Skip to main content
Table of Contents
< All Topics
Print

Managing Consent: The Key to Trust and Compliance

Initial Publication Date: 13 May 2019

Abstract

The introduction into law of the European Union’s General Data Protection Regulation (GDPR) in May 2018 stimulated a slew of similar data protection initiatives in jurisdictions including California, Brazil, India, China, Russia and others. What all these diverse legislations share in common is greater protection for the rights and interests of individuals in terms of how their personal data is captured, stored, managed and used. GDPR and other legislations are now legally binding and enforceable with considerable penalties.

A key aspect of the GDPR is a user’s right to explicitly agree or consent to how data about them is being collected, stored, managed and used as well as the right also to modify or cancel the agreement at any time. This legislation is indicative of a profound shift in favor of users gaining control over where, why and how their personal data is being kept and used.

These trends have driven most enterprises to at least begin to explore how to manage consent agreements with their employees, customers and partners. This is reflected in the number of vendors that are currently developing user-friendly consent management platforms (CMP).

In this report, we investigate this emerging trend, what the major players are doing, and our recommended next steps for our clients. This report covers:

  • Consent management value proposition and enterprise recommendations
  • Factors that help enterprises achieve the right balance between business needs, consumer rights and risks.
  • TechVision’s shortlist of vendors with consent management solutions
  • Eight steps an enterprise should take to maintain customer trust

Authors:

David Goodman, D. Phil

Principal Consulting Analyst

[email protected]

 

Executive Summary

Enterprise Identity and Access Management (EIAM) has traditionally focused on ensuring that employees have the appropriate access and permissions in place to carry out business securely, effectively and efficiently. As Digital Transformation programs have expanded the enterprise digital footprint to include customers, trading partners and the broad category of “things”, IAM services have evolved to support them. One of the emerging challenges is that new privacy regulations as well as evolving customer expectations are putting pressure on organizations to re-assess their right to the use of personally identifiable information (PII). Collecting, managing and consistently executing on policies consistent with these requirements is creating a new category called consent management.

Consent management isn’t just about managing the explicit consent associated with data obtained directly or indirectly from customers, but also deciding upon the appropriate and permissible use of data if consent is not requested. The new and upcoming privacy regulations across multiple geographical jurisdictions, each nuanced slightly differently but predominately based on the GDPR, are a challenge for both organizations and their IDaaS providers with stiff penalties incurred for any mishandling of personal data. This is resulting in increased attention from regulatory bodies and individuals associated with gaining consent for collecting, handling and potentially sharing PII.  Gaining consent and providing usage control to those identified by the data is no longer a nice to have or an afterthought; it is increasingly a legal requirement and a business necessity that is ingrained in big data, sales and marketing programs.

Consent management is rapidly evolving, and we’ll assess appropriate technical and business approaches. This requires achieving consensus amongst internal stakeholders, led by sales and marketing from the customer-facing LOBs, working with IT to understand the parameters of what is and is not possible, and finally reaching out to a representative group of external stakeholders. Despite the temptation and attraction of going with a home-grown solution (particularly if there is one already in place), TechVision Research’s strong recommendation is that large enterprises choose from among the several vendors offering Enterprise IAM (EIAM) and/or Customer IAM (CIAM[1]) solutions with consent management lifecycle capabilities.

This report separates the marketplace into specialist, marketing consent, cookie consent, healthcare, EIAM/CIAM vendors and corporates, acknowledging that there are many new start-ups, particularly in Europe, that are being opportunistic based on the demand for GDPR-compliant approaches to managing consent. That said, some of these vendors may not be ready yet for main stream market consideration. It is clear that this is a nascent market and several ways in which this space could evolve are identified.

Consumer expectations and concerns about the amount of control they have over data is only going to grow and, irrespective of the regulatory jurisdiction an enterprise is beholden to, it is TechVision Research’s recommendation that all organizations should seek to embrace some form of consent management in order to maintain a competitive advantage and mitigate risk.

We conclude with a shortlist of vendors we recommend as a starting point in the consent management space. For further help with your consent management strategy and the eight steps from start to rollout, TechVision Research offers strategic and practical support throughout this document and via our consulting services offerings.

Introduction – Playing by the Rules

The introduction into law of the European Union’s General Data Protection Regulation (GDPR) in May 2018 stimulated similar data protection regulation initiatives in jurisdictions including California, Brazil, India, China, Russia and many others. These diverse regulatory controls share a common thread in that they focus on protecting the rights and interests of citizens/individuals as to how their personal data is captured, stored, managed and used. Data protection is not new but, notably in the case of the GDPR, compliance is now legally binding and enforceable with considerable penalties. Most large organizations should start with the basic GDPR principles and build their program from this foundation.

From an enterprise perspective the guiding GDPR principles are to:

  • Empower your customers by informing them – with clarity – about what information you’ve obtained and what purpose you’re going to use it for;
  • Show your commitment by providing a user-friendly way for customers to consent and a just as easy mechanism to refuse to your usage of their data, unless your business has a clear legitimate purpose.
  • Offer the tools to control and manage that personal data as and when their situation changes
  • Make your customers aware that they can legally challenge your company if your business changes its purpose or use for the personal data (without revised consent) or loses it due to inadequate care.

Now think of GDPR from the perspective of your customers; from this point of view they have the right to:

  • Object to their data being used for any marketing purposes
  • Full disclosure of how their data will be processed
  • Object to their data being automatically processed for profiling purposes
  • Obtain full data access
  • Require their data be rectified if inaccurate
  • Demand that you erase their data
  • Obtain a copy of their data in a form they can take to your competitor (known as data portability)

The key to enabling customers to meaningfully engage with businesses is to first gain specific consent as to the way that the data pertaining to them is managed and processed. There needs to be a transparent and trustworthy mechanism for getting and maintaining these consent agreements. So, let’s start with the basics: what is consent management?

A Definition of Consent Management

We’ll start with the definition for consent in Article 7 of the GDPR, according to which consent is understood as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance the reputation of the company or organization seeking a mandate for the use of a person’s data.

The GDPR, in particular, sets a high standard for consent, but it’s not always actively required particularly if there is already a lawful basis for having access to someone’s PII.

Consent requires a positive opt-in which means not using pre-ticked boxes or any other method of default consent: explicit consent requires a very clear and specific statement of consent. Likewise, it’s important to be specific and granular to avoid vague or blanket consent for separate things that may have different consequences.

Regulations and Directives

The first comprehensive national data privacy law was enacted in 1973 in Sweden and at the time of writing, there are well over 100 laws worldwide that vary considerably. The following table describes the main characteristics that are typically included in data protection legislation:

Domain Description
Scope Whilst most laws apply across the board, the United States has several laws limited by vertical sector
Geographical coverage It is no longer accurate to refer to ‘countries’, but more accurately ‘separate legal jurisdictions’, which could mean several legal systems under one country or a single jurisdiction applicable across multiple countries or domains
Enforcement The degree to which data privacy laws are enforced varies considerably, as do the fines associated with data breaches. Until recently data protection in each Member State of the European Union was only covered by directives, that made policing very difficult for national data protection agencies.
Severity Whilst most laws apply across the board, in the United States has several laws limited by vertical sector
Sectors Applicability to either public or private sectors or, as in most cases, both

Table 1: Data protection legislation characteristics

In our study of the regulations, we noticed a pattern common to the legislation. We have defined that pattern as a set of ten principles that underpin most of the legal instruments relating to data protection. They are:

  1. Data quality – relevant, accurate and up-to-date
  2. Collection – limited, lawful and fair; with consent or knowledge
  3. Purpose specification at time of collection
  4. Notice of purpose and rights at time of collection (implied)
  5. Uses and disclosures limited to purposes specified or compatible
  6. Security through reasonable safeguards
  7. Openness re personal data practices
  8. Access – individual right of access
  9. Correction – individual right of correction
  10. Accountable – data controller with task of compliance

As you build or modify your consent management and compliance programs, these principles should be at the core of the operational programs and reporting capabilities.

