you like, for consented data. So working towards an architecture with a central store for consented user data is key for scaling this out to, well, being compliant and scaling it out.
If you look at the people that are involved in a company in implementing this consent, then most often, of course, the chief digital officer or the marketing, or let's say the business, as we tend to refer to it, are one of the key players. That's what we always see. We see relatively little, and I would say too little, involvement of architecture and IT; they have different interests. We see more and more involvement in our customer implementations of the DPO. And as one of our customers said: I'm not so worried about penalties, but I'm very much worried about reputation.
So reputation risk is probably, for the board, one of the key topics. So that means that an activist customer who has just revoked consent will be given an email that he didn't want to receive, and he will go on social media and what have you to let everybody know that he or she is annoyed by the brand.
But in practice, in most implementations that we are doing now, the implementation of consent is something that is mainly handled by the business, the chief digital officer in this persona, and the DPO. If you look at how to store consent, that is not so easy.
We all know the golden record of customer data, with a user with all kinds of attributes. So this can scale to maybe 50 or 60 attributes of a user, and it can be millions of consumer identities that you want to store. But with GDPR, you really need to add the consent to an attribute.
So that means that for each and every attribute you can have multiple purposes of use, and so you have to get multiple consents over time. So we also talk about consent life cycle management. In other cases, parental consent is needed, so then you need to store which parents can give or have given consent for that user. So the data model, or the requirements with regard to the data model, have changed quite a bit with the demands of GDPR and specifically of consent management.
Luckily, the National Institute of Standards and Technology in the US has developed a standard for metadata, and that is a standard that I can recommend you to have a look at, because that pretty much solves the requirements for storing consent. It is not only about storing consent; it is also about how can you collect that consent and how can you share that consent with back-office, with backend systems. So in the landscapes that I have just shown, in a heterogeneous environment, you need to share that consent through APIs.
So there you also need either provisioning or a consent API, or you need to be able to integrate that information in the protocol itself. Then there is the challenge: how do you interact with users when collecting consent? And that is quite a sensitive thing. What we do with our customers is we make all kinds of mockups, and that is very much to inspire the customer on how they can get consent.
And there is a cultural aspect, so it can differ per country, but also per industry.
Or even, let's say, the challenger in an industry: a FinTech company probably communicates differently than a large existing bank. So it is about capturing this consent. It is also about asking for consent in the right way, with the right wording, instead of asking for consent in one big form where you have to give all kinds of data.
If I meet a person, then I only ask for a few pieces of data right at the beginning that I really need to know, or that are appropriate for the relation that I have at that point. In a later stage you are of course able, and you should, to ask for further data; you want to do identity proofing, identity validation, and all these types of things come in a later stage.
So we talk about just-in-time consent and about dialogue design.
So about gathering that consent, we see customers developing A/B testing, and then you are very much relying on the digital department, which is very used to doing A/B testing. A/B testing means testing two kinds of interaction with a customer on how to ask for consent, and then seeing how the customers respond. Do they really understand it, do they return, et cetera? That is pretty common in user interaction design, but we have not seen it applied a lot to consent.
We have seen customers struggling with that right in the beginning. So I strongly recommend starting with these user interaction teams and involving the legal team, because they know much better than the user interaction team or the digital team what is really required and how specific we must be with regard to purposes of use. Then, you know, fail early, learn quickly.
So do quick tests in relatively small steps: start with a small group and then extend to a larger group of users.
What we also see in these practices is that the IT people had a different expectation of what customers would like than what the customers actually liked. So user behavior is not always what you expect. For us, that leads to some conclusions. We think that after the basic implementations in organizations, there will be a lot of work going forward with data retention.
But especially with regard to consent management, we see a lot of discussions with our customers where digital departments are a bit afraid of implementing consent, because they expect a kind of churn or that they will lose certain data. Then there are discussions about legitimate interest, something that we hear all the time, but legitimate interest is not easy either.
Legitimate interest requires, for example, necessity. That means that there is no other way of gathering that data, and that will probably fail pretty quickly in these discussions.
We see that today only 12% of where we consider consent should be implemented is actually implemented. Of course, there can be an area under discussion where customers will say, well, we choose legitimate interest here, but we strongly recommend customers to just start implementing, with this A/B testing, to get some experience with implementing consent. Then you can always see where in practice legitimate interest ends and where consent begins, or vice versa. And in the communication with the marketing departments,
we see that if you talk in wordings like "actionable consumer data", these departments start to better understand that we are helping the marketing departments much more than
we are annoying them with implementing hurdles. With regard to technology and standards, we see that there are maturing frameworks. We talked about this metadata. I did not talk about that yet, but there is also a standardization committee in Kantara for standardizing consent and consent exchange.
And we see the vendors also maturing in this area. All in all I would recommend you to take a few next steps in the, well, six to eight weeks we have up to the Christmas period. One of the things is to accept that you need consent and that the current implementations are insufficient. You have probably seen that the first penalties on organizations have been applied; one of the first was, I think, in Portugal with 400,000 euros.
So it is actually something that penalties are imposed for.
I strongly recommend taking an architectural approach and not building consent as something that you add on; you have to take a structural approach. Explore this NIST data model, for us it was very helpful. Not only think of the data model, think of the consent exchange, leverage the upcoming standards like the consent standards in the Kantara work group, and just start experimenting. And don't focus on exceptions.
