With ‘fair and reasonable’ privacy regime incoming, only 15 ASX100 firms have consent management platforms in place – maybe for good reason
What you need to know:
- An analysis of the ASX 100 by Mi3 and DataTrue reveals that only 15 of Australia’s largest companies have established any formal consent management platforms (CMPs).
- Notably, none of the Big Four banks or major retailers have invested in CMPs, and BHP is the only one of the 10 largest listed companies identified as having such a system.
- OneTrust is the leading CMP provider, used by seven companies within the ASX 100.
- Many companies without a CMP still manage consent, but they likely do so in a fragmented manner, relying on individual applications rather than a unified system.
- Service providers warn that lack of standardised consent management can lead to significant problems, but implementing a CMP does not absolve companies from privacy obligations under the “fair and reasonable” test at the heart of Australia’s new privacy regime. That test is tipped to be included in the second tranche of Australian privacy reforms sometime in 2025.
- Per advisors, consent is often misapplied.
- The burgeoning complexity of corporate data ecosystems is part of the reason why regulators chose to move away from a strict reliance on consent, and instead now urge companies to focus on transparency and legitimacy in data usage, says Nicole Stephensen.
An analysis of the ASX 100 by Mi3 and DataTrue reveals that only 15 per cent of Australia’s biggest listed businesses have a formal consent management platform (CMP) in place. None of the Big Four banks or any of the major retailers have made investments in the platforms.
Among the top 10, only BHP has a CMP, while Resmed was the only other top 15 company identified.
OneTrust is the clear market leader among CMP players, with its customer set including ALS Limited, Ansell, Brambles, CSL, Resmed, The Perth Mint, and ASX.
For marketers, CMPs enable them to collect, track, and manage customer permissions – ideally in a transparent and user-friendly way.
The absence of a CMP does not mean the rest of the companies on the list are not doing consent management. Rather they are likely relying on a piecemeal approach at an individual application level.
But there are consequences to that strategy, says Gagan Batra, founder and director at martech consultancy Insighten.
One common, practical problem brands run into is that they have no way of limiting an unsubscribe request from removing a customer from every service, whether the customer wants that or not.
“If the organisations are only giving one option to unsubscribe from consent, then when the end user unsubscribes, they do so from every single piece of content because they’re not given an option; they just opt out from everything. So that’s a risk to marketing, which is obviously spending dollars to retain these customers.”
Consent management platforms typically manage this problem through preference centres, he said.
“Every one of those companies will be doing consent because collecting consent before communicating with the user is a privacy requirement.”
The issue, he says, is whether firms are taking a joined-up approach.
“Are they unifying the consent from different platforms into one preference centre? On top of that, are they connecting cookie compliance with email marketing compliance? I don’t think anyone in the country is doing that at this time. I think that’s where the future is leading.”
When Mi3 examined the ASX100 we found only a small minority of companies have invested in a CMP. We were able to determine this through an analysis of tags on the website, undertaken by DataTrue based on data collected using its automated tag discovery technology, which detects the presence of cookie consent banners or the use of third-party Consent Management Platforms.
It is important to understand the distinction between cookie consent banners and CMPs on the issue of cookies.
According to DataTrue’s Adam Hobson, “Cookie consent banners notify users that a website uses cookies to track their interactions. In contrast, Consent Management Platforms (CMPs) allow users to specify their consent level for cookie tracking (among other things).”
“There was only limited adoption of cookie consent technology with only 15 per cent of ASX100 companies providing any form of cookie consent prompt for user interaction.”
As to which solutions were preferred, “OneTrust was the most widely used CMP, and was adopted by 7 of the 14 companies utilising CMP solutions,” said Hobson. “Other solutions included Usercentrics along with custom-built platforms.”
Packing the stack
The emergence of consent management platforms adds a new layer of complexity to the martech stack and may also have implications for how customer data platforms are deployed, according to Chris Brinkworth, managing partner at Civic Data.
“Every technical privacy audit that we do across the customer experience layer (tags that collect or use data) unearths deep-rooted problems with data being collected without consent and a myriad of tags and pixels that are not supposed to still be running, collecting data that they shouldn’t.”
He warned that over-eager agencies and marketers are keen to ‘hack the CAQ’ using new identity plays, audience matching, ML-based segmentation and ‘deterministic identity tags’.