Featured Regulations

As mentioned earlier, we have identified over 100 laws worldwide related to consent and data privacy. In this section we are highlighting the main or at least the most influential pieces of legislation related to data privacy and consent are as follows:

General Data Protection Regulation (GDPR)

Domain: European Union, Effective: May 25, 2018

Under the GDPR customers have the right to:

  • Object to their data being used for any marketing
  • Full disclosure of how their data will be processed
  • Object to their data being automatically processed for profiling purposes
  • Full data access
  • Require their data to be rectified if inaccurate
  • Demand that you erase their data
  • Obtain a copy of their data in a form they can take to your competitor (known as ‘data portability’)

The GDPR requires affirmative, and in some cases, explicit, consent with dramatic impact for many organizations. Both PSD2 and PIPEDA significantly extend consent collection requirements.

In the GDPR, the processing of personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. In order to obtain freely given consent, it must be given on a voluntary basis. The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (granular) consent options for distinct processing operations. In summary, for consent to be valid under the GDPR, it must be freely-given, specific, informed and revocable. The rules emphasize the need for individuals who could be visitors to your website, customers, potential customers or former customers to have real choice and control over their personal data and how it is used.

Another aspect is that an enterprise can only process data for the purposes that have been identified to the user – and to which he/she has consented. So, if you have identified all the purposes for which you are processing data, then you need to ensure that all uses are listed, and consent has been obtained for each of the different types of processing.

Individuals have increased rights under the new rules and must be able to withdraw their consent at any time. What this means in practice is that not only do you need to tell individuals that they have this right and how to do it – which can be simply providing an email address – but you also need to be able to act on their instruction and implement any such requests.

The same set of rules apply (more or less) to employers who might consider the context of employment as the legal basis for processing personal data. However, there is some ambiguity as there are categories within the GDPR which suggest that consent cannot be freely given in an employer/employee context, whereas there are grounds for justification based on whether it is:

  • required for the fulfilment of an employee’s contract of employment which would include, for example, details of an employee’s bank account needed by the employer to make salary payments
  • demanded by law, covering, for example, processing of data relating to absence due to sickness which may be required to ensure the payment of statutory sick pay
  • in the employer’s legitimate interests which outweigh the general privacy rights of employees and has greater prominence under the GDPR than previously

As a result of the far-reaching consequences of collecting, storing, managing and using any personal data, it is only to be expected that companies will increasingly seek ways in which to ensure that they remain on the right side of the law.

ePrivacy[2]

Domain: European Union, Effective: Late 2019

With the implementation of ePrivacy, GPDR defined privacy rules will also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger, and Skype. This will ensure that the popular services guarantee the same level of confidentiality of communications as traditional telecoms operators. These rules include:

  • Stronger rules – All people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata – Privacy is guaranteed for communications like the time and the location of a call. Metadata has a high privacy component and must be anonymised or deleted if users did not give their consent unless the data is needed for billing.
  • New business opportunities – Once consent is given for communications data (content and/or metadata) to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals, which could help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies – The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly, as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience (like to remember shopping cart history) or cookies used by a website to count the number of visitors.
  • Protection against spam – The proposal bans unsolicited electronic communications by emails, SMS, and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
  • More effective enforcement – The enforcement of the confidentiality rules in the regulation will be the responsibility of data protection authorities, already in charge of the rules under the GDPR.

Payment Services Directive 2 (PSD2)

Domain: European Union, Effective: January 12, 2018

Often referred to as Open Banking, the objective of PSD2 is to open up the financial sector, primarily the banks, to third party providers (TPPs) to boost competition and innovation. With clear user consent, TPPs are allowed to access certain services that used to be the exclusive right of banks, based on Open APIs provided by the banks.

Children’s Online Privacy Protection Rule (COPPA)

Domain: United States, Effective: April 21, 2000

COPPA protects the privacy of children by imposing requirements on operators of websites or online services directed at children under 13 who are required to:

  • Post an online privacy notice describing how they collect personal information online from children
  • Provide direct notice to parents and obtain verifiable parental consent
  • Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting them from disclosing that information to third parties
  • Provide parents access to their child’s personal information to review and/or have it deleted
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information
  • Maintain the confidentiality, security, and integrity of that information, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security and
  • Retain a child’s personal information only as long as is necessary to fulfil the purpose for which it was collected and delete it thereafter

California Consumer Privacy Act (CCPA)

Domain: California, Effective: Jan. 1, 2020

(Approved June 28, 2018)

Under the CCPA, data subjects have similar rights to access and deletion of their personal data as they do under the GDPR. Additionally, individuals under the CCPA have the right to require a business that sells personal data to a third party not sell that consumer’s personal information. The current draft of the CCPA is narrower in certain provisions than the GDPR, including matters of consent. However, the CCPA states, “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” Due to the consumer’s rights, companies will still be required to manage and track consent requirements and personal data storage in case of a subject access request.

Canada’s Anti-Spam Legislation (CASL)

Domain: Canada, Effective: Dec. 15, 2010

CASL is the federal law dealing with spam and other electronic threats intended to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. Responsibility for enforcing CASL lies with the Office of the Privacy Commissioner of Canada (OPC), the Canadian Radio-television and Telecommunications Commission (CRTC) and the federal Competition Bureau.

Personal Information Protection & Electronic Documents Act (PIPEDA)

Domain: Canada, Effective: April 13, 2000

PIPEDA governs how private sector organizations collect, use and disclose personal information in the course of commercial business and also contains provisions to facilitate the use of electronic documents. With some exceptions, such as for reasons of national security, international affairs, and emergencies, it incorporates the Canadian Standards Association’s Model Code for the Protection of Personal Information (1995). There are also exceptions to the general rule that an individual shall be given access to his or her personal information when it reveals information about a third party that cannot be disclosed.

Lei Geral de Proteção de Dados (LGPD)

Domain: Brazil, Effective: August 14, 2020

(Ratified: August 14, 2018)

Strongly inspired by the GDPR, the legislation how citizen data can be collected and treated and provides for punishment for transgressions. Under the LGPD the owners of personal data may at any time request:

  • Confirmation of the existence of how their data is handled
  • Access to their data
  • Correction of incomplete, inaccurate or outdated data
  • Anonymization, blocking or deletion of data treated in disagreement with LGPD
  • Portability of data to another service or product provider
  • Deletion of processed personal data
  • Information about the public and private entities with which the controller shared the use of the data
  • Information about the possibility of not giving consent and the consequences of refusal
  • Revocation of consent
  • Natural person review of automated decisions

It’s anticipated that a National Data Protection Authority will monitor compliance with the LGPD

Personal Data Protection Bill

Domain: India, Effective: June 2019

(Submitted: July 27, 2018)

The proposed PDP Bill which is aimed at securing the rights of data subjects replaces the present Indian data privacy and protection regime, largely based on the GDPR. It applies to both government and private entities, extending to data controllers/fiduciaries or data processors outside India, if they carry out processing of personal data relating to businesses, offering of goods and services or data subjects in India.

The PDP Bill focusses largely on compliance and once this law is enacted, in its current form, it may prove to be cumbersome for data fiduciaries. Obligations such as giving notice or obtaining consent may pose practical and logistical issues. Providing consent in multiple languages may prove to be a major practical challenge for social media platforms, e-commerce companies, etc., which have a wide base of users across locations. In addition, the PDP Bill exempts having to obtain consent of the data principal for processing their data for certain employment-related matters.

