A Consent Management Platform (CMP) is a web software or SaaS that website operators or providers of web apps use to obtain and store data protection consent from visitors via a banner or pop-up before user data is collected via website scripts.
The Interactive Advertising Bureau’s Transparency and Consent Framework (TCF) defines the term consent management platform as “the company or organization that centralizes and manages transparency to and end-user consent and objection.”
In February 2022, the Belgian data protection supervisory authority APD, in consultation with the European Data Protection Board, ruled that the Transparency and Consent Framework, which many companies use to obtain consent via common software solutions, is unlawful. The IAB appealed against this decision.
---
1 | https://iabeurope.eu/all-news/iab-europe-to-appeal-belgian-data-protection-authority-ruling/ |
The processing of personal data is not otherwise permitted, it requires the consent of the data subject, in the EU by section 6 (1) (a) and (7) of the General Data Protection Regulation. Consent must be given voluntarily before the start of data processing and based on sufficient information for the data subject. With a consent management platform, effective consent can be obtained from users through an upstream query when a website or web app is called up for the first time.
When a website is opened for the first time, i.e. the first HTTP request, the Consent Management Platform displays a banner or a pop-up as its HTML element. Website scripts defined by the operator, which collect user data and require consent for this, are only executed after consent has been given, for example by ticking a box or clicking a button. The user’s details are stored by the Consent Management Platform so that the consent banner does not have to be displayed again when the website is called up again and thus consent is secured for evidentiary purposes. Finally, the Consent Management Platform enables a subsequent change or revocation of the consent given, for example via a button in the privacy policy (opt-out). The scope of user consent can be made available to partners and third-party providers by transmitting an encoded character string.