“We envisage that the need to protect consumers and avoid privacy penalties will become the first line of defence and will require consent and governance capabilities to sit hierarchically above CDPs as the next stage in this evolution.”
The reason, according to Brinkworth, is that the marketing technology landscape has rapidly evolved from hard-coded tags to tag management systems, and now to more holistic customer data platforms (CDPs).
While tag management systems brought flexibility, CDPs emerged to provide unified customer views for activation. However, fully integrated CDPs pose risks like vendor lock-in, he said.
“As regulations tighten on privacy, consent and governance are crucial. Large clouds now aim to own these capabilities to remain entrenched. However, concentrating consent and governance within clouds contradicts decentralisation trends. We are seeing the rise of composable stacks as marketers assemble tools managing consent, governance, and activation.”
Per Brinkworth, “This blend of best-of-breed point solutions delivers flexibility lacking in consolidated cloud ecosystems.”
“While integration enables efficiency, customers now demand control over their data and adaptability as regulations evolve. This requires positioning consent and governance hierarchically above CDPs, superseding them as the next stage in this evolution. Either way, protecting consumers and avoiding penalties starts with removing non-compliant tags, data collection, activation, re-identification, etcetera, before reconsidering foundational data practices.”
And that’s just the start. Other privacy experts suggested the emergence of the fair and reasonable test for privacy – tipped to be included in the second tranche of Australian privacy reforms sometime in 2025 – raises some uncomfortable questions for CMP providers. It’s a view with which Brinkworth is sympathetic.
Fair and reasonable
The fact that brands manage consent through a consent management platform is not a get-out-of-jail-free card: The fact that someone has consented online doesn’t really confirm that any further use of that data is fair and reasonable. Indeed, and particularly in online contexts, the use of consent as the mechanism to permit whatever it is your organisation wants to do is potentially unfair and unreasonable in itself.
According to Nicole Stephensen, managing director of Ground Up Privacy, “This is where the test really becomes important. You may think you have my consent because you purchased a mailing list from a vendor that assures you everyone on the list consented, and you might have even loaded my consent into your own consent management system. But the reality is that the list might be four times removed from my original consent, and I might have no idea that you even have my details,” she says.
“I might not remember the consent I originally gave – in fact, I may not have even realised what I was agreeing to at the time – and now you are basing your decisions around the handling of my personal information on this consent.
“Online consent is misused all the time.”
Surveillance capitalism
“It’s an area where that power imbalance endemic to surveillance capitalism continues to get a work out. So even where an organisation has a consent management system that logs that a person has provided their consent to something, the fair and reasonable test still informs the organisation’s decision-making. Effectively, it requires organisations to do a check measure ahead of a collection, use or disclosure and consider: Is what we are about to do within the reasonable expectation of the person? Are we using an approach that an ordinary person would consider to be fair? Are we relying on consent to avoid being truly accountable?
“Responding to the test is probably going to take a culture shift for some organisations, and it will certainly upend the over-reliance on consent for activities involving personal information that may otherwise not get the green light.”
She said, “If a consent is not specific, if it’s not detailed, if it’s not for a particular purpose, if it exists in perpetuity (instead of being time limited), the consent is not worth the consent management software it’s stored on.”
Stephensen also noted that the increasing complexity of data and technology ecosystems is part of the reason why Australia’s policy makers appear to have moved on from a reliance on consent.
“There are not a lot of big companies using consent management systems because they’re cumbersome, they’re hard. They don’t necessarily give you enough granular detail about what it is the person initially consented to, making it hard to ensure that you’re using and disclosing their information only in accordance with that consent.”
“It’s challenging, and the more data you get, the volume of data points alone, makes it even more difficult for an organisation to double-check – so your accountability measures are harder.”
Reasonable is as reasonable does
Civic Data’s Brinkworth noted that Australian companies are required to give notice that they are going to use your data in a certain way.
“The thing is, if we then bury that in all these different terms and conditions, or in privacy where we’re saying we will use it for marketing purposes with companies like Google and LiveRamp, but it’s not really descriptive or detailed, then we could filibuster anything you want in there.”
Leaning into an absurd example for effect, he said, “I could technically say we’re going to come into your house late at night, write the price of our latest special offer in lipstick on your mirror. By agreeing to the terms and conditions and agreeing to this, you consent to this.”
“Now even if you had a consent management platform that kept track of everyone that said yes to that, is it really fair and reasonable?”