A data protection authority for India, DPAI, will be established under the draft bill. The DPAI may award fines of up to 2% of a company’s total worldwide turnover or INR 50 million, whichever is higher, for data fiduciaries and up to 4% of total worldwide turnover or INR 150 million, whichever is higher, for significant data fiduciaries.

These examples demonstrate that consent management and data privacy legislation is a global phenomenon that is likely to continue to grow in the coming years. In places like the United States where there is currently no nation-wide standard of regulation, expect to see individual states enact forms of legislation mandating compliance in their domain.

Establishing Trustworthiness

Despite the GDPR now being enshrined in law in the EU, and with the introduction of the CCPA in California which may trigger other states to follow, it is perhaps surprising that many organizations continue to ignore these regulations. It’s been standard practice for years for companies to offer consumers free service and personalized advertising in return for access to personal data and it can reasonably be assumed that consumers are aware of this implicit agreement.

However, with the current regulatory emphasis on the consumer’s right to have accountability, control and transparency, this level of general “meeting of the minds” is no longer acceptable. It is mandating a refined or even new data architecture whereby consumers have more control over the data pertaining to them and are empowered to choose what happens to it.

As businesses gradually wake up to the significance of this shift, the impact on the management of data and customer relations will quickly become apparent. With consumers potentially making consent choices that challenge the status quo, enterprises will be forced to re-think how to earn the trust necessary to maintain a volume of consent – and consequently data – to effectively manage their existing marketing operations and programs.

Benefits and Drivers for Business

The key to companies managing the plethora of new data protection and privacy regulations is to manage their data better, knowing those data they have and creating a relationship of transparency and trust with everyone whose data they have access to. Taking responsibility for the adequate and appropriate collection, management and sharing of personal data is the direction enterprises should be moving towards.

But it isn’t just the regulatory controls; complying with the GDPR consent requirement is an opportunity for brands to build more enduring relationships with customers as much as it is an obligation. By providing transparency to users about who has access to their data, what it’s being used for, and providing direct avenues to change their preferences or make requests, companies have the ability to redefine and add an element of trust to the customer relationship.

Consumer/Customer Experience

As an extension of the above, enterprises can cement customer loyalty by taking the opportunity to streamline and personalize users’ online experience on a retail site. This can extend to the physical world, through a combination of secure, specialized big data analysis, similar to the above, with location-based smartphone triggers, recognizing and welcoming customers when they enter a store either to remember their buying preferences or to steer them towards profile-relevant deals or promotions. The challenge in all three cases is to balance the availability of the opportunity with regulations concerning security, privacy and data protection.

A core objective of the principles underlying the GDPR is to build trust and to afford consumers the confidence to transact online knowing that the data they provide will not be compromised. Achieving that desired level of mutual respect and trust takes time and experience to accomplish and reaches back before the GDPR. Having a good consent mechanism is not the whole story but it will play a significant role moving forward as a continuous process of mutual reassessment that is fair and transparent.

It is well-known that, superficially at least, consumers are far more likely to trust and so give consent to established brands, particularly ones they are familiar with, than others. To some, it may appear counter-intuitive that Facebook and Google consistently achieve higher levels of consent than less well-known vendors — despite the highly publicized and damaging issues associated with their business practices in the recent distant past.

Pre-GDPR loyalty preferences will linger, but they should not linger indefinitely. One approach to making the desired level of customer loyalty/commitment tangible is to demonstrate the ways in which an enterprise enhances its privacy and data security strategies. For example, privacy-enhancing technologies which allow data to be used without identifying the individual can replace persistent identifiers with temporary, single-use tokens, making information, such as age, externally available without having to access the actual data source.

The GDPR has created a significant change to the balance of control between organizations and consumers in the usage of personal information. Consent has become a legally-supported and binding key to unlocking the use of data by publishers, advertisers and data sharers who are now obliged to provide well-designed consent experiences and privacy dashboards. But, for these investments to translate into sustainable competitive advantage, they need to look beyond mechanics and the value exchange, ensuring users get perceived fairness and respect alongside the provision of on/off toggles.

Working with consumers to opt in rather than to opt out becomes the difference between having the raw data to carry out marketing campaigns and direct value-added services – which makes providing user-friendly and worthwhile consent process all the more important. At stake is not just marketing; it’s the foundation of a long-term exercise in demonstrating trustworthiness and maintaining customer loyalty that has far-reaching consequences.

Standards & Best Practices

There is a flurry of activity around consent management and related standards to better choreograph how individuals establish consent and control over their data while allowing organizations to act on this information. We’ll look at some of these early efforts starting with the Kantara initiative.

Kantara: User-Managed Access (UMA)

According to Kantara (an industry consortium and professional trade association focused on trust framework operations related to digital identity management and data privacy), UMA is an

“OAuth-based protocol designed to give an individual a unified control point for authorizing who and what can get access to their digital data, content, and services, no matter where all those things live”.

As a result, vendors have developed tools and solutions based on UMA when building trusted digital relationships (with an early emphasis on healthcare use cases) from the perspective of both addressing externally imposed consent requirements and demonstrating trustworthiness. Simply put, UMA helps to manage consent and provide structure for user control of their data.

Aspects of an UMA2 specification have been submitted to the IETF, notably federated authorization (draft-maler-oauth-umafedauthz) and grants (draft-maler-oauth-umagrant). UMA2 specs have been submitted to the OAuth Working Group for adoption as work items.

Kantara: Consent Management Solutions Working Group

The overall plan within the consent management working group is to develop a document that captures Consent Management common practices, develop an interview protocol and survey to help to gather data from as many organizations as possible. Then, the results of these surveys will be analyzed for common practices and areas where standardization could help. Despite the early enthusiasm, progress has been relatively slow on the primary deliverables of this working group.

During late 2018, digi.me, OpenConsent, Consentua, Ubisecure and Trunomi designed and built functions into their systems to create or consume Kantara Consent Receipts. The concept was intended to demonstrate interoperable Consent Receipts. In the first round, it showed that an individual can ask for a receipt as part of a service interaction; the receipt is given to that person and then viewed in a viewer of the person’s choosing, which fits into how an individual’s data rights should be exercised as set out in the GDPR and other privacy regulations.

The stated intention is that “standardized consent receipts are issued to a data subject whenever they consent to personal data processing and they will help enable a product ecosystem that assists the data subject to exercise their data rights.” This will result in data subjects having their own “privacy dashboard” to manage their data rights and act when they choose. This early work has led to the conclusion that an open ecosystem of privacy dashboards and tools will require standard data formats in order to be viable.

The consent receipt is specified as follows:

A Consent Receipt is a record of authority granted by a Personally Identifiable Information (PII) Principal to a PII Controller for processing of the Principal’s PII. The record of consent is human-readable and can be represented as standard JSON. This specification defines the requirements for the creation of a consent record and the provision of a human-readable receipt. The standard includes requirements for links to existing privacy notices & policies as well as a description of what information has been or will be collected, the purposes for that collection as well as relevant information about how that information will be used or disclosed. This specification is based on current privacy and data protection principles as set out in various data protection laws, regulations and international standards.

IAB (Interactive Advertising Bureau) Europe

One of the challenges with obtaining and managing consent (and data protection in general) is that enterprises enjoy major benefits from collecting data to influence prospective customers. Advertising is much more effective with additional contextual data but collecting that data could fly in the face of the GDPR. Organizations such as the IAB represent the interests of the advertisers. One of IAB Europe’s missions is to help member companies and the digital advertising industry interpret and comply with EU rules on data protection and privacy.

IAB Europe’s GDPR Implementation Group (GIG) is a group of parties from both the supply and demand side of the online advertising ecosystem brought together to work collectively on guidance and solutions to GDPR. This group of leading legal and technical experts from across the online advertising industry is working collectively to share best practices, agree on common interpretations and positioning on key issues, and to socialize with external stakeholders, including European and national regulators.

