OneTrust has added consent management and consent preference management in a platform for marketers that came out of Beta early March 2018. How the OneTrust consent management solution can make life easier for marketers and fits in attaining GDPR compliance.

Consent and consent (lifecycle) management are among the toughest parts of the General Data Protection Regulation (GDPR) in practice. Under the GDPR consent is one of the legal bases for lawful processing of personal data.

Establishing and documenting the validity of consent is among the most widely discussed topics for marketers ahead the impending overhaul of EU privacy laws (OneTrust CEO Kabir Barday)

On top of ‘regular’ consent, as one of those legal bases, there is also a requirement for explicit consent in specific circumstances, with a de facto narrow line between both.

Gaining consent (or regaining it as often happens in marketing where quite some companies do ask consumers to re-consent) as such is already hard for many organizations with still quite some confusion and uncertainties as we noticed when participating in a recent data protection officer roundtable (more about that below). Moreover, getting people to consent or reconsent of course is just part of the full consent management or consent lifecycle management picture.

Consent management and preference solutions - inside the OneTrust Universal Consent Management and Preference Management platform for marketers

Consent management remains a challenge

Consent management encompasses various ‘tasks’ and aspects. By way of example: when consent is the legal ground, a data subject can withdraw consent, on top of his/her several other data subject rights such as the right to data portability and right to erasure, to name a few.

Moreover, it’s up to the data controller to demonstrate that consent has been given and is valid (in practice meaning an audit trail of who consented when, how, why and via which message and information regarding the purpose which on top needs to be expressed in a clear and informed, unambiguous way).

And there are several rules to take into account that all have an impact of consent management besides those just mentioned. Consent should be specific and granular (per purpose), distinguishable from other matters, tied to the purpose (so when the processing purpose changes, the consent needs to be asked again) and limited, to name a few.

All this is extremely hard for many organizations with granularity being just one of many challenges to implement consent management mechanisms in practice and consent in the scope of marketing being a major headache, also since we interact with consumers via so many channels for so many purposes nowadays.

Moreover, it’s not just about GDPR compliance. It’s clearer and clearer that with the ePrivacy Regulation consent will be needed in several marketing conditions, especially but not solely via electronic channels.

Consent management tools: the OneTrust consent management and consent preference management solution

There are ample consent management solutions and tools, some specifically built for compliance with privacy and data protection laws, others part of master data management (MDM) solutions (of which some have consent management features), several in the sphere of identity management (with consent management features too), still others as part of broader compliance solutions, the list is long.

With consent management applications being one part of the overall stack of GDPR technologies and consent being a major concern in marketing, there isn’t a one-size-fits-all solution. Is there ever?

Yet there is definitely a growing interest for consent management applications which often fit in an integrated modular offering of personal data protection and privacy management software. Among them are companies such as Evidon (now acquired by Crownpeak) with its Evidon Universal Consent Platform, TrustArc (previously TRUSTe) and OneTrust.

Most of them have of course been around since quite some time, including OneTrust.

The OneTrust Universal Consent and Preference Management consent management workflow in a nutshell - source courtesy and more information OneTrust
The OneTrust Universal Consent and Preference Management consent management workflow in a nutshell – source, courtesy and more information OneTrust

OneTrust also provides other solutions such as a subject access request portal (enabling data subjects to exercise their rights and companies to deal with those requests) to name just one and OneTrust’s Universal Consent and Preference Management application has been available in Beta since some time, featuring in the OneTrust dashboard.

On March 6, 2018 and, as it happens while we were writing an article on consent management tools and applications, OneTrust announced that it has officially launched its Universal Consent and Preference Management solution.

OneTrust’s consent management platform particularly of course focuses on marketing departments. It integrates into existing marketing and IT technologies, enabling marketers to manage the full consent lifecycle, from collection to withdrawal as the press release on the launch of the OneTrust consent management platform states.

Kabir Barday - CEO of OneTrust on LinkedIn
Kabir Barday – CEO of OneTrust on LinkedIn

With OneTrust serving as the central consent database it can be adapted to different consent models, frameworks, sectors and jurisdictions. The platform also takes into account the various means through which consent is acquired, from in-person interactions, paper forms, via phone and mails to web forms, apps and the likes.

Moreover, as the name Universal Consent and Preference Management indicates, the OneTrust consent management platform is also a consent preference hub granting data subjects visibility and control over marketing communication settings.

