Those preparing for May 25, when enforcement of the General Data Protection Regulation begins, have likely heard a new acronym: CMP, or consent management provider. What is it, and why is it necessary? Here’s an explainer:
What’s a consent management provider, anyway?
It’s the technical infrastructure a business uses to collect and store a record of which data customers have consented to have used, and for what purposes. The CMP then feeds that information to other selected partners in the digital ad supply chain. The idea is that everyone in a publisher’s supply chain understands what data they may use and for what. Some brands, like telcos, have had consent management systems for several years. Some anti-ad-blocking tech providers have started to make it part of their offering.
Does the GDPR require businesses to have a CMP?
No, but it’s advisable. The Interactive Advertising Bureau Europe has said any business that’s classified as a data controller (any website owner with first-party data) needs to have a CMP if it wants to plug into IAB Europe’s consent framework, which is a way of standardizing requests for consent across the digital ad supply chain.
What else can a CMP do?
Some include data-preference centers where people can manage their own privacy settings. A CMP can keep track of the consent process, from the point where a consumer first gives permission to the point when they adjust or remove their permissions, and ensure compliance by any ad tech vendor that’s been given consent by the publisher to use that data. Through an application programming interface, vendors can find out whether they’ve been given consent or can no longer use the data.