For the GDPR-curious: WTF is a CMP?

Those preparing for May 25, when enforcement of the General Data Protection Regulation begins, have likely heard a new acronym: CMP, or consent management platform. What is it, and why is it necessary? Here’s an explainer:

What’s a consent management platform anyway? 
It’s the technical infrastructure a business uses to collect and store what data customers have consented to be used and for what. The CMP then feeds that information to other selected partners in the digital ad supply chain. The idea is that everyone in a publisher’s supply chain understands what data they may use and for what. Some brands, like telcos, have had consent management systems for several years. Some anti-ad-blocking tech providers have started to make it part of their offering.

Does the GDPR require businesses to have a CMP?
No, but it’s advisable. The Interactive Advertising Bureau Europe has said any business that’s classified as a data controller (any website owner with first-party data) needs to have a CMP if it wants to plug into its consent framework, which is a way of standardizing requests for consent across the digital ad supply chain.

What else can a CMP do?
Some can include data-preference centers where people can manage their own privacy settings. It can keep track of the consent process, from the point where a consumer first gives permission to the point when they adjust or remove their permissions, and ensures compliance by any ad tech vendor that’s been given consent by the publisher to use that data. Vendors can find out if they’ve been given consent or if they can no longer use the data via an application programming interface.

Are all CMPs the same?
There will likely be different degrees of sophistication. A basic version manages capturing consent, while a more advanced version takes in data on different stages of consent — not just opt-ins and opt-outs, but opt-downs, which is when customers want fewer messages from a business but don’t want to opt out entirely. “[A CMP] can integrate with existing data systems specifically to manage consent,” said Chad Wollen, CMO at ad tech vendor Smartpipe. “It integrates with your [customer] touch points [such as call centers and stores] so you can collect consent at different stages and at different occasions.”

Sounds straightforward. So what’s the catch?
Nothing is simple when it comes to the GDPR, and CMPs are no different. First, the more features a CMP has, the more it will cost. Publishers with multiple titles need to manage consent for the parent company, but also on the individual brand level. Publishers also have to gain consent not just for themselves, but for their ad tech partners. Also, once consent is given, that data can only be used for one purpose.

“The GDPR has caused people to think about this in a broad way, putting too high a focus on the initial gathering of consent — that one moment,” Wollen said. “But really, people need to think of the entry-level consent and then build the steps and paths to adding more consent for more products.”

https://digiday.com/?p=286992

More in Media

Assessing the fallout of Google’s ad tech antitrust trial

Parsing the probable, possible, and plain absurd, including what a divested entity may look like.

Digiday+ Research: How programmatic shook out for publishers in 2024

Programmatic ads have remained a significant source of revenue for publishers throughout 2024, but it’s possible that in 2025 they could pull back from their focus on programmatic.

What publishers can be thankful for this year

In honor of the Thanksgiving holiday, here are some things the media industry can be thankful for.