Consent management is changing - here's why

Our personal data has never been more in demand than it is today. From social media to online applications, we’re constantly asked to share our data, while for years third-party ‘cookies’ have tracked our movements around the internet and have been used by brands to target us with marketing information.

However, the rules around acquiring personal data are changing, and it’s critical for businesses to educate themselves on the latest consent management changes and what they need to do to stay compliant in 2024 and beyond.

So what are the latest consent management changes, how might they affect your organisation, and how can Digital Asset Management help you stay on top of it?

What are internet ‘cookies’?

Cookies are used to identify you on the web. There are various use cases for cookies, including remembering usernames and passwords, products added to an online shopping basket, previous search queries and much more.

This data is stored in text files that are saved to your browser and contain a unique ID that is used to identify you. When your computer connects with a website or application this cookie is exchanged with the network server, which then reads the ID to decide which information to serve you with.

Types of internet cookie include:

  • Session cookies, also known as temporary cookies, which help website servers recognise users for the duration of that ‘session’ (time spent on the website between loading it and closing the browser). Once the session ends, these cookies are deleted.
  • Permanent cookies, for example those used to remember login information. These cookies are retained beyond the end of a web session.
  • First-party cookies, installed directly by the website domain and used to collect analytics data and perform other functions aimed at improving the user experience.
  • Third-party cookies, which are installed by third parties and collect information including behavioural, demographic and spending data. They are typically used by advertisers to serve previous website visitors with online ads.
  • Flash cookies, which, unlike session and permanent cookies, are independent of the web browser and are stored on a user’s computer. These cookies also remain even after they’ve been deleted from the browser.
  • Zombie cookies, a type of flash cookie that is automatically recreated even after a user has deleted it from their computer. Because zombie cookies are hard to detect and manage, they are often used to install malicious software onto a device.
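
To make the first four categories concrete, the sketch below (an added example, not code from this article or from ResourceSpace) classifies `Set-Cookie` headers as session or permanent and first-party or third-party, which is a useful first pass when auditing which cookies a site sets before consent is given. The hostnames and cookie values are constructed sample data, and the `siteOf` helper is a simplification: real browsers compare sites using the Public Suffix List.

```javascript
// Added example: classify cookies by the categories listed above.
// Hostnames and cookie values below are constructed sample data.

// Parse one Set-Cookie header value into name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Simplified "same site" check: compares the last two DNS labels.
// Assumption: real browsers use the Public Suffix List (e.g. for .co.uk).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// responseHost: host that sent the Set-Cookie header.
// pageHost: host shown in the address bar when the response arrived.
function classifyCookie(header, responseHost, pageHost) {
  const c = parseSetCookie(header);
  // No Max-Age or Expires means the cookie ends with the browser session.
  const persistent = 'max-age' in c.attrs || 'expires' in c.attrs;
  const cookieHost = String(c.attrs.domain || responseHost).replace(/^\./, '');
  return {
    name: c.name,
    lifetime: persistent ? 'permanent' : 'session',
    party: siteOf(cookieHost) === siteOf(pageHost) ? 'first-party' : 'third-party',
    // Modern browsers only send a cookie cross-site when it is marked
    // SameSite=None together with Secure.
    sentCrossSite: String(c.attrs.samesite).toLowerCase() === 'none' && c.attrs.secure === true,
  };
}

const samples = [
  ['basket=abc123; Path=/; HttpOnly', 'shop.example.com', 'shop.example.com'],
  ['login=tok; Max-Age=2592000; Secure; SameSite=Lax', 'shop.example.com', 'www.example.com'],
  ['uid=9f2; Domain=.adnetwork.test; Max-Age=31536000; Secure; SameSite=None', 'px.adnetwork.test', 'shop.example.com'],
];
const results = samples.map((s) => classifyCookie(...s));
console.log(results);
```
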

What are the consent management changes?

The big change you need to be aware of is that support for third-party cookies is ending for all major web browsers. This means that, if your organisation uses third-party cookies for ad retargeting, you’re not going to be able to reach your target audience in the way you used to. 

Note that support for third-party cookies is being phased out gradually. Google enabled restrictions in its Chrome browser for 1% of global users as of 4th January 2024 as an initial evaluation phase, but this rollout is expected to continue for the remaining Chrome users between July and December 2024.

These changes don’t amount to a change in the law. For a number of years, the EU’s GDPR (and UK GDPR) has required organisations to inform users of their cookie policy and how they intend to use cookies, as well as provide users with the option to reject them. The phasing out of third-party cookies by web browsers is a response to users’ privacy concerns, and it also makes it easier to comply with various consent and privacy legislation.

What does this mean for your consent management processes?

The best way for organisations to prepare for a world without third-party cookies is to re-evaluate their first-party data strategy. First-party data refers to information collected directly from an organisation’s customers and users on channels they own, for example website or social media profiles. This data can be acquired through online interactions, website visits, transactions and other direct engagement.

In order for your organisation to continue reaching your target market with advertising messaging, you’ll have to make sure your first-party data policies are robust, but you still need to be clear and transparent with your users about how their first-party data will be used to ensure you’re compliant with the law.

Best Practices for Managing Consent

To ensure compliance with the law and to avoid upsetting your users, follow these five best practices for managing consent.

Be clear & transparent

Make it clear what you’re asking people to opt into, and don’t hide your intent within Terms and Conditions or Privacy Policies. Avoid being vague about what the user can expect. For example:

“I agree to receive communications from [Organisation Name].”

This statement doesn’t make it clear what the user should expect to receive, or how often.

Provide granular consent options

Don’t combine consents into single opt-ins. For example, a user should be able to opt into a monthly newsletter without also having to opt into communications about events, special offers or other promotional messaging. In this case, the organisation should offer three unique, clear and transparent consent options.

This is important for staying compliant with the law too, as GDPR requires consent to be specific.

Don’t make consent a prerequisite

For consent to be valid, it must be ‘freely given’. This doesn’t just mean that the user has actively ticked a box, but that it was an optional part of the payment process. For example, if someone is buying a product from an ecommerce retailer, the business can’t require that person to sign-up to a marketing newsletter to complete the purchase.

Make it easy to withdraw consent

If a user gives you consent for a specific purpose, this consent is not valid forever. Make sure it’s easy to withdraw consent, whether that’s via a Communications Preferences page or easy-to-find Unsubscribe links in email comms.

Note that GDPR Article 7 requires organisations to also tell users that consent can be withdrawn, and consent is not considered to be valid without this statement.

Continually review consent policies

Consent management isn’t a set-and-forget process. Instead, make sure you’re regularly reviewing your consent policies to ensure you’re staying compliant with new legislation and that your customers’ and users’ needs are being met by the current policies.

The future of consent management

How consent management changes in the future is unclear, but the pressure from users to better protect their data will only increase. To meet this challenge, organisations will have to invest time and money in robust consent policies and processes, as well as software that supports them, whether that’s a Digital Asset Management system, Consent Management platforms, or Cookie Management tools.

In the meantime, it’s essential that organisations across every sector stay on top of consent management news and ever-evolving privacy legislation.

Ready to find out more about how ResourceSpace can help support consent management? Get in touch with the team today and we’ll be happy to answer any of your questions. Alternatively, click the button below to request your free 30-minute DAM platform demo and we’ll highlight the key features helping our clients to stay compliant.