Consent management is a business requirement for any company that holds the personal data of customers, associates, or employees: it covers obtaining consent for the data-handling actions applied to Personally Identifiable Information (PII). It concerns businesses that handle payment transactions, work with the US health care sector, or, in some parts of the world, deal with members of the public in any way.
Here is our list of the seven best consent management platforms:
- OneTrust EDITOR’S CHOICE A privacy and governance platform that offers a long menu of services, from cookie consent through to a legal bulletin. Addresses GDPR, California’s CCPA and CPRA, Virginia’s CDPA, Brazil’s LGPD, Canada’s PIPEDA, and South Africa’s POPIA.
- TrustArc Privacy Management Platform A list of privacy management modules that monitors PII and cookie handling functions. It covers GDPR, CCPA, and LGPD.
- Osano Consent Manager This consent management platform offers legal advice bundled with its paid plans and there is also a free version. Works with GDPR, CCPA, and LGPD.
- Cookiebot A consent management platform for cookie deployment that is available in free and paid versions. It addresses GDPR, CCPA, and the ePrivacy Directive.
- CookieYes A straightforward cookie consent management service that is available within content management systems, such as WordPress. It covers GDPR requirements but doesn’t manage PII.
- Quantcast Choice A free consent management service that works alongside a targeted marketing system offering user behavior tracking, which is also free. Works with GDPR and CCPA.
- Piwik Pro Consent Manager A cookie consent manager that can be self-hosted on a cloud platform in the location of your choice. For compliance with GDPR, CCPA, and LGPD.
Although the US health care sector is very lucrative, the requirements of HIPAA, the US regulation on the management of Protected Health Information (PHI), apply to relatively few businesses. The issue of cookie consent is much bigger.
If even the developers of a website don’t know which cookies and tracking libraries its code sets, a business that commissions a new site from a web development agency has even less chance of knowing what the site does behind the scenes. If you don’t know what cookies your site places on visitors’ computers, you don’t know whether you are breaking the law.
The requirement for user consent does not apply everywhere in the world, but websites are reachable from everywhere. So, if you want to run a website without consent management, your alternative is to block the site from loading for visitors located in several countries. That task is probably more complicated than deploying a consent management platform, and IP-based geolocation is only approximate, so some in-scope visitors would still get through.
The biggest legal requirement for PII management springs from the EU’s General Data Protection Regulation (GDPR). As a regulation, it applies directly in every EU member state. There is also the ePrivacy Directive, an EU directive that each member state transposes into its own national law. GDPR deals with the management and storage of PII and the issues surrounding its movement; the ePrivacy Directive is where the rules around cookie consent are actually formulated. However, because the ePrivacy rules rely on GDPR’s definition of valid consent, consent management platforms describe their cookie consent systems as “GDPR compliant.”
The issues of PII and cookie management don’t stop at the EU’s frontier. California has the California Consumer Privacy Act (CCPA), which covers the use of PII, with exemptions for data that is already regulated by sector-specific federal law, such as health information under HIPAA. (PCI DSS, which governs payment card data, is an industry standard rather than a law.)
CCPA doesn’t require businesses to gain consent for cookies. This legislation is focused on the use and sale of PII. However, websites have to inform visitors what data their cookies and trackers are going to collect and how that information is going to be used. If that data can be linked to a specific person or household, the storage and use of those records are covered by the act.
GDPR and CCPA are the two biggest headaches that a website owner has to worry about. However, the EU and California are not the only places in the world that have data and cookie consent requirements. Virginia’s Consumer Data Protection Act (CDPA), which took effect on January 1, 2023, imposes requirements similar to CCPA.
Brazil’s Lei Geral de Proteção de Dados (LGPD) legislates on the management of PII but not cookies, unless they lead to the storage of PII. Canada has PIPEDA, the Personal Information Protection and Electronic Documents Act; again, this covers PII and only relates to cookies in a PII context. South Africa’s Protection of Personal Information Act (POPIA) has been in force since 2020. POPIA is closely modeled on GDPR but has no counterpart to the ePrivacy Directive: it controls the use of PII and covers cookies and site trackers only where they collect PII.
Other countries are formulating or have recently enacted data privacy laws that require consent management, including India, Chile, and China.
Consent Management functions
Typically, a Consent Management Platform (CMP) will be integrated with other functions, such as data discovery and protection. However, strictly speaking, these protection measures are not part of consent management.
Consent management is specifically concerned with gaining approval from users for the storage of PII and consent for several different actions, such as transferring the data to other organizations or moving it outside of a particular jurisdiction. For example, GDPR only allows PII to be moved out of the EU where the destination is covered by an adequacy decision or appropriate safeguards such as standard contractual clauses are in place; the explicit consent of the person the data relates to is one of the fallback derogations.
The main task of a CMP is to identify which data types are subject to the regulation or, in the case of the ePrivacy Directive, which cookies and trackers are subject to legislation. In most cases, a CMP will categorize cookies and trackers (typically as necessary, preferences, statistics, and marketing) so that consent to their use can be sought in groups. Some sites include a very long list of cookies and trackers, and listing them all would be off-putting to site visitors.
Once the presence of PII data stores or relevant cookies has been confirmed, the CMP should create an appropriate consent notification with options that allow the visitor to accept or deny cookies, with nothing other than strictly necessary cookies enabled by default. In the case of CCPA, the notification should inform the visitor what data is collected and of the individual’s rights, including the right to opt out of the sale of their data.
All responses to consent requests should be recorded, or, in the case of notifications, the fact that notification was given should be logged, so that consent can be proved later. The consent database is itself subject to PII rules, because each record has to be linked to the person who gave the response.
Cookie consent systems need to be able to block cookies and trackers from loading until the site visitor gives consent, and to remove them again if consent is withdrawn. Blocking has to happen before the third-party script executes; a banner that appears after the trackers have already fired does not achieve this.
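As an added illustration of the functions just described (this is example code written for this page, not code from any of the CMP vendors reviewed here), the following JavaScript models the cookie-consent side of a CMP: it inventories the scripts a page loads (the earlier point that a site owner often does not know what a commissioned site loads), categorizes cookies so consent can be sought per group, records an opt-in decision with a timestamp, and then activates scripts and purges cookies according to that decision. The `type="text/plain"` plus `data-category` convention, the cookie-name pattern table, the `.example` hostnames and the sample cookie jar are all assumptions constructed for the example; real platforms maintain large tracker databases.

```javascript
// Added example, not vendor code: a minimal model of a CMP's cookie-consent logic.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed cookie-name patterns (assumption). Anything not listed is
// "unclassified" and is treated as a non-consented category (default deny),
// never as "necessary".
const TRACKER_PATTERNS = [
  { pattern: /^(PHPSESSID|JSESSIONID|csrftoken|__Host-session)$/i, category: "necessary" },
  { pattern: /^(lang|theme|cookieconsent_status)$/i, category: "preferences" },
  { pattern: /^(_ga|_gid|_gat|_pk_id|_pk_ses)/i, category: "statistics" },
  { pattern: /^(_fbp|fr|IDE|__qca|ads_.*)$/i, category: "marketing" },
];

function categorizeTracker(cookieName) {
  const hit = TRACKER_PATTERNS.find(({ pattern }) => pattern.test(cookieName));
  return hit ? hit.category : "unclassified";
}

// Step 1: list every <script src> in served HTML and flag third-party origins,
// so the site owner can see what the page loads behind the scenes.
function inventoryScripts(html, siteOrigin) {
  const site = new URL(siteOrigin).host;
  const found = [];
  const re = /<script\b[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = new URL(m[1], siteOrigin).host;
    found.push({ src: m[1], host, thirdParty: host !== site });
  }
  return found;
}

// Step 2: record the visitor's choice. Only "necessary" is true by default;
// every other category must be an explicit opt-in (no pre-ticked boxes).
function recordConsent(choices, now = Date.now()) {
  const record = { version: 1, timestamp: new Date(now).toISOString(), choices: {} };
  for (const c of CATEGORIES) {
    record.choices[c] = c === "necessary" ? true : choices[c] === true;
  }
  return record;
}

function isAllowed(category, consent) {
  if (category === "necessary") return true;
  return Boolean(consent && consent.choices[category] === true);
}

// Step 3a: gated scripts ship as type="text/plain" with a category attribute
// (assumed convention) so the browser does not execute them; the gate switches
// the type to text/javascript for consented categories only.
function gateScripts(scripts, consent) {
  const activated = [];
  const blocked = [];
  for (const s of scripts) {
    if (isAllowed(s.category, consent)) activated.push({ ...s, type: "text/javascript" });
    else blocked.push(s);
  }
  return { activated, blocked };
}

// Step 3b: on refusal or withdrawal, cookies outside the consented categories
// must be deleted, not merely no longer set.
function cookiesToPurge(cookieNames, consent) {
  return cookieNames.filter((n) => !isAllowed(categorizeTracker(n), consent));
}

// Constructed sample page, script list and cookie jar (assumptions).
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script type="text/plain" data-category="statistics" src="https://stats.example/collect.js"></script>
<script type="text/plain" data-category="marketing" src="https://ads.example/pixel.js"></script>
</head><body></body></html>`;
const PAGE_SCRIPTS = [
  { src: "/static/app.js", category: "necessary" },
  { src: "https://stats.example/collect.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
const COOKIE_JAR = ["PHPSESSID", "_ga", "_fbp", "mystery_tracker"];

// Walk-through: visitor accepts statistics only, then later withdraws everything.
const consentStatsOnly = recordConsent({ statistics: true });
console.log(inventoryScripts(SAMPLE_HTML, "https://www.example.org"));
console.log(gateScripts(PAGE_SCRIPTS, consentStatsOnly).activated.map((s) => s.src));
console.log(cookiesToPurge(COOKIE_JAR, consentStatsOnly));
console.log(cookiesToPurge(COOKIE_JAR, recordConsent({})));
```

The two design decisions worth copying are the default-deny for unclassified cookies (an unknown tracker never rides along as "necessary") and the purge on withdrawal, since a record that says consent was revoked is not much use if the marketing cookies are still in the visitor's browser.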
In the case of PII consent systems, the CMP needs to provide an avenue for users to enquire about the records held about them. This is called a Data Subject Access Request (DSAR). Users should also be allowed to request that their data is corrected if it is discovered to contain inaccuracies or even demand its removal. In the case of a removal of data, the business is within its rights to withdraw service from that user, should the retention of PII be a necessary element in the provision of that service.
The best CMP Tools
The best consent management platform for you depends on the scope of your business. If you just want a cookie consent popup for your sites, you will have different requirements from businesses that run targeted marketing tracking campaigns or large corporations whose legal departments want guidance on data privacy standards. The biggest difference in requirements turns on whether you hold PII or not.
What should you look for in a consent management platform?
We reviewed the market for consent management platforms and analyzed the options based on the following criteria:
- A platform that includes PII management policy guidance
- A system that includes consent request form generators, response capture and storage, and DSAR handling functions.
- A minimal, easy-to-use cookie consent system
- Options for legal advice
- A fully hosted service
- A free trial for a no-cost assessment period, a free version to test, or a tool that is completely free to use
- Good value that is found in a fair price for the quality of service and range of functions offered
In compiling this list, we looked for variations of services because not everyone needs all of the functions for consent management. For example, some businesses will need PII consent management, others won’t. Some businesses are looking for a full-service platform, others just want the bare minimum for as little money as possible. So, we put together a range of options.
OneTrust offers solutions to all aspects of consent management from its cloud-based platform. This service presents tools to identify, protect, and manage PII stores and others to seek consent for data usage, ask permission for cookies, manage cookies, and handle DSAR actions.
The system includes legal services as well as IT systems. It also provides toll-free numbers, which are needed to give customers cost-free access when enquiring about PII. All of the digital services are hosted on OneTrust’s servers and are implemented through APIs or the cloud-based dashboard. Each service is charged separately, so you can tailor your package and only pay for the services that you need. The OneTrust system is available for a 14-day free trial.
The OneTrust platform is our top pick for a consent management system because it offers modules that take care of every aspect of legal consent management. The system includes governance and risk management services and legal advice that would interest the legal departments of large corporations. It also has security features that identify PII stores and protect them from tampering, laying down an audit trail for compliance proof. Businesses that just want a cookie consent system will also find a solution with OneTrust.
Get a 14-day free trial: onetrust.com/forms/free-trial/
Operating system: Cloud-based
TrustArc offers a menu of services from its Privacy Management Platform, so you can pick just the services that you need. This list of tools includes policy management, PII identification and management, and cookie consent management.
The system offers data disclosure reporting tools and DSAR management services. There are legal support systems available plus consultancy and training services from TrustArc. You can get a 14-day free trial of the platform’s Cookie Consent Manager or ask for a demo of the wider system.
The Osano Consent Manager is a platform of services that are offered as bundles in four editions. The lowest plan is free. All plans include cookie management features and the paid plans also include PII discovery and management services.
The cookie consent system scans for existing cookies and trackers, generates a consent form, and then receives responses and stores them. You integrate this feature into your site by inserting a snippet of code that loads the consent logic from Osano’s servers. The system can also assist with DSAR requests.
You can get a 30-day free trial of a paid plan from the Osano Consent Manager.
Cookiebot focuses on cookie consent functions and doesn’t include PII management services. This is an API-based system that you integrate into your websites by inserting a line of code. That code is specific to your site and is generated by the Cookiebot dashboard after a scan of your website.
The Cookiebot system includes policy notification banners and cookie consent forms, and it will collect responses and store them. Cookiebot is free for one site with up to 100 pages, and three paid editions cater to successively larger sites. You can get a one-month free trial of the paid service.
CookieYes is another cookie management system; it won’t give you PII management. The big marketing advantage that CookieYes has is that it is available from the plug-in marketplaces of all the major content management systems. You can load it directly into your site in WordPress, Drupal, Magento, Blogger, Joomla, and Wix.
There is a free version of CookieYes and three paid plans. The free system provides a consent form generator and will block cookies that haven’t been consented to. The higher plans include customizable consent banners plus geo-location targeting and multiple languages. The paid editions can be accessed on a 14-day free trial.
Quantcast Choice is a consent management service that partners with a targeted marketing and consumer tracking service called Quantcast Audience. The two modules can operate separately or as a bundle, and both are free to use.
The features in Quantcast Choice identify all cookies and tracking libraries used in a site and then generate a consent popup for them. The system also includes a DSAR management service. Of course, many of those trackers might have been created by Quantcast Audience, so if you are going to use that marketing tool, you will need the consent manager as well. The Quantcast Choice service also includes a partner business risk assessment system.
The Piwik Pro Consent Manager is comprehensive. It also includes functions for managing PII and has a DSAR system that is implemented through a self-service portal. The Customer Data Platform, which serves DSAR requests, also includes an analytical function that lets you assess approval rates and buyer journeys through your sites.
Piwik Pro is available for a demo.