How Adobe Real-Time CDP and OneTrust Consent & Preferences Connect

[Music] [Neil Tolbert] All right. Good morning, everyone. Thanks for showing up early. My name is Neil Tolbert from OneTrust. Sorry. Global Vice President responsible for our Consent & Preferences offering. I've been with OneTrust, almost eight years, marketer by education and then fellow of information privacy through the IAPP, and excited to spend this morning talking about Consent & Preference Management and how we see that playing into, how you think about your strategy around CDP.

Probably won't take the full hour, so this will hopefully be about 30 minutes. Should have plenty of time for questions. Actually, very willing to answer questions throughout the presentation, so if you have a burning one or you want me to double-click on a specific topic, please feel free to raise your hand, and ask those questions. And hopefully, it's engaging and interactive. So obviously, you guys are at Adobe Summit, so I'm not telling you anything you don't know that data is driving everything modern organizations are trying to do, from a monetization standpoint, from a customer engagement perspective, everything around how they're trying to drive revenue, increase their market share, out compete their competitors. Data is at the core of what businesses are trying to accomplish, and there's a couple of things that are in direct conflict with that. So this is actually a bit of an outdated stack 'cause we are in 2025, but we are seeing not just expanding but accelerating regulation from a privacy standpoint. So safe to say everyone in this room has customers that are protected in some capacity by privacy law. And we're also seeing a massive shift in the sources and quality of data that you can use to drive personalization, most of which is driven by this modern privacy movement. Now all that to be said, consumers are not reacting any differently to personalization. So I always talk about when we had this modern era of privacy law-- Okay, thought I was messing something up. Thank you. That it wasn't that all of a sudden the world became private. We just consumers started to get a better understanding around how their data was collected and used. And we saw these laws put in place as a mechanism for consumer protection. And when we think about regulation, I usually break it up into a couple of different categories, all of which are going to impact how you collect and use data, and most of them have requirements around some level of permission. So obviously, there's a massive wave of privacy regulation that is both, country specific, state or providence specific. You've got consumer protection laws like the TCPA here in the US, like CASL in Canada, laws that are typically older than the privacy laws and much more grounded in reality of application. So you think about the concept of do not call, way more simple than trying to figure out how to comply with some of these privacy regulations. And then you've got sectorial laws that are still consumer protection in nature but are designed very specifically for industries or types of businesses that might have particularly sensitive data or laws that were put in place to react to market demands like the financial services sector.

All of that to be said and what that means is that every time you interact with a customer, especially every time you're collecting or using data, that represents both a risk and an opportunity to everyone in this room. It represents a risk in the sense that you have obligations to comply with any types of regulations I just went through. But it also starts to give you an opportunity to create a better relationship with those customers through transparency and through choice that actually allows you to collect more additional data and start to build a proprietary data asset within your business, that again leads you to a point where you can out compete your peers, and drive better personalization. So when we talk about permission, this covers a pretty wide swath of your customer journey. And so raise your hand if you've been on the internet recently.

All right. You guys are here. Thank you.

There's the unknown side, which typically we would refer to as the cookie banners, right? This is an unauthenticated visitor on a digital property, whether that's a website, mobile app, connected TV, and you're starting to collect choices and preferences around how they're tracked, what type of data you're allowed to transmit to third parties. And these are usually again anonymous permissions to where you haven't necessarily authenticated that person or you don't really know who they are. You know they're a person, and you're starting to build profiles and drive engagement to try to create outcomes, but you still haven't identified them. What we're seeing a massive shift in the market, especially as it relates to permission, is trying to drive that authentication faster and really get to the known side of permission or consent and preferences. This is where the opportunity lies. So this is where you're getting more granular marketing preferences, better subscription preferences. This is also when you think about some of the complexities of privacy law. When we think about the concept of do not sell, do not share, especially here in the US, a lot of companies are interpreting that requirement that if you can link an unknown visit to a persistent profile downstream, you should be honoring that choice downstream. And obviously, I think the broader world doesn't understand the fact that most organizations can actually triangulate who someone is even if they haven't logged in yet. There's still a lot of digital technology out there that can do that. And so we feel very strongly that this should be a problem tackled across that spectrum, when we talk about Consent & Preference Management. I'll get into it in just a second how we do that, and then I'll wrap up with how we push that into systems like CDP. So when you think about what a consent record needs to be, most regulations all have relatively similar core tenants on what makes consent valid. And I'm going to use consent and preference interchangeably. Consent has a definition from a regulatory standpoint, but these are all consumer choices. And so for it to be valid, it has to be informed. It has to be revocable, and what informed means is they have to understand what they are opting into, and it has to be specific. So we have departed the world where you could have a single checkbox and a really broad, lengthy policy that allowed you to basically opt someone into everything. And we are starting to see a much clear definition in test around that informed choice. So I was going to do my best to not say AI in this session and be the only session here that didn't.