On April 24, 2018 IAB Europe and a cross-section of the publishing and advertising industry, launched the GDPR Transparency & Consent Framework (Framework) to help publishers, advertisers and technology companies comply with key elements of the GDPR. The Framework gives the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content.

Market Movement

For consumers and enterprises, obtaining granular, attribute-level consent is going to be a challenging process over the coming two-three years, testing the commitment of both to the concept of a transparent, mutually advantageous relationship based on trustworthiness. A lot will also depend on the efficacy and commitment of the various supervisory authorities associated with each jurisdiction.

Looking at the nascent marketplace particularly in Europe, as described above, the investments suggest that there are promising business opportunities and that these opportunities will only grow as new regulations accelerate over the coming two-three years. Specific factors driving this growth and approaches to addressing this nascent space include:

  • Regulatory convergence: already we can see that the proposed legislations in Brazil, California and India are largely based on the EU’s GDPR but with regional variations, suggesting that from a company compliance point of view, the objective should be to seek GDPR compliance and assess how far the local differences impact on a particular set of data.
  • Circles of Trust: one of the advantages for both consumer and corporate of establishing a set of consent agreements is the opportunity to create circles of trust, which essentially allows the consumer’s data to be federated amongst a set of trusted third parties, reducing considerably the volume of consent agreements required. This has benefits for the consumer who is able to cherry pick data from several different sources to share with other organizations and for companies able to share and exchange data more freely with business partners. Vendors able to provide such solutions will easily differentiate themselves from the rest of the pack.
  • Self-Sovereignty: A more radical and long-term vision of how to ensure that organizations only keep and use data for which they’ve had the prior agreement of the person it relates to is to effectively turn the situation on its head. Rather than providing data freely and on terms associated with an immediate transaction at the behest of the provider of a service, it becomes a lot easier to manage if a consumer were only to share their data at the outset based on their terms and conditions. With the advent of self-sovereign identity schemes as well as employees able to bring their own identity (BYOI) to work, this could bypass the need for retroactive consent agreements altogether. TechVision has written several reports that touch on this topic also known as decentralized identity.

Marketplace Realities

Although the requirement for managing user consent agreements is not new, the recently-enacted and pending legislation has accelerated this identifiable market for products, solutions and services that address the expected demand for explicitly managed and auditable consent.

As with any emerging market, today’s marketplace comprises a mix of start-ups focused on the user-enterprise dynamic together with traditional Customer IAM (CIAM) and Enterprise IAM (EIAM) vendors for whom consent management is an extension of what they already offer. Needless to say, as with any new market opportunity, it is reasonable to expect mergers and acquisitions to consolidate offerings once the market is grounded in two-three years’ time.

Hence what we see today is a market divided into several groups, each with its own characteristics:

  • Specialists: a small group of new companies entirely focused on user-enterprise consent transactions without reference to any other aspects of CIAM or EIAM. Some but not all have a mobile/cell application in addition to a web portal for user interaction. Not surprisingly the majority of these companies in this category are only two to three years’ old and are based in Europe. Many of these companies will disappear over the next few years, but others will prosper, and some will enter into either a merger or an acquisition. We have seen the first signs of this phenomenon with the acquisition of Evidon by Crownpeak.
  • Marketing Consent: there is a growing list of vendors whose products are aimed at publishers of advertisement and/or marketing campaigns and are often based or derived from the IAB framework
  • Cookie Consent: a number of vendors specialize in ensuring that cookie consent notices are compliant, such as Cookiebot from Denmark
  • Healthcare: a well-established requirement for consent management exists in healthcare and several vendors provide specialist support for ensuring that hospitals and healthcare practitioners are fully compliant in managing patient consent. Examples are Denver-based 3PHealth and Chino.io from Italy that supports GDPR and HIPAA
  • Established CIAM/EIAM Vendors: several of the vendors in this group with the most mature CIAM solutions extended their consent functionality during the two-three-year anticipation of the new data protection legislations, notably the GDPR. Since the publication of TechVision Research’s ‘Getting to Know Your Customers – The Emergence of CIAM’ in 2017, two of the leading companies in this category have been acquired: Gigya by SAP (2017) and Janrain by Akamai (2019). The other leading companies in this sector are ForgeRock, iWelcome, OneTrust, Radiant Logic and Salesforce.
  • Large Platform Vendors: several larger vendors such as Microsoft, IBM, Oracle and Google have IAM/CIAM solutions and, by extension, are considering addressing specific consent management functionality.

The following table lists 6 early-stage vendors to watch out for in the consent management area:

Company Name HQ Employees Founded Comment
Consentua UK 4-10 2017 Owned by KnowNow Information, Consentua provides APIs and an app that captures users’ consent to the use of personal data
Crownpeak CO 51-200 2001 A digital experience management solution provider acquired Evidon’s SaaS-based ‘Universal Consent Platform’ in 2017
Dock.io CA 11-50 2017 Ethereum-powered (blockchain-based smart contract) decentralised open source data exchange protocol
Faktor.io NL 10 2017 A consent management platform for users to manage consent and preferences for advertising and marketing.
iGrant.io SE 10 2017 A cloud-based personal data and consent management and mediation platform with a customizable mobile app and an SDK
Trunomi UK 10 2013 Provider of customer consent and data rights management technology including mobile app

Table 2: Six specialist companies to watch out for in 2019!

TechVision Research Vendor Shortlist

Vendor Selection Criteria

The market for specialist consent management solutions is not yet mature and the landscape is still dominated by traditional vendors providing extensions to their EIAM and, increasingly, to their CIAM offerings. It is questionable how effectively the current general purpose IAM solutions address the requirements of the new data protection regulations. We are also evaluating how vendors are addressing user expectations including the overall user experience and how they manage customer profiles and access requests. On the other hand, from an administrative perspective, being able to manage consent agreements in EIAM or CIAM environments based on the same interface is clearly an attractive proposition.

Another approach would be to build an in-house solution or to extend an existing home-grown solution. While this may initially appear to be the most attractive way forward and one that requires the least initial capital outlay, it is TechVision Research’s opinion that it is fraught with risk and would eventually become a logistical and commercial liability. Amongst the potential pitfalls going forward with an in-house solution would be achieving the right levels of access and security, managing data protection and passwords, supporting API standards and keeping up with demands for increases in speed and scale as the system grows.

Below is the TechVision Research recommended checklist based on our consulting engagements, our prioritized requirements and general market observations from both vendors and large end-user organizations. In evaluating specialized consent management vendors, we consider how these solutions fit within the legacy IAM environment. This is where larger EIAM/CIAM providers have an advantage.

TechVision Research Consent Management Vendor Shortlist Criteria

Category Attributes
Commitment & Readiness ·      Vendor commitment in terms of investment and roadmap as well as market share in the consent management space

·      Cloud-based rather than on-premise only

·      Breadth of integration organization (or integration partner) support readiness

·      Client references, if available

Scope ·      Realtime and/or federation or virtualization of data sources within or beyond the firewall through APIs and/or programming constructs

·      Transaction-based

·      Tamper-proof/immutable data

·      Dynamic schema extensibility

·      Distributed database with high availability, load balancing, disaster recovery and backup mechanisms

·      Regional data centers in multiple privacy legislative jurisdictions

Innovation ·      Realtime data exchange

·      Seamless integration with EIAM or CIAM solutions or both

·      Bi-directional integration with CRM and other enterprise applications

·      Availability of a meta-schema

·      Granular attribute-level consent including availability period and purpose

·      Consent revocation

Security and regulatory compliance ·      Social login (federated sign on) as well as (optionally) SMS texts, biometric and userid

·      Risk-based multi-factor authentication and authorization

·      Seamless integration with existing access governance and permissions

·      Support for ‘right to be forgotten’ and other aspects of GDPR compliance

·      Automatic account deletion if identity credentials are compromised

User Experience and Engagement ·      Consumer transparency

·      Mobile application

·      Ease of use

Table 3: Vendor evaluation criteria

Vendor Shortlist

In this section, we’ll list the vendors we believe are a good starting point to consider as you address your requirements in the consent management area. As mentioned above, the list of vendors providing specialized consent management solutions and services today is considerable and growing rapidly, a trend that is likely to continue for the next 12-18 months.

