1 Introduction
Nearly all enterprises have an online presence and seek to better serve their customers and end-users by understanding who they are and what they want. Compiling customer profiles from personal interactions has long been standard practice to deliver personalized services, but tags, cookies, and numerous other technologies that reside on web browsers to gather information are now considered essential for marketing and functional purposes. Many are first-party technologies set by the site owner, and many are set by third parties that elongate the data value chain beyond the organization’s boundaries. The implicit consent from end-users that such cookies and trackers are active on any site that they visit has been the modus operandi since the mid-1990s, with their derived insights gaining sophistication over time.
Cookies and trackers are highly desirable from a marketing perspective but generate concerns for privacy and use of data without the consent of end-users. There is a wave of privacy regulations across the globe that have been or will be released: EU GDPR, US CCPA, Canadian PIPEDA, Singaporean PDPA, Australian Privacy Act, Brazilian LGPD, Japanese APPI, Indian PDPB, Russian 152-FZ, and many more. Most countries require privacy policies on websites as part of their privacy laws. Vendors did offer enterprise tools to safeguard the privacy of their customer data before the 2018 GDPR, but its release and the subsequent release of other privacy regulations have stimulated the growth of Privacy and Consent Management solutions, and increased the demand for solutions that offer a path to compliance.
This Leadership Compass analyzes vendors in the Privacy and Consent Management segment that provide tools to manage cookie consent, preference management, privacy statements, data usage, and compliance for global data protection and privacy regulations. These solutions are often called Consent Management Platforms (CMPs), a user interface for end-users to register or revoke their consent and adjust their preferences. There is a clear trend that prioritizes cookie consent management for ePrivacy compliance for companies in the publishing industry, but we consider this market segment to have a broader definition to include privacy tools for all verticals and for data collected via channels other than browser cookies, attempts to integrate principles of privacy-by-design, and innovative efforts to align the – at times – conflicting needs of marketing and legal departments.
With this report, you gain full insight into the Privacy and Consent Management market. The key capabilities that make a comprehensive solution are explained, and the different approaches that vendors take to providing a solution are evaluated. The leading vendors are identified according to Product Leadership, Innovation Leadership, and Market Leadership, each with detailed profiles and assessments.
1.1 Market Segment
The enterprise Privacy and Consent Management market segment has its roots in processes for the responsible collection and handling of customer data, but has recently entered the public consciousness with the rollout of GDPR regulations and mass data breach scandals. Strict, binding regulation and strong public demand have attracted new entrants to this segment. This has yielded a dynamic and competitive space where vendors provide the means to collect consent for processing of end-user data.
This Leadership Compass analyzes vendors in the Privacy and Consent Management segment that provide tools to manage cookie consent, preference management, privacy statements, data usage, and compliance for global data protection and privacy regulations. These solutions are often called Consent Management Platforms (CMPs), a user interface for end-users to register or revoke their consent and adjust their preferences, with an administrative dashboard for a customer to customize privacy policies and cookie notifications and to integrate with marketing systems, CRM systems, and analytics platforms. There is a clear trend that prioritizes cookie consent management for ePrivacy compliance for companies in the publishing industry, but we consider this market segment to have a broader definition to include privacy tools for all verticals and for data collected via channels other than browser cookies. Solutions should attempt to integrate privacy-by-design principles, and make innovative efforts to align the – at times – conflicting needs of marketing and legal departments.
The current rapid growth of the Privacy and Consent Management segment for enterprises is dependent on the opposing pressures of marketing technology and the increasing number of privacy regulations. In an ideal world the goals of these departments should be aligned, and with the help of innovative products in the privacy space, they can be. Marketing technology (MarTech) has a strong influence on a company’s revenue, nearly irrespective of industry vertical. In the publishing and content-production industry, revenues can be solely dependent on advertisements and successfully understanding the end-user’s behaviors and interests to deliver personalized ad experiences. This strategy is heavily dependent on collecting personal data from end-users, often through cookies and tracking technology. Collection of this data has come under heavy scrutiny in recent years, with regulation eventually following. The EU was the first region to take meaningful action with the GDPR, ePrivacy Directive, and PECR in the UK. Other regulations from the US and globally are in development, among these being the California Consumer Privacy Act (CCPA). The concern over end-user privacy and data usage predates the 2018 GDPR, and many of the vendors assessed in this Leadership Compass have been offering privacy solutions since before the GDPR was enforced.
Although Privacy and Consent Management solutions are necessary in all verticals, the business models of publishers and content creators are especially intertwined with the collection of end-users’ data. This causes publishers to have very complex and multi-layered tag and tracker ecosystems. Many CMPs are primarily concerned with creating transparent and standard data exchanges between publishers, advertisers, and the vendors that fire third-party HTTP/JavaScript cookies, HTML5 Local Storage, Flash Local Shared Objects, Isolated Storage, IndexedDB, ultrasound beacons, and pixel tags. Gathering consent and implementing end-user choices can be relatively straightforward for first-party owned cookies and trackers – those that are set by the organization owning the website they are fired on – as the process can be managed internally, although this is challenging for companies that own numerous domains and have high volumes of site visitors. Third-party cookies, whether third-party technology under first-party control or wholly third-party, belong to a domain that is different from the hosting website, and implementing end-user choices means interacting with external vendors. Piggyback tags are usually from third-party vendors and are invoked by another tag, making it possible for third parties to set cookies on a website without the site owner’s permission or knowledge. These cookies and trackers have many purposes, including personalization and collection of preferences, session management and login activities, and tracking end-user browsing behavior.
Data usage is a key aspect of protecting the privacy and enforcing the consent choices of end-users. Effectively communicating an end-user’s consent choices to relevant departments within an organization as well as to downstream partners in the digital advertising chain is critical to a Privacy and Consent Management solution. This is typically achieved in one of two ways, and sometimes in combination: either by scanning websites for cookies and trackers then blocking these from firing until adequate consent has been collected, or by following the IAB Europe Transparency and Consent Framework (TCF) that whitelists compliant cookie and tracker vendors and proactively communicates via standardized signals. Other data usage aspects that should be considered include, as a non-exhaustive list: data protection (including data minimization, storage limitation, etc.), breach notification, consent per purpose, extension of data subject rights (such as the right to be forgotten), data portability, and Data Protection Impact Assessments (DPIA). Privacy-by-design that considers these aspects should be a goal for all Privacy and Consent Management solutions.
At this point, there are no universally recognized interoperability standards for Privacy and Consent Management. There is a voluntary framework called the IAB Europe Transparency and Consent Framework (TCF) to assist participants in the digital advertising chain – including publishers, advertisers, vendors, and Consent Management Platforms (CMPs) – to meet the requirements of the ePrivacy Directive and GDPR. This is heavily focused on cookie and tracker management by establishing standard signals that indicate an end-user’s consent choice to easily and instantaneously communicate with participants downstream. There are four aspects to the TCF: a Global Vendor List, a Transparency and Consent (TC) String for data storage, an API for Consent Management Providers or Platforms (CMPs) to create and process the Transparency and Consent String, and the governing policies of the TCF. Many solutions covered in this Leadership Compass that specifically serve the publishing industry are certified IAB CMPs, meaning that they offer an option to their customers to configure the CMP according to IAB specifications. The benefits of such a framework include the ability to identify cookie vendors who are also part of the framework, which increases the transparency and auditability of data and consent collection throughout the digital advertising chain.
An IAB-compliant cookie notice shows different categories for cookies than the typical four of strictly necessary, functional, marketing, and analytics. These different categories are personalization, linking devices, experience enhancement, and precise geographic location data, and the notice also provides information on individual vendors. In an IAB-compliant CMP, consents and preferences are packaged in a standardized payload called the TC String, which carries additional information such as metadata, legitimate interest, publisher restrictions, and specific jurisdiction disclosures. The API provided by the TCF is a standardized means for parties in the digital advertising chain – being a hosting publisher, CMP, or an advertising vendor – to access the consents and preferences in the TC String.
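To make the TC String and the "block until consent is collected" approach concrete, the following added example (not part of this report and not IAB Europe's code) decodes the leading fields of a TC String core segment and gates a tag on the recorded purpose consents. The field order and widths are taken from the published TCF v2 specification, which this report does not reproduce; `decodeCore`, `tagMayFire` and the sample values are hypothetical names and constructed data.

```javascript
// Added example: field order and widths follow the published IAB TCF v2 core segment.
const FIELDS = [
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['tcfPolicyVersion', 6], ['isServiceSpecific', 1],
  ['useNonStandardStacks', 1], ['specialFeatureOptIns', 12],
  ['purposesConsent', 24], ['purposesLITransparency', 24],
];
const CORE_BITS = FIELDS.reduce((n, [, w]) => n + w, 0); // 200 bits
// Bit 1 of a purpose field is the leftmost bit and stands for purpose ID 1.
const idsToMask = (ids, width) =>
  parseInt(Array.from({ length: width }, (_, i) => (ids.includes(i + 1) ? '1' : '0')).join(''), 2);
const maskToIds = (mask, width) =>
  [...mask.toString(2).padStart(width, '0')].flatMap((b, i) => (b === '1' ? [i + 1] : []));

// Decode the leading fields of the core (first dot-separated, base64url) segment.
function decodeCore(tcString) {
  const b64 = tcString.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
  const bits = Array.from(Buffer.from(b64, 'base64'), (b) => b.toString(2).padStart(8, '0')).join('');
  if (bits.length < CORE_BITS) throw new Error('core segment too short');
  const out = {};
  let pos = 0;
  for (const [name, width] of FIELDS) {
    out[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  out.purposesConsent = maskToIds(out.purposesConsent, 24);
  out.purposesLITransparency = maskToIds(out.purposesLITransparency, 24);
  return out;
}

// Hypothetical gate: a tag may fire only if every purpose it declares was consented to.
// Fails closed on an unreadable string; per-vendor consent (later sections) is not checked.
function tagMayFire(tcString, requiredPurposes) {
  let consented;
  try { consented = decodeCore(tcString).purposesConsent; } catch { return false; }
  return requiredPurposes.every((p) => consented.includes(p));
}

// Encoder used only to build the constructed sample below.
function encodeCore(v) {
  const bits = FIELDS.map(([n, w]) => v[n].toString(2).padStart(w, '0')).join('');
  const bytes = bits.match(/.{8}/g).map((b) => parseInt(b, 2));
  return Buffer.from(bytes).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Constructed sample (leading fields only): CMP 42, language "EN", consent for purposes 1, 3, 4.
const SAMPLE = encodeCore({ version: 2, created: 16000000000, lastUpdated: 16000000000,
  cmpId: 42, cmpVersion: 1, consentScreen: 1, consentLanguage: 269, vendorListVersion: 50,
  tcfPolicyVersion: 2, isServiceSpecific: 1, useNonStandardStacks: 0, specialFeatureOptIns: 0,
  purposesConsent: idsToMask([1, 3, 4], 24), purposesLITransparency: idsToMask([2], 24) });
```

A real TC String continues past these fields with vendor consent and legitimate-interest sections and publisher restrictions, so an audit of a live string should also decode those before treating a vendor as permitted.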
The uncertainty that impending regulation brings for companies creates the conditions for this market segment to develop rapidly. But until the regulatory environment is stable, the Privacy and Consent Management segment will continue to grow with a variety of service offerings to help businesses achieve privacy compliance.