But when you think about like you're trying to build data assets that you can eventually put into AI, how do you properly communicate to someone that you might use their data for that? And when you think about all of the other things you're doing with data, how you're sharing it with their parties, how you want to find new and creative ways to use it, that transparency test is something that is should be very intentional. And the more granular you get with permission, the easier that transparency becomes. Also, what we've seen within our clients is that, "Hey, that's how you drive higher opt-in rates." I'm not saying be overly verbose in how you describe what you're going to do with the data, and you don't need to give them every option under the sun. But with the right amount of transparency, the right amount of granularity and choice, that's where we see the highest opt-in rates, both on the unknown and known side. So when you think about how you're going to make an enforceable signal in your CDP, from a consent or preference standpoint, there's a handful of things that you need to consider. You need to know who opted in, so how are we identifying them, and that we can have identifiers for unknown visitors. It just doesn't translate to a known profile downstream. We want to start to define the choice they're making off of a purpose structure. So purpose is a concept that was started in GDPR, but it's basically the intent with which you plan to use the data. Having good purpose structure makes enforcing the data governance that you want to have based off of your intended use of that data downstream way easier. So when you just manage consent as a checkbox in a system, you don't have any of the context around what that means, and it doesn't even necessarily define the subset of data in that profile that you can or can't do things with. You need to understand the status of that choice. So the other hard part about consent is that it is not a static data point, so it's constantly evolving. I mentioned earlier every interaction your customers have with you is an opportunity and a risk, and one of the risks is that their status as it relates to willingness to be marketed to in a particular channel, interest in specific types of content that evolves over time. And so being able to think about consent as in more of a linear fashion and understanding what the current status is but what it was previously, especially for a lot of the consumer protection laws, is really important, from a regulatory defense standpoint. You want to know where it came from so that you can be confident in what the language and disclosure they saw when they provided it. So when you think about if you were contacted by a regulator, hopefully, none of you ever are, they're not going to ask like, "Did you have consent for this person?" They're going to ask for you to prove that you had it. And then they're going to start to ask you to prove that it passed all of the tests that I talked about. So being able to say it happened on this date, on this website, this was the version of our privacy policy at the time, this was the language they saw when they took that affirmative action. Having that that record trail, not only allows you to have a really strong regulatory defense, but it also means that as regulations change, being able to surgically identify which of your consent records you have to go and get re-consent for versus invalidating an entire dataset becomes really important and drives a ton of value. And then obviously all of the time and date stamps, that give you that record along that linear transactional log.

So the way this works in OneTrust, you have the, what we call collection points, which is anywhere those interactions happen. And as your customer starts to go through that journey, they're going to start making choices. So maybe the first choice is that they enter an email to sign up for a specific newsletter type of content. And so you start to get that first level of authentication or identifier, we store those in a data subject profile, which is basically our holding place for all of the answers to all of the questions that are defined by all of the purposes that you would want to configure. And as someone continues through that journey, we're starting to be able to combine those identifiers together. We don't do identity resolution, but one of the hard parts about an enforcing consent is you're trying to push it into systems that are ID dependent. So when you think about-- Okay, do you have a question? Agreeing. Awesome.

