The beginner's guide to consent management for customers
Ah, the summer of 2018 … the sun, the ocean, the slew of GDPR emails.
If you've been online for more than 5 years – and if not, congrats, you're our youngest reader! – I bet you remember it, too. In just a few months, every one of your online accounts slid into your inbox just to say "hi". And to ask for permission to keep sending you emails.
The Great Email Flood came courtesy of Europe's massive overhaul of consent management (among other things) and overnight, every sign-in journey changed for good.
And I do mean good. Before the General Data Protection Regulation (GDPR), many brands opted us all in by default – for cookies, marketing emails, and a host of other unwanted "services."
So let's take a look at consent management today and talk about what brands need to know (and do) to get it right.
In simple terms, what is consent management?
Well, in (not so simple) terms, GDPR defines consent as <takes deep breath> "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data."
But wait, there's more! Specifically, Article 7 of GDPR lays out four conditions for consent.
More simply, consent management is your process for telling customers how your brand uses their data, getting and recording their agreement (or disagreement), and giving them a mechanism to change their minds by adding or revoking their consent.
We think consent management is good for everyone. Here's why:
- If you're a lawyer or exec at a company, good consent management helps you stay compliant with different privacy laws and guidelines so you can avoid consumer lawsuits and regulatory fines.
- If you're a marketer or a customer, all of those checkboxes that show up when you create an account or sign in are signals that the brand is transparent, trustworthy and takes your privacy seriously.
For customer identity and access management (CIAM) vendors, consent management is increasingly a "table stakes" capability that should make serving up and auditing consents a heckuva lot easier.
What types of consents are there?
If you're just getting started mapping out your approach to consent management, it's important to understand the various flavors of consent: implicit vs. explicit (aka opting in vs. opting out) and optional vs. mandatory.
Explicit consent (aka express or direct consent) or opting in
When a customer has to take deliberate action to make something happen, that's explicit consent. For example, they might need to check a box to allow your company to share their information, or provide their email address to subscribe to a newsletter. Those "this site uses cookies" notifications you get everywhere on the internet are good examples of explicit consents.
(Spoiler alert: Explicit consent is almost always the way to go.)
Implicit consent (aka implied, inferred, or indirect consent) or opting out
Implicit consent used to be the norm. These days it's much less common. In short, when you see a checkbox that is already checked, that's an implicit consent. Good examples are those forms that include explanatory text, like "by clicking Submit you agree to…"
Optional consent
Like its name suggests, these are "nice to have" consents. It's truly up to the user whether they agree or not. A good example is when sites ask if they can send you marketing emails.
Mandatory consent
This one's also pretty straightforward. You've got no say in the matter. If you want to use a site or an app you've got to agree. Terms and conditions are a common example.
As you look at your laundry list of all the things you (or your lawyers) want your customer to agree to, think about which type of consent they are. This will drive when, where and how you capture those consents along the customer's sign-in journey. Here's a cheat sheet with some of the most common examples.

What makes consents tricky?
Look, consent management is complicated.
First, there's what the law requires based on where you do business. For example, depending on where your customers live and access your services, different legal standards may apply. GDPR, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA) are three examples that every brand should review and understand.
These laws and regs encompass more than consent management, and summarizing them is beyond the scope of this post, so here are a couple of helpful resources:
- GDPR vs U.S. state privacy laws: How do they measure up?
- CCPA vs CPRA: What's the Difference?
- CCPA and CPRA
- GDPR for marketing
Another thing that makes consent management tricky is that it's about more than managing a checkbox or two. You also need a system for storing the consent receipt for each customer so you're ready when auditors come calling or – worst case – if you get tangled up in a lawsuit.
And once you have a few different consents with multiple versions, keeping track of which one(s) your customers have consented to adds yet more complexity.
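To make the receipt and versioning problem concrete, here is a small sketch added for illustration (it is not Strivacity's code or API). The consent catalogue, class and field names are hypothetical, and hash-chaining the receipts so an auditor can detect edits is an assumption of this example, not a requirement stated in this post.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed catalogue (hypothetical): consent id -> (current version, mandatory?)
CATALOGUE = {"terms": (3, True), "privacy_policy": (2, True), "marketing_email": (1, False)}

class ConsentLedger:
    """Append-only log of consent receipts, hash-chained so edits are detectable."""

    def __init__(self):
        self.receipts = []

    def record(self, customer, consent, version, granted, at=None):
        if consent not in CATALOGUE:
            raise KeyError(f"unknown consent: {consent}")
        body = {
            "customer": customer, "consent": consent, "version": version,
            "granted": granted,  # False = refusal or a later revocation
            "at": at or datetime.now(timezone.utc).isoformat(),
            "prev": self.receipts[-1]["hash"] if self.receipts else "0" * 64,
        }
        body["hash"] = self._digest(body)
        self.receipts.append(body)
        return body

    @staticmethod
    def _digest(body):
        payload = {k: v for k, v in body.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True unless a receipt was altered, reordered or cut out of the middle."""
        prev = "0" * 64
        for r in self.receipts:
            if r["prev"] != prev or r["hash"] != self._digest(r):
                return False
            prev = r["hash"]
        return True

    def status(self, customer):
        """Latest decision per consent; a grant only counts for the current version."""
        latest = {r["consent"]: r for r in self.receipts if r["customer"] == customer}
        out = {}
        for cid, (current, mandatory) in CATALOGUE.items():
            r = latest.get(cid)
            ok = bool(r and r["granted"] and r["version"] == current)
            out[cid] = "granted" if ok else ("blocking" if mandatory else "not granted")
        return out
```

A customer who accepted version 2 of the terms shows up as "blocking" once version 3 is published, which is the signal to re-prompt at the next sign-in; a revoked optional consent simply reads "not granted".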
It's no surprise then that if you start coding up a solution from scratch, it can quickly drain your engineering budget.
Many companies turn to third-party consent management products and have their development team integrate them into their existing CIAM platform. Some CIAM platforms, like Strivacity, offer native consent management capabilities that cover most use cases, eliminating the need to buy and integrate yet another product.
Curious to learn more? Take a closer look at our capabilities or get in touch.
