How to manage data across your tech stack based on customer consent

Just a few years ago, discussions about customer consent and the systems used to manage it were limited to the four walls of the DPO’s office. Today, with the introduction of GDPR, CCPA/CPRA, and similar legislation across the world, compliance with customer consent preferences is at the forefront of every marketing and product decision.

Although this change has presented a short-term shake-up in the way that growth teams design customer experiences, the increased focus on customer data privacy is ultimately a very good thing. Privacy is a fundamental human right, and increased trust between customer and brand results in better experiences for all parties involved.

In order to stay compliant and build customer trust, brands must understand the regulations that apply to their business and implement a scalable system that allows them to manage how customer data flows between systems based on consent.

The data privacy regulation landscape is constantly evolving. As you design customer experiences, there are several significant legislations that should be informing your decisions (As of February, 2021).

The GDPR, enforced in 2018, has been one of the most impactful privacy legislations in recent years. The purpose of the GDPR is to provide European consumers with greater control over how their personal data is handled by businesses. It does so by requiring any business that serves residents of the EU to provide those residents with the opportunity to: 

1. Access any data collected about them
2. Rectify any errors in the collected data
3. Erase data they don’t want retained or distributed
4. Review and object to automated decision processes using the data
5. Move collected data from one company to another

In addition to personal rights, the GDPR establishes the principle that companies can only collect and use data if they have a lawful basis for doing so, aligned with the purpose of the data processing operation. The data processing mechanisms under discussion by most marketers are: a) legitimate interest, b) explicit consent of the individual, and potentially c) contract. The GDPR carefully specifies that this consent must be based on clear, advance disclosure of what is being collected, how it will be used, how long it will be stored, and who else may receive it for processing. There are some narrowly defined exemptions to consent and legitimate interest including a legal basis that can be derived from performance of a contract, fulfillment of legal obligations, public interest, and similar factors. 

You can learn more about the GDPR here.

The CCPA, effective as of Jan. 1st, 2020, a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information of California residents. Under the CCPA, California residents (“consumers”) are empowered with:

1. The right to opt out of having their data sold to third parties 
2. The right to request disclosure of data already collected 
3. The right to request deletion of data collected

Additionally, California residents have the right to be notified and the right to equal services and price (i.e. cannot be discriminated against based on their choice to exercise their rights).

You can learn more about the CCPA here. 

The CPRA, which comes into effect on Jan. 1st, 2023, functions as an addendum to the CCPA. It expands upon the original legislation by requiring businesses to offer California residents:

1. The right to rectification 
2. The right to limit use and disclosure of sensitive personal information

Additionally, while the CCPA stated that the Attorney General of California was responsible for enforcing the law, the CPRA has created a California Privacy Protection Agency to enforce the legislation.

For more information on CPRA and how it expands on CCPA, you can view an in-depth comparison here.

The GDPR, CCPA, and CPRA have already had a significant impact on the way growth teams manage customer data, and many believe these legislations will be followed by similar laws across the world. Gartner predicts that by 2024, more than 80% of organizations worldwide will face modern privacy and data protection requirements.

To support regulatory compliance, earn customer trust, and continue to deliver the contextual experiences that customers have come to expect, it’s important to have the right consent management system in place. The best place to start is a Consent Management Platform.

Consent Management Platforms (CMP) help brands comply with consumer data privacy regulations by making it easier for them to track user consent state. CMPs enable brands to display a consent pop-up upon a user’s initial visit to a website or native app, providing the user with the option to accept or prohibit tracking. Most CMPs will also store a user’s consent data, making it easier to provide contextual experiences in the future and handle data subject requests.

Here is an example of a consent pop-up displaying on mparticle.com.

CMPs have been on the market for a few years now, but they've become increasingly important for businesses today due to the introduction of GDPR CCPA/CPRA, and ePrivacy.

Consent Management Platforms serve as the gateway to a business’s website or native app, both in terms of the user experience and the codebase itself.

For users, a consent pop-up displaying initially upon a website visit or app open has a significant impact on the customer experience. The offer immediately puts the user in control of the treatment of their customer data and offers transparency into data collection and usage, laying the foundation for trust. Today, consent pop-ups have become so ubiquitous (particularly in regulated areas such as the EU and the state of California), that the lack of one upon an initial website visit can be perceived as suspicious.

On the technical side, a user’s engagement with a consent pop-up determines which libraries will be activated as the user continues to navigate through the website or app. For example, if a user visits a retail website and opts-in to tracking for analytics purposes but not marketing purposes, your CMP will be able to process that request and initiate the tracking snippet for your analytics tool, but not the snippet for your marketing automation platform. If that customer makes a purchase, therefore, the purchase event will be collected by your analytics tool, but not your marketing automation platform. For example, OneTrust’s Preference Choice consent platform allows you to automatically block trackers from deploying until proper consent is gained or leverage traditional blocking methods like tag manager integration and script re-writing to support compliance.

Consent Management Platforms are invaluable for collecting consent preferences when a user engages with your app or website. But when customer data is being collected from multiple channels (mobile, web, OTT, server-side) and stored in many different applications (analytics, marketing automation, paid media, etc.) at once, or if you’re tracking consent across multiple brands, it’s important to have a central customer data infrastructure in place that enables you to monitor changes in consent state in real time and manage how data flows between systems. 

Customer Data Platforms (CDP) help by tying the consent states collected from your Consent Management Platform in each channel to a unified customer profile, along with engagement data from across channels. Once profiles are updated, you’re able to manage how data is forwarded to each downstream tool based on consent state, and send user consent state data to data warehouse, analytics, or marketing automation integrations.

For a detailed description of how a CDP supports consent management, check out this video walkthrough led by Sam Dozor, mParticle Sr. Director of Engineering.

mParticle integrates with OneTrust, a leading Consent Management Platform. OneTrust works similarly to other CMPs, in that it launches a module with customizable consent preferences for both cookie and universal consent. Customers can then opt-in to tracking and dictate what information is collected and how it can be used. OneTrust collects these preferences and integrates them into your existing consent collection workflows.

When OneTrust is integrated with mParticle, consent decisions made in the OneTrust UI are tied to persistent customer profiles in mParticle, where they can then be used to control how, when, and where customer data is shared with 280+ partners in the mParticle integration ecosystem.

Once consent is logged, consent state properties can be viewed in the mParticle UI and provide proof of consent. For companies with many brands, OneTrust and mParticle’s data governance capabilities ensures that customers’ consent dictates who within the organization can access specific subsets of customers’ data, using role-based permissioning.

This integration is one-directional, with only OneTrust sending consent events to mParticle, so customer consent records are only changed when new customer consent decisions are recorded. Using mParticle’s GDPR and CCPA-compliant consent controls, and OneTrust’s cookie and universal compliance tools, you can control what data is collected, stored, accessed, and shared on a granular level, providing both you and your customers with a greater level of control over personal data.

For example, a global media company was looking to manage identities across their 17 brands and respective technology partners, applying consent preferences across each of their digital touchpoints. Using OneTrust and mParticle, this global media company was able to manage how customer data was integrated between systems based on consent state within weeks of implementation.

To learn more, you can explore mParticle's data governance capabilities here.