Beware of the Not-So-Legitimate CMP
GDPR was the catalyst for many publishers to onboard Consent Management Platforms (CMPs). According to eMarketer data, 1 in 3 UK publishers had a CMP partner by the end of 2018, while US publishers trailed slightly behind with 29% adopting CMPs that year.
There’s no recent US-specific data on CMPs, but state laws like CCPA and the likelihood that we’ll eventually have federal privacy legislation, make CMPs a hot topic for publishers. Here’s what they need to know.
What Should a CMP Do Right Now?
Broadly speaking, US publishers need CMPs to perform two functions. First, a CMP needs to provide an audience-facing tool for users to manage their tracking preferences. Second, a CMP needs to be able to fulfill data requests by allowing users to see, download, and delete their data.
Whether or not a CMP actually does these things, however, is another matter. As a Digiday article from October 2019 made clear, fraudulent consent strings are an issue. That said, publishers can guard against fraud by educating themselves and testing potential CMP solutions against the two broad capabilities.
Compliance Promises Are a Clear Red Flag for Now
Unfortunately, there’s no “easy button” publishers can push to achieve compliance. In fact, as of this writing, it’s difficult, if not impossible, to say for sure what compliance means. Privacy laws are new, and they’re likely to remain a work in progress for the foreseeable future.
Last year, a report commissioned by the California Attorney General estimated that companies could spend up to $55 billion on legal fees, technology, and operational costs to become compliant. More recently, California’s AG modified draft rules, while industry trade groups asked for an enforcement delay due to the COVID-19 pandemic.
What this means for publishers right now is that any solution pitching immediate compliance should be taken with a grain of salt. There are certainly vendors out there that are committed to helping publishers navigate an uncertain and ever-changing privacy landscape. But if a vendor is pitching a solution that sounds too good to be true, it probably is.
How Should Publishers Proceed?
All publishers face a great deal of uncertainty here, but that uncertainty is especially hard for smaller publishers. To begin, those publishers should take the time (a few hours) to read the CCPA. Doing so will give them an understanding of the spirit of the law — that is, the broad goals the law seeks to achieve. Armed with that knowledge, publishers can weigh their options accordingly by asking whether the solutions they’re considering move them closer to following the spirit of the law.
Next, publishers should think about their level of exposure. Analyzing that question will depend on the size of the publisher, as well as the type of data they collect. If you’re handling sensitive information like credit card numbers, your exposure is going to be greater than a publisher that simply collects email addresses, or a publisher that deals entirely with anonymized data. Thinking about your overall exposure will help publishers source a CMP that addresses their specific needs.
What Does a Reputable CMP Look Like?
Once publishers have taken the time to educate themselves on the challenges of compliance and considered their exposure, they’re ready to source a CMP. Here are some questions publishers should consider:
- Does the CMP make realistic promises, given the uncertainty around privacy laws? As I said before, if it sounds too good to be true, it probably is. At this point, you aren’t going to find a vendor that has all the answers.
- Can the vendor provide a written declaration of what capabilities/functions the CMP provides? Any vendor worth their salt ought to be able to describe what they do, and they should have no problem putting that information in writing.
- Does the vendor provide liability protection (e.g. indemnification) if their solution fails to meet compliance standards? Here, the answer may vary because only the most robust paid solutions are likely to provide liability protection. But asking all vendors this question will reveal plenty about their operations.
- Is the CMP product the company’s primary product, or an add-on to another solution? Free or bundled solutions may end up being worth exactly what you paid for them. At the other end of the spectrum, there are CMPs that have invested in Data Subject Access Rights solutions, which are expensive to build and maintain. While those vendors might be costly, their value proposition is that their business model incentivizes them to continue to iterate as the nature of compliance evolves.
No matter how publishers address their CMP needs, they need to prepare for a long period of uncertainty. Educating yourself and working with good partners aren’t perfect solutions, but they are a good start toward controlling your destiny in a changing publishing environment.
Kurt Donnell currently serves as President and CEO of Freestar and has a background in both business development and law. Before Freestar, he was the EVP of Corporate Development and General Counsel at YogaWorks where he saw the company through its IPO, and prior to, he led SheKnows Media through several successful acquisitions. Before entering the digital space, he was a corporate attorney with Am Law 100 law firms Jones Day and Ballard Spahr.