What is a CMP? How does it affect publisher revenues?
The last few years have been punctuated with an increased focus on how internet-based businesses collect, store, and process user information.
Starting with the enforcement of the General Data Protection Regulation (GDPR) on 25th May, 2018, it became critical for publishers to follow the prescribed data regulations concerning EU residents or risk paying heavy fines. According to the Enforcement Tracker, the EU has already imposed a total of €254 million in fines since the regulation came into effect.
Similar regulations have since popped up elsewhere, including the California Consumer Privacy Act (CCPA), Brazil’s LGPD (Lei Geral de Proteção de Dados Pessoais), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to name a few.
The complexity of consent in ad tech
The fundamental promise that all online privacy regulations make is more user control over how personal information is collected and used; but beyond that, the specific mechanisms can vary a lot between regulations. For instance, GDPR requires opt-in consent from all users, whereas CCPA only requires that businesses give users the option to easily opt out if they want.
There is also a divide between what the regulations explicitly require and what many publishers implement “in the spirit of the law”. For example, GDPR requires businesses to obtain individual consent for every cookie used on a particular website, but since that number can run into hundreds, most instead offer the option to “accept all” or “block all” cookies.
At the end of the day, it is in the interest of most publishers to comply with the prevailing regulations, but the level of complexity involved in building an in-house consent management system and keeping it up-to-date with the latest regulations makes it a huge undertaking.
That’s where third-party consent management platforms (CMP) come in.
What is a CMP?
Consent management platforms are a category of software that allow businesses to define their cookie policies, set geolocation rules, record user consent, and maintain an audit trail, with the aim to comply with specific privacy regulations such as GDPR, CCPA, and others.
IAB Europe defines CMP as,
A company that captures and stores a Publisher’s preferred vendors and purposes and will also retrieve or set the vendor consent status of a user through a third-party cookie available to all CMPs.
Here are the key functions most CMPs provide:
- Cookie scanning: A CMP will scan a website for all first-party and third-party cookies being used and categorize them according to their use case, such as Functional Cookies, Targeting Cookies, Performance Cookies, and Strictly Necessary Cookies.
- Privacy notification: A CMP will notify website users about its policies regarding the collection, storage, and processing of user data (PII and non-PII).
- Providing user choice: Using a popup or slide-in, CMPs allow users to set their privacy settings and cookie preferences when they first land on a website. These settings are then ideally saved in an IAB-compliant cookie.
- Data access requests: Multiple privacy regulations require businesses to respond to user requests for accessing and deleting their personal data. CMPs allow users to create such data access requests and provide workflows for businesses to respond to and resolve them within the stipulated time frame.
- Proof of compliance: Any business can be asked to submit proof of compliance, CMPs keep a record of user consent that can be accessed using log data or reporting, enabling businesses to prove their compliance. Audit trails can include information like:
- Who gave the consent?
- When was consent given?
- What did the user consent to?
- Whether, and when, consent was changed or withdrawn
Legal thresholds for privacy compliance
Privacy regulations do not lay down rules specifically for publishers, it is assumed that if the publisher operates as a registered business, it will need to comply like any other business. Privacy regulations do have different eligibility thresholds, however, as seen below.
GDPR compliance thresholds
To fall within the scope of GDPR, a business must either have a presence in an EU country or be located outside the EU but engaged in processing the personal data of EU residents. In addition, GDPR is binding for organizations with:
- More than 250 employees
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data
CCPA compliance thresholds
To fall within the scope of the CCPA, a business must collect or sell personal information of California residents, in addition, the business must also meet one of the additional three criteria:
- Have $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices” or
- Earn more than half of its annual revenue selling consumers’ personal data.
Do publishers need a CMP?
Most publishers working on the ad-supported model typically process user data in ways that puts them under the purview of privacy regulations. Using GDPR as an example, websites need a consent management platform when they perform any of the following activities:
- Processing personal data, including use of data for things like behavioral advertising, retargeting, analytics, content personalization, and email marketing
- Overseas transfer of data, when companies collect data relating to EU residents and move them to a server or share it with data partners outside the EU
- Automated decision making, such as behavioral profiling, customer segmentation, and marketing automation
In short: Considering both the legal thresholds and specific publisher use cases of data, unless you run a personal blog or a small, unregistered business, you need a consent management platform. This includes most publishers, irrespective of whether they are mid-size or large.
Should you build your own CMP?
While some large companies choose to build their own consent management platform, it is not recommended for most publishers. In order to have a fully-functioning CMP, you will have to allocate dedicated engineering and legal teams to build, maintain, and keep it up-to-date.
In 2017, a French ad tech company Vectaury was sued by Commission Nationale de l’informatique et des libertés (the CNIL), the French data protection authority, due to legal inconsistencies in its in-house CMP implementation, including:
- Language: The terminology used was complex and unclear
- False opt-in: While the tool offered the ability to accept/reject vendors, it was pre-checked during the initial load, and therefore the consent was not affirmative
- Binary choices: The tool failed to offer granular control for consent and instead offered blanket accept/reject options.
This example goes to show that even small deviations in language and functionality can be considered regulatory violations and expose publishers to needless risk.
Given that there are many free and paid third-party consent management platforms available in the market, publishers should build a list of their requirements and screen CMPs based on available features, customizability, ability to white label, peer reviews, and the degree to which a particular solution adheres to legal compliance requirements.
Adoption rate of CMPs
Most publishers have been quick to make consent management a standard part of their data management process, given the risk that not doing so exposes them to.