We very often end up in discussions where people start with the exceptions; start with the mainstream. Most interesting, and really nice to do, is to work on the consumer interaction and think of how and when to ask, so just-in-time consent with A/B testing. You can really come up with nice interactions with the consumers. These are the things that have been valuable for our customers and probably for you as well. So with this, I would like to hand back over to Martin.
Thank you, Martin. So let's continue with the third part of our webinar, which is the Q&A session.
And maybe let's start with one question. You touched on this term A/B testing a couple of times. So could you elaborate a little bit more on what it is, how it is done, et cetera? I believe a lot of the more IT-oriented people are not that familiar with it. So maybe you can touch a little bit more on that.
Yeah, well, especially on consumer sites and in consumer interaction, you have to find out what works for consumers, and consumers are, as I mentioned, not always predictable. Think of, for example, and I saw a nice example last week, a booking site where customers in an A/B test, so you have one scenario and another scenario, are exposed to a text where, for example, the one test says, "do you want us to keep this data until the end of your contract?" and the other says "do you want us to keep your data until a certain date?"
And then you can just test on which of these two scenarios the customers respond best and whether they understand it. Then you choose the scenario that works best and move more fine-grained to a next step. Those are typical scenarios that you see in user interaction design, and that should be applied to implementing consent as well.
Okay. When you say consent, and you touched on it as well quickly: do we really need consent? Obviously we have the contracts we can use. Yeah. But there's also this concept of legitimate interest.
And currently we see a lot of organizations coming up with this idea of legitimate interest. I just recently read something in one of these data protection policies of a company which said, oh, we need to collect the data to stay in business, so we have a legitimate interest in it. So maybe you can also talk a little bit more about your position on whether the things we see around legitimate interest are valid or not.
Yeah.
Well, first of all, I think that legitimate interest is used as a kind of blanket to not have to do anything on consent. So I think it's not completely well thought over. If you look at the requirements for a legitimate interest, that's not easy either: you really have to have a legitimate interest. So there has to be a very clear purpose, and you have to be very explicit to the consumers that you collect the data and for which purposes you are collecting it. Then the second thing with legitimate interest is that there needs to be a necessity to do it.
So it is not allowed if there is any other way to gather that information. So the requirements for legitimate interest are also pretty strict. And then the last important thing in legitimate interest is that you need to balance the legitimate interest of yourself as a company with the legitimate interest of the consumer.
And that has to be in balance. And you have to keep a record, so a legitimate interest assessment, all the time. So legitimate interest is indeed applicable on some occasions, but it doesn't come for free either.
And yeah, so you need to maintain it. And from that moment on, the responsibility lies with you as a company. So it's your responsibility to treat that data well, and your authorities may ask you whether you have this legitimate interest assessment, whether you really can only gather this data in the way that you do, and whether you did this balancing. So there's a lot to it. And if you look at the current implementation, which we consider is 12% of consent management, maybe we're not right. Maybe part of that,
so of these remaining 88 percent, could be covered by legitimate interest, but it is not the case that a hundred percent of that can be covered by legitimate interest. So start working on consent.
That would be my message.
Yeah. And I think it's interesting; a lawyer a while ago said a nice sentence in a session I've been doing with him. He said, you know, just earning money is not a legitimate interest in the context of GDPR. So just because you earn more money, you don't have a legitimate interest. And I think that is very important to understand. So if your business model depends on collecting data without consent and without contracts, you don't have a legitimate interest.
Now, the intention of the law: I spoke with a lawyer who works at the European Commission, and he said, if you have any questions about interpretation of the law, think of why the law is there. And the law is there to empower the consumer and to avoid misuse. And if you think that by putting a blanket of legitimate interest over everything that you don't want to ask, or don't dare to ask, then you are not complying with GDPR at all.
Okay. So in the interest of time, maybe one last question.
So when you look at applications, you might have a lot of applications. Ideally you have one place where you manage your consent, where you manage your customer identities, because otherwise you might end up having different states of consent, which makes things even worse.
But how do you work between your central consent and the applications which need to act according to the current state of consent?
Yeah, yeah.
Well, actually that is a problem that we have solved in IT, and even in identity management, in the past. We are familiar with provisioning. So that means that you can provision consent, when it changes, to consuming applications. We now see API gateways with consent distribution. Going forward, we expect that consent will be standardized as well. So where we are now used to using SCIM as a protocol to exchange user information, we will see that in consent as well, but it will take a few years before that is standardized.
The application that holds this consent should also provide a "get consent". So it's not only pushing consent; an application should also be able to ask the central consent store:
can I use this data for marketing purposes, or for customer care, or for whatever reason? So there are various ways you can exchange it. One is pushing it through provisioning, one is getting consent, and the last way, which I already mentioned during my presentation, is that you include consent information in a SAML assertion or in any other authentication token. And that is also pretty well available.
Okay.
Thank you, Martin. So we are close to the top of the hour. I hope this was very helpful to the audience. Thank you, Martin, for your presentation. Thank you to the audience for attending this KuppingerCole webinar. As I've said, the recording and the slide deck will be available soon for download. I hope to have you soon at one of our other upcoming events or webinars. Have a nice day. Bye.