As a marketer you undoubtedly know what an email preference center is. Think of a consent preference management center as an updated version of that good old concept but instead you allow contacts to set preferences on what types of communications they want to receive via which channels, at what frequency and so forth. And when they fully opt out it’s as if they unsubscribe. And as any decent marketer knows that’s not just a legal right but there is also little sense in blasting mails to people who are disengaged anyway.

Integration of the OneTrust consent management platform and the marketing technology stack

The centralization of consent records helps in demonstrating compliance and the synchronization of consent and preference settings with existing marketing technologies is done via the OneTrust REST API (for mobile apps), JavaScript SDK (for pages with forms), and data feeds. For consent that is acquired offline there’s a bulk import feature.

The marketing platforms with which OneTrust Universal Consent and Preference Management can integrate more or less cover the full marketing technology stack, from Web content management systems (including the more common and simple WCMS applications from Joomla and Drupal to even WordPress) and marketing automation platforms (with, among others Marketo, SilverPop, Eloqua and SalesForce’s Pardot) to customer relationship management, data warehouses and identity management applications.

OneTrust Consent Management out of the Beta stage since March 2018
OneTrust Consent Management now out of the Beta stage

There are two editions of OneTrust Universal Consent & Preference Management. The standard version supports up to 20 collection points and most features, including (obviously) the central consent and preferences databases, enterprise application integrations, reporting and more.

Creating reports regarding changes in consent is of course not just important from the regulatory perspective but also for marketers themselves who can dispose of reports to gauge their efforts and levels of engagement.

In the enterprise version the number of collection points is unlimited, you get a sandbox environment and enterprise SLA, dispose of roles-based access controls, have over 35 supported languages (standard offers English and an additional language) and get 10 OneTrust Certification exams.

Small and medium organizations can also chose for an integrated platform with several tools, including OneTrust Universal Consent & Preference Management.

While the standard version is available via the cloud (with options for cloud hosting in the EU or in the US), additional hosting options are offered in the enterprise version (private cloud and on-premises).

OneTrust Universal Consent & Preference Management is part of the marketing and web compliance tools of the company which further include the mentioned data subject access rights portal, the cookie consent and website scanning and policy and notice management.

Cookie consent and website scanning is free for one site (as previously announced in collaboration with the IAPP). The other modules have separate pricings. All OneTrust tools, including OneTrust’s privacy program management tools, are accessible via the same dashboard.

Consent receipts in the new OneTrust Universal Consent Management and Preference Management - picture source and courtesy OneTrust
Consent receipts in the new OneTrust Universal Consent Management and Preference Management – picture source and courtesy OneTrust

Consent management at a granular level

At the previously mentioned data protection officer roundtable it wasn’t just clear that consent management is still a headache but also that there definitely is an appetite for consent management platforms as OneTrust now also offers one.

It does make life much easier participants agreed, certainly given the difficulty of consent and consent management with all associated duties and tasks.

Just like one of its competitors, the mentioned Evidon GDPR, ePrivacy and PIPEDA platform, OneTrust’s solution also needs to be seen in the scope of consent in both GDPR and ePrivacy (consent lifecyle management from the consent collection points to the withdrawal). We wouldn’t be surprised to see more channels and devices being added here too.

There is no solution for data subjects to exercise their right as with Evidon but that is of course because OneTrust has a fully equiped platform for that.

From a GDPR Articles perspective OneTrust mentions GDPR Article 4(11), Article 6(1)(a), Article 7, Article 8 and Article 9(2)(a) as being relevant for its solution (on top of ePrivacy, now the Directive of course). In other words: consent as defined in Article 4, part of the legal grounds for lawful processing in Article 6, the conditions for consent of Article 7, consent and children in the scope of information society services (Article 8) and explicit consent in the context of special categories of personal data. In one word: consent.

OneTrust’s ability to deliver innovative solutions that address specific needs for marketers demonstrates our commitment to simplifying compliance throughout the entirety of an organization (OneTrust CEO Kabir Barday)

In case of doubt: there are not that many companies that offer consent preference at the type of granular level platforms like that from OneTrust enable. Some go even further but those are the real exceptions (and how many checkboxes can one bear?). The kind of granular consent settings mentioned above (type of communications, channls, frequency,…) and offered by solutions such as the new OneTrust consent management and consent preference management solution are typically mentioned as examples of excellence on websites and at conferences, also at the mentioned DPO round table…

The data protection officer roundtable took place at the occasion of the launch of the DPO conference in Brussels, Belgium, part of a series of European data protection conferences across several cities.

More about the OneTrust consent management and consent preference management platform in the press release.

Top image: Shutterstock – Copyright: garagestock – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.