3 questions you need to answer before starting a consent project
Posted: February 17, 2025
A consent project is a large undertaking. It requires effort from a variety of stakeholders, has implications that dip across the whole company, and must address each customer experience and data use in a way that both complies with applicable laws and regulations but also aligns with corporate strategy. This means that, before undertaking a consent project, it will be useful to lay the necessary foundation by answering three important questions. These answers will help guide the organization as it both identifies the right solution and implements that solution towards ultimate success.
- What does the organization wish to accomplish?
- Who are the critical stakeholders?
- What data, jurisdictions, uses are in scope?
What does the organization wish to accomplish with consent data?
Certainly, legal requirements drive consent management activities. However, organizations have a lot of latitude in how they design consent experiences within legal requirements. This means that organizations have the option of defining for themselves things like:
- Does the organization wish to make privacy a differentiator in the marketplace, or is bare-minimum legal compliance the primary objective?
- On a sliding scale of privacy sensitivity, an organization may consider superior privacy experiences to be a competitive advantage, returning a compelling Return on Investment (ROI) for every spent cost. On the other end of the scale, an organization may simply wish to comply with laws. Both can be valid decisions. Explicitly defining where on that sliding scale an organization wishes to fall will help speed up detailed decisions later regarding consent rules and experiences.
- Does the organization value simplicity over flexibility, or the reverse?
- An organization has the option to manage consents in a comparable manner, thus reducing complexity, by applying the highest standards in all situations. For example, if an organization does business in two jurisdictions, one that requires opt in for marketing emails, and another that only requires opt out, that organization may chose to simplify by creating a single, opt-in experience that it applies in both jurisdictions. On the other hand, an organization may choose data flexibility over simplicity by applying requirements specific to each jurisdiction. Again, there are valid reasons to select either, or even hybrid version of these two options. Determining which of these paths will help the organization establish sound requirements and implement appropriate experiences and rules quickly. Regardless of the outcome, a thoughtful internal discussion about the pros and cons of each is usually helpful in advance of a consent project.
- Does the organization plan to conduct activities, like hyper-personalization, which require a very granular level of consent and preference management?
- A consent project should support and advance company objectives and tactics. It will be important to understand in advance any current company goals and future activities that will have an impact on the type and granularity of consents. Examples of organizational activities that will affect the type and granularity of consent needed include digital marketing plans (including hyper-personalization), cross channel personalization, the introduction of new types of interactions or channels with customers (such as social media) and plans for new product research. A deep understanding of current and future plans related to channels, customer outreach needs, marketing and business strategies will help the organization establish the right level of granularity the consent project needs to address, as well as requirements for integration and needed customer interface(s).
Who are the critical stakeholders?
A consent project requires collaboration across a wide range of stakeholders to ensure that it meets company needs and implements smoothly. Bringing in the right stakeholders early in the process will help ensure user acceptance and support as well as effective and efficient implementation and on-going use. Depending on the organization’s structure, some stakeholder groups that may be critical to identify and include are:
- CEO – for company strategy and investment support.
- CIO/CTO – for technical strategy and investment support, as well as implementation planning and activities.
- Chief Data Officer – for data strategy, implementation planning, and as a possible user of the system.
- Security – to establish and implement security standards.
- Privacy – to establish and implement privacy standards.
- Legal – for advice on legal requirements.
- Marketing/Sales – to identify relevant channels, activities, and strategies, as well as to identify requirements for reporting, integrations, and daily use.
- Finance – to assist with budget approval in advance of selection and implementation and determining ROI afterwards.
- Purchasing – to assist with vendor reviews, selection, contracting, and payment.
- Customer Support – as possible users of the system and subject matter experts about friction points related to the customer experience.
Which data, jurisdictions, and uses are in scope?
One of the most complex parts of a consent project is that of defining the complicated matrix of data fields, jurisdictional requirements, and data uses that combine to form consent management rules. Determining which data fields, jurisdictions, and data uses should be in scope of a consent management project will help an organization identify which stakeholders to include in the process, systems to identify for integration, and rules to apply when implementing the solution.
- Data – it may be useful to determine both the in-scope source of data as well as the data fields themselves. For example, the organization may wish to define whether only consents related to data gathered from websites should be in scope, or whether consents related to data gathered through apps, social media, and other sources should also be in scope. The organization may also want to determine in advance whether only customer data is in scope, or whether other data subject relationships, like prospects, recruiting candidates, employees, contractors, and business contacts are also in scope.
- Jurisdictions – an organization may only need to address a single jurisdiction, at least as a first phase, but within a given jurisdiction there may be numerous laws that impact consent across the data and data uses the organization plans. Though a detailed, sometimes tedious process, an organization contemplating a consent project should gather the geographic jurisdictions it considers in scope, along with the laws that it believes apply.
- Uses – an organization should not only identify the uses (including sharing) to which it puts its personal data currently, but a smart move is to also consider the data uses of the future. This information will complete the complex matrix a consent project addresses.
Summary
In summary, a consent project requires detailed information about organization – its goals, data, and data uses. It also requires collaboration across stakeholders and a deep knowledge of the compliance requirements. The time spent to identify stakeholders, company goals, and what data/uses are in scope will help the organization move forward faster, resulting in a successful consent project.