According to AdZerk’s CMP tracker, adoption of CMPs has grown from 28% to 40% between Q1 2019 and Q4 2020 among the top 10K publishers in the US, with a 5.8% increase from Q3 to Q4 this year.
With many new privacy regulations still in the pipeline across multiple locations and growing options for compliance, CMP adoption is expected to accelerate in the coming years, with CMPs becoming a crucial part of every publisher’s data management strategy.
How do CMPs affect publisher revenue?
This is a big one for publishers. What happens to the users who refuse consent to being tracked or advertised to? Does setting up a CMP hurt revenue performance?
According to an AdExchanger report, Mediavine, a popular publishing network, noted that sites in its network that opted to use a CMP post-GDPR witnessed 52% higher eCPMs and 38% higher fill rates compared to sites that chose not to use a CMP. That might seem counterintuitive, but there are a couple of reasons why this happened:
- Publishers who chose not to use a CMP for EU-traffic had to fall back to serving contextually targeted ads in order to stay compliant, which historically return lower eCPMs compared to behaviorally targeted ads
- Mediavine works with bloggers, many of whom have a relatively small but loyal readership, by wording the consent popups to communicate the business need of serving behavioral ads, they were able to garner an exceptionally high opt-in rate of 98%
Some other ad tech vendors have offered similarly positive results, including analytics and CMP vendor Quantcast revealing that more than 90% of visitors to EU domains grant GDPR consent, and publishing platform Purch witnessing a user consent rate of 70% for EU-based visitors.
Given that publishers who don’t want to use an CMP have no option but to nuke behavioral ad targeting on their website, even assuming a moderate opt-in rate, the overall revenue performance for most publishers should be better when using a CMP than without.
What is an IAB-compliant CMP?
IAB Europe’s Transparency and Consent framework (TCF) is an initiative to help publishers, technology vendors, and agencies to comply with the user choice requirements stated under GDPR. On August 21, 2019, the IAB Tech Lab launched the second iteration of the framework dubbed TCF v 2.0, building on 12 months of stakeholder feedback for improvements.
The TCF consists of the following components:
- A registry of vendors called the Global Vendor List (GLV), which publishers can use to check whether or not the vendors they work with participate in the program
- Technical standards covering capturing, storing, and retrieving user’s choice about each vendor and purpose
- Policies and terms & conditions pertaining to vendors listed in the GLV
- A list of CMP vendors that can work with publishers
Since IAB is the leading trade organization of the ad tech industry, choosing a CMP vendor that is already vetted by the IAB can provide reassurance in terms of knowing that the vendor’s solution has been tested and found compliant with GDPR requirements for use cases that are relevant for publishers, including analytics, content personalization, and behavioral targeting.
Publishers can access the IAB-compliant CMP vendor list here. The list currently contains 60 CMP vendors, so it’s a good starting point for your selection process, but publishers will need to narrow down their options based on vendor reputation and what works best for their needs.
What are the most popular CMPs right now?
Here are some of the most popular consent management platforms in the market right now:
In a future post, we’ll cover these and other popular CMPs in a little more detail along with information like key features, things to consider, and cost, so that you can make the right choice.
Ad blocking and CMPs
Some CMP vendors offer adblock messaging as part of their solution, which might be tempting as an “all-in-one” solution, but there are a few things to consider when choosing such a solution.
To quickly recap, there are two main strategies that most publishers now use to successfully monetize their ad-blocked inventory:
- Ad recovery via Acceptable Ads: Vendors that operate in the Acceptable Ads ecosystem allow publishers to serve light, non-interruptive, and compliant ads to opted-in adblock users without needing to prompt users on every site they visit. This is a relatively user-friendly way to start recovering ad-blocked revenue because it does not force users to change their browsing behavior by turning off their ad blocker.
- Adblock messaging: Relies on making a case for why publishers need users to turn off their ad blockers, adblock messaging prompts can allow users to simply dismiss the prompt, provide the option to whitelist a site, or in the case of a “hard” adblock wall—force users to turn off their ad blocker, purchase an “ad-free” pass, or exit the site.
In our experience, ad recovery via Acceptable Ads and adblock messaging are effective ways to engage ad-blocked audiences, but using a hard adblock wall comes with risks.
When forced to decide, the majority of users choose to exit the website and find the information they are looking for elsewhere. This can increase the website’s bounce rates, in turn hurting search engine rankings and affecting important performance metrics that matter to publishers.
A CMP that is tightly coupled with an adblock messaging module also means that in case the latter underperforms or does not work as expected, you might either have to switch CMPs, or continue paying for a solution that is not being fully utilized.
So when choosing a CMP vendor, it makes sense to select one based on its core functionality of ensuring that your site is compliant with privacy regulations first. That way, you won’t have to experience vendor lock-in when experimenting with different adblock recovery strategies.
The increasing scrutiny on how user data is collected, stored, and processed and the new regulations linked to it come on the heels of decades of large-scale data misuse and breaches. This is an irreversible trend that will only pick up more steam with time.
Privacy is not a zero sum game, publishers don’t have to lose something in order for users to have more control over their data. When GDPR was announced, many publishers were worried what it might mean for their revenue-generation ability, some of those fears have since been assuaged by early adoption reports about high opt-in rates and positive revenue impact.
Many of the leading CMP vendors work on a freemium model, with cookie scanning, categorization, and user preference controls provided at no cost, and additional features available as add-on. Which is to say that while the potential cost of not complying with privacy regulations have never been greater, it doesn’t cost anything to achieve basic compliance.
If you haven’t used a CMP before, our recommendation is to test a few, and choose the one that gives you the controls that you need, while providing your users a frictionless experience.