Companies risk incurring GDPR fines over CMP confusion – report

Confusion over Consent Management Platforms (CMPs) is leaving businesses at risk of fines running to tens of thousands of pounds from the Information Commissioner’s Office for breaching GDPR requirements, according to new research commissioned by data company Fifty-five.

The survey of over 500 marketers, conducted between 28 October and 1 November 2022, revealed that the majority (54 per cent) haven’t set up a Consent Management Platform (CMP), which is critical for managing consent in line with legal requirements. 47 per cent say they do not need one, potentially putting their business at risk if they are not otherwise meeting the complex requirements.

CMPs ensure consumers give consent for brands to store and use their data for tracking and marketing purposes. Brands cannot store data or market to customers if they haven’t provided a correctly administered pop-up (or privacy notice), which requires active consent.

However, the study highlights widespread confusion about this mainstay of the increasingly privacy-first internet. Of those surveyed who have a CMP in place, 37 per cent agreed that the complexity of regulations and policies is confusing. 

More than a quarter of all marketing managers surveyed (27 per cent) admit they are not sure who is responsible for its implementation. 31 per cent think senior leadership are responsible and only 16 per cent thought it fell to the marketing department, despite marketers having most use for the information collected. Six per cent said the legal team is responsible, focusing on the compliance elements of a CMP. 

For those who hadn’t implemented a CMP, there seemed to be a degree of potentially misplaced confidence about their reasons for not doing so. Nearly half (47 per cent) said their business didn’t think it was necessary and 29 per cent were confident their business was compliant as it was.

“We are in a new era for digital marketing and it is imperative that marketers act to fully ensure compliance with the law,” said Richard Wheaton, Managing Director at Fifty-five. “Our study shows a majority of businesses have failed to implement one and this is concerning. A large part of the confusion stems from not understanding who has primary responsibility. However, confusion about complexity is not an excuse. Marketers as the brand communication owners must ensure they comply.” 

Alongside widespread confusion, marketers are concerned about the impact implementing a CMP could have on their results and reporting. Of those who have implemented a CMP, nearly three in 10 (28 per cent) said it had impacted marketing’s ability to win customers, increasing to 35 per cent of large businesses. Meanwhile, 17 per cent admitted they were confused about what to do with respect to data collection for website visitors.

43 per cent of respondents said that their customers were happy they had implemented a CMP, compared to only 15 per cent who said they were unhappy with the inconvenience of pop-ups and privacy notices.

On the back of these findings, Fifty-five is warning brands that they must adapt to the new era to remain relevant for privacy-concerned consumers. Those that do not adapt risk going out of business in a tougher economic climate.