While some of the most compelling solutions are ones that come with a dedicated mobile application, one of the major challenges in entering into a consent agreement with an end user is being able to confidently assert consent and manage the various uses for that individual’s information. Hence the major issue is, as is usually the case with identity-related matters, the quality of the amalgamated data. As such in considering candidates for the vendor shortlist, a preference has been shown to vendors who provide the appropriate solutions and services to prepare a consistent and consolidated picture of a user’s PII for the consent process. In assessing the vendors in this space, inevitably the ones that have been at the forefront of offering tools to ensure regulatory compliance, particularly with respect to the GDPR, are the most compelling.

While this certainly applies to the consumer/customer market in the CIAM space, it should also work for employees and those covered by EIAM solutions. In both scenarios, TechVision Research’s recommendation is for CIAM/EIAM vendors to work closely with the attractive solutions offered by the specialist vendors – and vice versa.

Bearing in mind that this is a specific area of focus within the identity management market, the list below is a starting point as to the vendors we believe have strong offerings specific to the management of the consent lifecycle. Think of this shortlist as representing the vendors TechVision Research would tell our consulting clients today if we were asked who to start with in evaluating vendors with consent management solutions.

TechVision Research Consent Management Vendor Shortlist

Our shortlist vendors include ForgeRock, iWelcome, SAP/Gigya, Akamai/Janrain and Microsoft. The following table nets out how we rated these vendors and we’ll further describe their offerings in the next section.

Vendor Evaluation
ForgeRock ·      Commitment & Readiness 1.0

·      Scope 1.0

·      Innovation 1.0

·      Security and regulatory compliance 1.0

·      User Experience and Engagement 1.0

·      Ease of use 0.5

iWelcome ·      Commitment & Readiness 0.5

·      Scope 1.0

·      Innovation 1.0

·      Security and regulatory compliance 1.0

·      User Experience and Engagement 1.0

·      Ease of use 0.5

SAP/Gigya ·      Commitment & Readiness 0.5

·      Scope 1.0

·      Innovation 1.0

·      Security and regulatory compliance 1.0

·      User Experience and Engagement 1.0

·      Ease of use 0.5

Akamai/Janrain ·      Commitment & Readiness 1.0

·      Scope 1.0

·      Innovation 1.0

·      Security and regulatory compliance 1.0

·      User Experience and Engagement 1.0

·      Ease of use 0.5

Microsoft ·      Commitment & Readiness 1.0

·      Scope 1.0

·      Innovation 1.0

·      Security and regulatory compliance 1.0

·      User Experience and Engagement 1.0

·      Ease of use 0.5

Table 4: Vendor evaluation

In characterizing how and why vendors are on this shortlist, our primary considerations were based on the criteria outlined above, in particular deployment readiness for large organizations as well as user accessibility.

All the chosen vendors have developed and marketed advanced CIAM and EIAM offerings over several years and are acknowledged leaders in that space – Gigya and Janrain were acquired for that very reason and now as a consequence have the backing of much larger companies with considerable reach and resources.  Microsoft, whose Azure cloud service is used by most enterprises, is included because of the depth of its supporting product portfolio and its extensive customer base and support services as well as its innovative Identity Hub strategy, which has the potential to be a game changer. ForgeRock is attractive with its holistic identity relationship management strategy across an enterprise ecosystem; from employees to customers to devices make it a natural choice. In addition, it has a strong commitment to furthering industry-wide consensus on content management based around its leading role in developing UMA. Although iWelcome primarily serves the European market at present, the company has a highly-developed GDPR-observant CIAM solution that includes a consent lifecycle management strategy.

At this point, the TechVision Research shortlist comprises these five vendors. We’ll next provide a brief description of their solutions and our perspective on each vendor’s consent management program.

ForgeRock

The ForgeRock Identity Platform consists of a series of modules built from open source projects and is an identity administration and provisioning solution focused on managing relationships. The company achieves this by building dynamic, context-based relationship management systems that span consumers, partners, customers, employees, and devices, generating millions of relationships. This will eventually become billions of relationships when the identities associated with ‘things’ in the IoT create new relationships and integrate with existing ones.

The following figures describe both ForgeRock’s overall identity architectural approach as well as a view of their UI and how they handle consent via their dashboard as ForgeRock provided in a recent demo to the TechVision Research analyst team.

Figure 1: The ForgeRock Identity Platform

Figure 2: ForgeRock’s Profile & Privacy Management Dashboard

ForgeRock is one of the leaders in driving the development and uptake of UMA and IRM (identity relationship management). They use UMA and IRM to integrate additional consent-driven, privacy-based concepts into their relationship management and their overall IAM offerings. The company emphasizes the synergies between context, control, choice and respect in applying UMA to deliver privacy as well as the importance of moving from XAML and LDAP to graph databases to get fine-grained context-based dynamic access control.

As such, ForgeRock provides a holistic IAM solution for all types of objects/identities across an enterprise via a unified platform. Their approach to privacy and consent ticks the appropriate boxes regarding compliance with GDPR and other data protection regulations.  In order to address articles 5, 7, 12 and 23 of the GDPR, the platform provides a unified self-service interface across many applications, and user-directed consent management with the following goals:

  • Managing personal data transparency and modification
  • Monitoring and managing consent settings, including social sign-in and marketing automation API connections
  • UMA sharing transparency and control
  • Right to erasure control
  • Right to data portability control

The ForgeRock Profile & Privacy Management Dashboard offers customers the ability to manage their account settings including personal info, sign-in and security, preferences, trusted devices, authorized apps, privacy and consent, sharing, activity and account controls (see Figure 8). Although it provides access to a wide-range of enterprise resources, ForgeRock does not currently provide attribute-level consent or allow a user to specify how long consent has been granted.

SAP/Gigya

Since the acquisition by SAP in 2017, Gigya’s offering is now called the SAP Customer Data Cloud and has developed a sophisticated and granular set of consent management services.

SAP Customer Consent manages user privacy, preferences and consent with the intent to make it relatively transparent to the user, while helping to achieve regulatory compliance. It provides a secure profile, preference selection and consent management with a focus on the entire customer lifecycle.

They have a Consent Management dashboard that allows administrators to create and manage versions of different categories of user consent as follows:

  • Terms of service
  • Privacy policy
  • Other consent statements

For the first two categories, it is mandatory for users agree to these terms in order to enjoy an organization’s site or services, whereas other types of consent statements can be configured depending on whether or not they are mandatory. Consent statements can be displayed in a local language and may include the purpose for which personal data is being collected and a link to the document to which they are agreeing. User consent is captured and saved in a consent vault, including consent for mandatory terms, non-mandatory terms, and communication preferences. The following figure shows the overall consent management process according to SAP.

