
Blindly Trust Your CMP (Consent Management Platform)?

Bombarded your website visitor with annoying pop-ups asking to accept cookies? And you thought the consent management platform (CMP) was doing great?

Things were almost always the same, every time I got involved in a CMP vs. Adobe Experience Cloud situation.

Though the CMPs do a great job helping websites manage the collection and storage of user data by obtaining and storing user consent, I would not bet on (just) them. Especially when it comes to compliance and consequences.

Most often, your CMP vendor helps present a pop-up or banner asking users to agree to the site’s privacy policy, cookie policy, etc., with an option to go granular in terms of selecting which cookies would be okay and which would not. And, as you might know, the preferences are usually stored in a cookie for future visits.
Would you trust that cookie? Or even the JavaScript that pops up the banner? Depends.

Client-side tech is prone to accidents and environmental factors. Whether mentioned in Murphy’s Laws or not, client-side tech does fail. And so do the banners, cookies and whatnot.
To top it off, there are “intelligent”, “automatic” features by various vendors that claim to detect and block network calls to endpoints until (the above) consent is granted for the respective categories. What you might not have noticed is that their documentation also says the tech is not foolproof (i.e., prone to failures).

I am writing all this because we have been solving these problems all this time. Techniques employed by some CMPs fail to understand certain types of trackers and fail to detect certain network calls being made. In fact, when this was pointed out, a CMP rep. himself explained why their detection techniques were “dumb”. And did I tell you that the auto-categorization by the CMPs is something you must manually review? You should.

In short, your website may still be collecting data without consent or sharing user data with third parties. What you can or cannot (or shouldn’t) do is often subjective, and best handled by business goals and security guidelines. However, assuming consent is granted until your CMP says otherwise, or leaving the responsibility fully with the CMP, can end up being painful (and expensive).

What do we do, you may ask. “Allow none” as a default behavior for trackers may be a safe approach. Then let the CMPs evaluate what can be allowed based on consent. For Adobe Experience Cloud products, as an added layer, you may want to explore the consent/privacy options with the Visitor API.
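The “allow none” default described above, as an added example (not code from this post, from any CMP, or from Adobe): a tracker loads only when the consent cookie explicitly grants its category, so a missing or corrupt cookie, or a tracker whose category has not been manually reviewed, results in nothing loading. The cookie name `site_consent`, its JSON value format and the tracker inventory are assumptions constructed for illustration.

```javascript
// Added example: default-deny ("allow none") gate for tracker tags.
// Cookie name, value format and tracker list are hypothetical, constructed for illustration.
const CONSENT_COOKIE = "site_consent"; // assumption: the CMP writes URL-encoded JSON here

// Parse the consent cookie. Any failure (missing, malformed, wrong type) yields no consent.
function parseConsent(cookieString) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const obj = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return new Set();
      const granted = new Set();
      for (const [category, value] of Object.entries(obj)) {
        // Only a literal boolean true counts; "true", 1 or "yes" do not.
        if (value === true) granted.add(category);
      }
      return granted;
    } catch (e) {
      return new Set(); // fail closed on a corrupt cookie
    }
  }
  return new Set(); // no consent cookie at all: allow none
}

// A tracker loads only if it has a reviewed category AND that category is granted.
function allowedTrackers(trackers, cookieString) {
  const granted = parseConsent(cookieString);
  return trackers
    .filter((t) => typeof t.category === "string" && granted.has(t.category))
    .map((t) => t.name);
}

// Constructed inventory; "uncategorized-pixel" has not been manually reviewed yet.
const TRACKERS = [
  { name: "analytics", category: "performance" },
  { name: "ad-pixel", category: "targeting" },
  { name: "uncategorized-pixel", category: null },
];

const sample = "lang=en; site_consent=" +
  encodeURIComponent('{"performance":true,"targeting":false}');
console.log(allowedTrackers(TRACKERS, sample));                   // [ 'analytics' ]
console.log(allowedTrackers(TRACKERS, "lang=en"));                // []
console.log(allowedTrackers(TRACKERS, "site_consent=%7Bbroken")); // []
```

In a page, the returned names would decide which tag loaders run; everything not returned stays unloaded rather than being blocked after the fact.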


2 Comments

  1. Pravin

    How to handle consent with the new WebSDK from Adobe? We are using OneTrust.

    • DRK

      Web SDK doesn’t (yet) support granular consent management to tie with categories in your CMP. Stay tuned!


Deepak Ranjan Kar