Figure 3: SAP/Gigya’s Customer Consent Process

The benefits of SAP’s Consent Management solution are as follows:

  • Support for and compliance with data privacy laws – requires consent to terms of service and privacy policies as a prerequisite for using desired services
  • Additional optional consent statements provide flexibility
  • Communication preference flexibility – allows users to subscribe to various communication channels, with the option of requiring double opt-in as proof of a user’s intention to subscribe
  • Displays clearly to users the specific data that was saved to their account, and provides the option to withdraw consent and manage communication preferences
  • Consent Vault contains an audit of a customer’s agreement to an organization’s site policies and the version to which they consented
  • Unified user database enables presenting a holistic view of a customer, including data gathered from various platforms
  • Consent-based user data to third-party platforms can be synchronized using IdentitySync (Gigya’s ETL solution) or GConnectors (a CMS and e-Commerce integration tool)
  • Out-of-the-box lite registration screens for transparent interaction with guest users

Identities of fully registered users are stored in an accounts database, while identities of “lite” registrations, and subscription information, are stored in an email accounts database.  The Consent Vault contains a log of interactions between an organization’s sites and site users regarding their consent to the processing of their personal data.

As a consequence, the Consent Vault can be used to view and search the history of all consent objects across a site by searching for a specific period of time, filtering by actions (such as consent granted, withdrawn, renewed) or by viewing the timestamp and version of a signed consent.

The Preference Center is a unified user database which presents a holistic view of a customer, including data gathered from various platforms. Dedicated Gigya widgets display to users the policies to which they consented, and the time they did so, as well as their communication preference. It contains capabilities for displaying data conditionally so as to prevent confusion and maintain accuracy.

The Privacy screen should reflect to users the terms of service and privacy policy to which they consented when registering to an organization’s site displayed via consent widgets.

Figure 4: A snapshot of the Privacy Screen

iWelcome

iWelcome is unusual in that, having started as an IDaaS CIAM provider, it later extended the functionality to deal with the requirements of EIAM. Hence, customers are able to benefit from a single platform that supports a range of internal and external IAM requirements.

iWelcome committed to incorporating GDPR-compliance features early on. It has since incorporated consent management functionality and developed a set of solutions based around both the GDPR, the ePrivacy regulation and notably PSD2 for the financial community.  iWelcome, as a European-centric vendor has had a privacy-centric approach as part of their DNA.

iWelcome has developed the concept of what they characterize as Consent Lifecycle Management (CLM), a proposition that can be delivered as a separate module on top of an existing CIAM solution – they refer to this as CLM-as-a-Service which is API-based with the intent to minimize the integration burden.

Figure 5: iWelcome’s CLM solution

A harder to achieve GDPR requirement is allowing consumers full control over the data they share with an organization, not only at registration but during the entire lifecycle of the consumer-organization relationship: the iWelcome solution provides consumers with the capability of viewing, editing, downloading and deleting their own data. iWelcome offers organizations a white label self-service portal option or allows them to make use of the organization’s own portal using the iWelcome RESTful APIs.

iWelcome also has a delegated User Management module that allows organizations to delegate the creation and management (update, disable and delete) of accounts with a single user interface for employees to access their data. They also offer a service desk application.

iWelcome is collaborating with ForgeRock (reviewed earlier) to add consent management to existing ForgeRock deployments with their cloud-based Consent Ledger, enabling the migration of those deployments to the cloud.

Figure 6: ForgeRock and iWelcome CIAM and CLM collaboration

Akamai/Janrain

At the time of its acquisition by Akamai in January 2019, Janrain’s Customer Identity Management Platform based on the cloud-native Janrain Identity Cloud was a leading CIAM solution and this remains the case today.

Figure 7: Akamai Identity Cloud

In August 2018, Janrain conducted a “Consumer Attitudes Toward Data Privacy and Security Survey” canvasing the opinions of 1,000 US consumers, the results of which showed a growing trend towards wanting to take greater control of their data. With the Janrain, now Akamai, Identity Cloud, users are able to edit, export, or delete the information held about them consistent with GDPR, CCPA, HIPAA and other regulations, including being able to re-consent in a situation where a privacy policy changes. Parents also have the capability of being allowed to govern the access rights of their children. Akamai identified the impact of their identity management platform, including consent capability, as providing consumer control of their data, increasing the trust in a brand, which will positively impact revenue.

The following figure provides an overall template for their architecture, design and process flows:

Figure 8: Janrain now Akamai Identity Cloud Solution

Akamai refers to its Consent Lifecycle Management as its Profile/Preference/Consent Center as-a -Service, and it is the newest member of the Akamai Identity Cloud. It was specifically designed to provide businesses with a solution to obtain informed consent from customers in support of the GDPR or other international regulations. It provides a customizable, fine-grained consent form that can be invoked progressively and per purpose. It also allows users to understand the data and use case for the data they are providing explicit consent towards, as well as a record of where they have opted out.

These forms can be set to appear whenever the context requires it. For example, if a customer has signed up to download a white paper and has provided their email address only but is later signing up for a text message reminder service, a new form would be displayed to obtain the phone number. This progressive consent collection can be carried out on websites to mobile applications to IoT devices. The forms can also be used to ask existing customers in a non-disruptive way to reconfirm their consent, which allows organizations to update customer data that was collected prior to the GDPR and move this data into compliance.

Users are able to return at any time to review, validate, revoke, or make other changes to their consent agreements with an option to download the new transaction as a PDF document.

Akamai’s Consent Lifecycle Management supports passing data between systems via an API that helps to synchronize an organization’s marketing and other internal systems with a user’s current consent preferences.

Figure 9: Akamai’s 2020 vision for identity

In terms of Akamai’s GDPR consent management compliance:

  • The Akamai platform enables personal data to be shared on a granular basis with notice to, and the affirmative (checkbox) consent of, the customers via permission screens. Email opt-out/opt-in options are configurable as part of Identity Cloud registration flows. Akamai maintains an audit trail evidencing consent and detailing changes to customer personal data records. In addition, the company provides the ability for organizations to receive real-time notifications of customer personal data record changes and deletions.
  • Akamai provides a consent withdrawal mechanism as part of its registration and consent flows.
  • Akamai has age-gating functionality to protect against the knowing acceptance of personal data from children under a pre-determined age and to inform the child that parental consent is needed.
  • An organization can obtain a copy of a user’s personal data record via the Identity Cloud Customer Care Portal or an entity API call.
  • An edit profile page allows users to edit some of the information contained in their record which the organization can obtain a copy of via the Identity Cloud Customer Care Portal or an entity API call.
  • Once a user has requested to have their data deleted, organizations can delete the user’s personal data record via the Customer Care Portal, or an entity API call and the backup will subsequently be deleted automatically.

Microsoft

Given the breadth of solutions and services offered by Microsoft and their massive base, it’s not surprising that they have made a substantive investment in consent management. They address consent in three different sets of scenarios/environments.

  • Azure Active Directory B2C
  • Dynamics 365 for Marketing
  • Identity Hub

Azure Active Directory B2C

Microsoft’s Active Directory is the largest repository for enterprise identities in the world and they are moving customers to the cloud-based Azure Active Directory. Applications in Azure Active Directory rely on consent in order to gain access to necessary resources or APIs. Consent is the process of a user granting authorization to an application to access protected resources on their behalf. An admin or user can be asked for consent to allow access to their organization/individual data.

There are three types of consent that an application may need to know about in order to be successful, including permissions definitions as to how users will gain access to an app or API. They are:

  • Static User Consent: This occurs automatically during the OAuth 2.0 authorize flow when the resource that your app wants to interact with is specified. In this scenario, an application must have already specified all the permissions it needs in the application’s configuration in the Azure portal. If the user (or administrator, as appropriate) has not granted consent, then Azure AD will prompt the user to provide consent.
  • Dynamic User Consent: This is a feature of the latest Azure AD application model whereby an application requests a set of permissions that it needs in the OAuth 2.0 authorize flow. If consent has not already been granted, users will be prompted to consent.
  • Admin Consent: This is required when an application needs access to certain high-privilege permissions, ensuring that administrators have some additional controls before authorizing applications or users to access highly privileged data.

The actual user experience of granting consent will differ depending on policies set on the user’s tenant, the user’s scope of authority (or role), and the type of permissions being requested by the client application. This means that application developers and tenant admins have some control over the consent experience. Admins have the flexibility of setting and disabling policies on a tenant or app to control the consent experience in their tenant. Application developers can dictate what types of permissions are being requested and if they want to guide users through the user consent flow or the admin consent flow.

Dynamics 365 for Marketing

The second category for consent we mentioned earlier is marketing data. Dynamics 365 for Marketing allows companies to request, capture, and store consent and facilitates designing marketing activities to respect the consent given by customers, who must have the option to give consent freely, make an informed decision, and be able to review, update, or revoke consent at any time.

Dynamics 365 for Marketing has the following capabilities:

A default collection of hierarchical consent levels is provided out of the box, where higher levels of consent include lower levels

Figure 10. Dynamic 365 Consent Levels

Contact records include a field Consent given, that stores the level of consent each contact has granted your organization

Each customer journey can be configured to only process contacts that have given a minimum-required level of consent

Each lead-scoring model can be configured to only compute scores for leads associated with contacts that have given a minimum-required level of consent

Marketing pages can be created with marketing forms that encourage contacts to grant a level of consent while being unambiguously informed. The consent is stored in each contact’s record

Once this information is in place Dynamics 365 allows the administrator to follow the requirements of the GDPR as they pertain to personal data information and the relationship with the customer.

Identity Hub

The self-sovereign blockchain-based identity solution that Microsoft has been hinting at for several years is finally coming to fruition.  Microsoft calls this program Decentralized Identity.  Microsoft is working with the Decentralized Identity Foundation (DIF) and the W3C’s Credentials Community Group and leveraging these emerging standards and consortium work products in their early offerings.

Identity Hub is the storage device that can be cloud-based or on a local device and Microsoft is working to build connectors that will let users choose which data store to use for an Identity Hub. According to Microsoft:

An Identity Hub can run in the cloud, on edge devices, or any infrastructure that can implement the Identity Hub’s replication protocol. This means that users do not have to rely on a single cloud provider, like Microsoft, to act as a single, centralized custodian for their personal data. Instead, users can maintain a replicated instance of their Identity Hub on devices they physically own. They can also set up multiple cloud Hub providers, to reduce risk that their data will become unavailable.

Decentralized Identifiers (DIDs) are user-generated, self-owned, globally unique identifiers rooted in decentralized systems. They possess unique characteristics, like greater assurance of immutability, censorship resistance, and tamper evasiveness. These are critical attributes for any ID system that is intended to provide self-ownership and user control.

Microsoft believes DID implementations should use decentralized systems strictly to anchor identifiers and non-PII DPKI metadata (as listed above) to enable routing and authentication for the DID owner, without risk of censorship. A user’s actual identity data resides encrypted “off-chain,” under the user’s sole control and Microsoft will offer a Wallet-like app that can act as a user agent for managing DIDs and associated data. The blockchain acts as a publishing service for discovery of identifiers not actual PII. User consent is required to access attestations/claims—with granular access controls.

What Microsoft are building, alongside 80 co-members of DIF, is a system whereby users will be able to control the use of their own data which has the potential to disrupt the current paradigm for consent management. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, individuals would have a secure, encrypted digital hub where they can store their identity data and easily control access to it.

Corporate Readiness & Next Steps

It would be surprising if organizations were not excited about the possibilities of developing a sustained relationship with their customers, retaining their loyalty as well as achieving regulatory compliance. Their challenge is matching that ambition with the reality of their existing infrastructure and what is available from their preferred vendors. Whatever the limitations of such solutions, a vendor-bought solution is infinitely preferable to relying on a home-grown solution.

The other factors which play into making the decision to move ahead are scope and priority. Firstly, it’s important to establish which domain jurisdictions apply to all the data the enterprise holds. If in doubt the TechVision Research recommendation is to default to the GDPR for compliance. Then it makes sense to ‘go with what you’ve got’ in terms of EIAM and CIAM solutions and engage proactively with the vendor(s) in question. And finally, this is a nascent market, and although the rules in the lawbooks may be immutable, vendors will benefit from your feedback as to what is and what isn’t working.

Much depends on whether enhancing customer engagement is considered a higher priority than improving regulatory compliance. Only by engaging in regular dialogue with representative consumers will that become clear. We’ll now look at specific steps organizations can take in building a viable and complaint consent management program.

Next Steps

There are eight steps that can be taken now to align your business with what, we believe, should be the future state of your customer consent management program. Note that these steps and timeframes will vary based on the size and complexity of your organization, legacy systems and the overall state of your identity management and data infrastructure.

Step Action Responsible Elapsed Time (in months)
      Compliant EIAM/CIAM Other
1 Business Case Strategy Data Protection Officer (DPO) 0.5 1 2
2 Consultation LOBs/CIO/CISO/DPO 0.5 1 2
3 System Review LOBs/DPO 0.25 0.5 2
4 Design LOBs/CIO 0.5 1 2
5 Technology Choices LOBs/CIO 0.5 0.5 2
6 Education LOBs/DPO/Customers 1 2 3
7 Rollout CIO 2 3 4
8 Awareness LOBs/DPO 3 6 7

Table 5: Eight step process to managing consent

The complexity of the process and the length of time involved in reaching rollout will depend to a large extent on how already prepared your organization is in terms of:

  • Data management: organizations that already have mature EIAM/CIAM systems in place should have a much clearer idea where customer- or employee-related data can be accessed and presented during the consent transaction;
  • Compliance: an organization that is compliant with the appropriate data protection regulation will inevitably have gone through a lot if not most of the steps required to reach the ideal consent management status

In approaching the process of building a consensual relationship with your customers with respect to the personal data that either they have provided or you have collected, it is assumed here that the business will want to ensure compliance with the GDPR or one of its ‘derivatives’ as outlined above. As described at the beginning of this document, “the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.” Consent is required for processing and communication and the regulation explicitly stipulates that it should be in clear language and easily withdrawn.

Step 1: Business Case

The DPO should be fully aware of the case to be made for engaging the organization and its customers in a consent management initiative, not least as it is mandated by the appropriate regulation. Nonetheless, it is now incumbent on the DPO to make a business case to the organization’s internal stakeholders as to why it is not only legally mandated but that the costs involved will demonstrate not only a return but also benefits, such as improved customer loyalty and competitive advantage.

Step 2: Consultation

Once in place, the DPO has to take the business case and sell it to the rest of the organization’s executives as well as the LOBs impacted, which will be primarily, but not exclusively, sales and marketing.

The next stage is to take your findings to a wider internal group of stakeholders who include:

  • The CIO to get an understanding of the potential infrastructure implications of the CIAM strategy on increased network usage and requirements for hardware and software
  • The CISO to assess potential areas of security concerns from data breaches and

cyber-attacks.

  • The DPO to ensure that what is planned is aligned with privacy legislation, either national or international
  • Representative stakeholders should also be consulted about what is being proposed, its features and associated benefits. A collaborative approach, leveraging external perspectives and experience, has the potential for mutually beneficial outcomes rather than making partners or consumers aware after the fact that data about them is being collected, analysed and used.

It should be assumed that the various policies that have been put in place should be reviewed at least every three months.

Step 3: System Review

Upon reaching stakeholder agreement, the next step is to identify the PII that your organization is responsible for collecting and managing. If you already have a mature EIAM and/or CIAM solutions in place or if you have already undergone a through data compliance review, this task will be considerably easier than if you are at an early stage of identity management.

Next, it will be necessary to review the programs, products, services and associated processes, to assess where and when consent is required or relied upon which in turn will determine how your organization will handle the consent mechanism. There may already be environments where consent is already tracked and recorded

Step 4: Design

Having identified the processes that are reliant on consent, the next step is to determine which mechanism you are going to employ in order to track consent and be capable of showing that consent has been given for processing a user’s personal data.  However this is achieved (and a lot will be dependent on which systems are already in place), consent requests should be kept separate from terms of service and easy to understand both by any supervisory body and most importantly by users.

The nature of the records to be kept in order to maintain compliance are:

  • The user’s name or identifier
  • Timestamp and method of consent.
  • Corresponding privacy policy and consent requests copies, as per the time consent was acquired.
  • Documentary evidence of how consent was acquired.

In addition, you should be prepared to respond to user requests for the:

  • Controller’s identity
  • Purpose of processing operations
  • Identity of third parties who data has been shared with
  • Types of data to be collected
  • Right to withdraw consent

A key decision will be how the organization wishes its users – customers, partners, employees – to interface with its chosen consent management system. This could be either through a web portal or a bespoke mobile app.

Step 5: Technology Choices

With any large corporation, there will be many different systems and processes that could be liable or subject to data sharing consent requests. As mentioned above, a lot will depend on the particular consent strategy of the vendors whose systems are already in place and how closely they align with the chosen design – and what if anything needs to be added. The bottom line is that for consent compliance to be effective – from both regulatory and user perspectives –all processes have to be kept in alignment. Synchronized consent across systems enables each one to access data most effectively, especially if there is a need to modify or revoke the consent agreement.

Step 6: Education

Just as the new system is being rolled out, it is important to update the internal stakeholders of the progress of the project, especially the customer support team, aligned with what was discussed in Step 2. Particularly for the sales and marketing teams, it is crucial that the details of what is going to be offered to customers are made as clear as possible so that news of the initiative is communicated positively and effectively. As part of the same exercise, the LOB is responsible for ensuring that the key messages get across to customers and any other external stakeholders during the course of the rollout.

Step 7: Rollout

Once everyone is on board with the logistical developments and the decision to proceed with the approach to managing consent is made, the actual rollout will take between two to four months. Depending on the nature of the approach adopted as well as the infrastructure already in place, this estimate is contingent on the scope of the project as well as on the level and tenor of feedback obtained from external stakeholders. In the case of very large deployments, fully on-boarding all consumers could well take longer.

Step 8: Awareness

Once the new system is in place and the button to go ‘live’ has been pushed, it is vital to the long- term success of the initiative to keep your customers engaged – without overwhelming them – over an extended period after the system is up and running.

Timeline

TechVision’s Principal Consulting Analyst team has worked with hundreds of Global 2000 organizations helping to develop their strategies, architecture, vendor selection, deployment planning and lifecycle management. The following timeline and our recommendations draw on this perspective. From start to finish, it is realistic to estimate an elapsed period of at least three months to begin a production roll out and a minimum of five months to accomplish all the steps prior to the longer-term awareness activity.

Figure 11: Eight step timeline

Conclusion

It is becoming increasingly clear from the numerous market surveys carried out that individuals (consumers and citizens) expect to have more control or at least a greater say in how information about them is collected, stored, managed and shared with third parties. The reasons for this trend are many but undoubtedly the volume of high-profile cases of data loss and data manipulation, highlighted by the revelations concerning Cambridge Analytica are significant in raising awareness. The other major factor is the impact of the GDPR which enshrines in legislation many of the rights pertaining to data protection and privacy that professionals have long been calling for and are now being recognized by businesses and the people they interact with – employees, partners and customers.

Consent management is not new, and some businesses were seeking consent agreements for certain transactions, prior to the arrival of the new sets of regulations. However, since the potential impact of the GDPR became apparent, the pivotal role that the consent process plays in not only achieving regulatory compliance but in strengthening customer loyalty and securing customer data for both internal and external marketing purposes is becoming abundantly clear.

Having said that, the marketplace for consent management solutions is still at an early stage. Until relatively recently consent management would not have merited being described as a market. But with the opportunistic growth of specialist start-up vendors, particularly in Europe, providing tailored solutions and services based on variations on consent processes, it’s apparent that the business case for consent management is going to rapidly evolve over the coming two-three years. The concepts around consent will also evolve as new use cases come into play – as businesses and their customers learn how to best interact with each other – and the idea of a consent management lifecycle takes hold. Applications associated with having consent agreements, such as federated data sharing in circles of trust, are also like to emerge as are radical new approaches to identity governance, such as self-sovereign identity.

Irrespective of the immediate relevance of the GDPR or any of the other new data protection regulations are to your business, far-sighted enterprises will benefit from recognizing the direct correlation between creating a more equitable relationship with customers with respect to the handling of data pertaining to them. With careful planning and appropriate levels of support from both internal and external stakeholders, you’ll be very pleasantly surprised at the outcomes you’ll reap from the results of a consent management programme. TechVision Research is well-positioned to assistance our clients in supporting your consent management initiatives at technical, business and organizational levels, and we would be delighted to hear from you.

Glossary

AD Active Directory
API Application Programming Interface
BYOI Bring Your Own Identity
CCPA California Consumer Privacy Act
CIAM Customer Identity and Access Management
CIO Chief Information Officer
CISO Chief Information Security Officer
CLM Consent Lifecycle Management
CMS Content Management System
CRM Customer Relationship Management
DID Decentralized Identifiers
DIF Decentralized Identity Foundation
DPKI Decentralized Public Key Infrastructure
DPO Data Protection Officer
EIAM Enterprise Identity and Access Management
ETL Extract, Transform, Load
EU European Union
GDPR General Data Protection Regulation
HIPAA Health Insurance Portability and Accountability Act
IAB Interactive Advertising Bureau
IDaaS Identity as a Service
IEE Identity Execution Engine
IETF Internet Engineering Task Force
IRM Identity Relationship Management
PII Personally Identifiable Information
PIPEDA Personal Information Protection and Electronic Documents Act
PSD2 Payment Services Directive 2
REST Representational State Transfer
SaaS Software as a Service
TPP Third Party Provider
TTP Trust Third Party
UMA User-Managed Access
W3C World Wide Web Consortium

About TechVision

World-class research requires world-class consulting analysts, and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

For a current perspective on the depth and breadth of our research portfolio, please visit our most current research offers.

About the Author

David has over 25 years of experience in senior identity management positions in Europe and the US. He led two prominent pioneering EU-funded projects and currently plays a leading role in the EU’s CyberSec4Europe pilot project. Having worked for IBM, firstly with Lotus and later Tivoli, he went on to lead several start-ups in the identity space and spent eight years in senior product management roles for telecom providers Apertio, Nokia Siemens Networks and Ericsson. He has worked as a technology analyst and consulted with some of the largest companies in Europe and the US. He has broad insights across the European privacy/regulatory environment, European clients and vendors. David is currently based in Scotland.

For more research on Privacy and Consent and other works by David, please visit our research services page.

[1] The acronym used throughout this report for traditional IAM is EIAM, which can be understood as enterprise or employee IAM. The same concept may also be found referred to as ‘workforce IAM’. Likewise, CIAM can represent either customer or consumer IAM. To add to the potential confusion, the Identity Management Institute uses CIAM to refer to a Certified Identity and Access Manager – http://www.identitymanagementinstitute.org/ciam/

[2] Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

We can help

If you want to find out more detail, we're happy to help. Just give us your business email so that we can start a conversation.

Thanks, we'll be in touch!

Stay in the know!

Keep informed of new speakers, topics, and activities as they are added. By registering now you are not making a firm commitment to attend.

Congrats! We'll be sending you updates on the progress of the conference.