Put that on the survey, please. So you're starting to-- You're trying to take a signal and push it into a system that requires it to be communicated in a very specific way for that system because all of these MarTech technologies were not designed to look outward. They're all designed to think inward. And so one of the things we were very intentional about early on is being able to link identifiers together, both for the purpose of consent collection because a customer doesn't know the five IDs that you house on them but also, and maybe more importantly, for the downstream enforcement of that signal. So someone continues to go through this customer journey, and every time it could be the same identifier, it could be a different one. They're making all of these choices. They're updating choices that they made. And you're starting to progressively profile them from a choice standpoint. This is also a really great time to think about first-party data collection because it's contextually relevant to the consumer. So we had a client that actually one of the initial returns on investment that they got as a part of standing up a preference center, they were validating contact elements for the specific channel someone was opting into. So if I'm opting in for email, what a great time to make sure you have the right email for me, or that it's the email address I prefer if you have multiple emails. And so thinking about how first-party data inherently becomes a part of what you're doing from a consent preferences standpoint not only makes the channel engagement that much more expected and relevant for the consumer. But it also gives you the ability to start building more of that proprietary data asset that you can then use to outcompete your peers and drive better engagement.

So I talked through how we collect and how we think about storing consent and preference and what that is.

The real value of this comes when we can push it into all of the downstream systems like Real-Time CDP and any of your other MarTech platforms or data platforms. And the way that we think about doing this, again, is using the identifier that is relevant for that system and sending it in a signal that is consumable by that system. So that's everything from when you think about wanting to block cookies on sites for people that have opted out of a specific behavior. We're going to take that as signal and apply it to your tag manager. When you think about on the known profile side, we're going to take that signal and apply to a data governance mechanism within something like Real-Time CDP in a language that it can interpret. And then every time those choices get updated across that entire litany of customer journey touchpoints, we're providing that delta update into those downstream systems. What that does for organizations is it means you get the maximum use out of the tools you've invested a lot of money and resources in, like Real-Time CDP. It also means that you can have a lot more agility with what you want to do from a campaign, from an engagement, from a program standpoint because you're not having to do all of these last mile checks, right? You're not trying to hit against some database to say, "Are we okay to message these people?" Your permission to engage them is inherently now part of the data which, again, should speed up innovation, creates compliance as a beneficiary byproduct of you guys maximizing your ability to have a trusted data-driven relationship with your customers.

The way this works specifically within Adobe is, we are integrating directly into the profile.

If you have the data governance mechanism set up already, we're actually communicating into the data use labeling, which, again, should speed up how you think about activating those different data groups within CDP and maximizing the output of that investment.

I have a few customer stories that I can talk through, but I'll pause here. Are there any immediate questions? We'll have plenty of time for questions at the end.

If no one's brave yet, we'll get there.

So first example, we had a fashion retailer B2C, and one of their biggest issues was they were trying to comply with not just privacy regulation, but very specific and numerous privacy laws, which the hard part there is on one hand, you want to be specific to the regulation 'cause not all of the requirements are the same, and they don't give you the same benefit. So you don't want to take a universal stance because maybe it limits you in certain jurisdictions where you don't have to be that limited. But you still have to make sure that you're compliant again against both privacy law, as well as direct marketing consumer protection law. Ultimately, what they were able to realize is a much larger marketing list. Typically when companies think about doing a consent management program, they expect their addressable market to shrink. That is not always the case. And again, what they found here was by offering more choice, they actually saw a much higher opt-in rate to both SMS and email marketing. They automated their compliance concerns, so they had a reduction in FTE for their legal team, or at least the resources they were obligating to support the marketing team. And they were able to drive a lot greater personalization in the email channel by having granular preferences like content whether that'd be like gender or specific products. They were also able to do frequency preferences, which we can talk about if someone has a question around that. Probably the hardest preference to honor but they actually built specific campaigns based off of each subset of frequency category, and drove a lot of value through there.

Other example, is a large media company that had a litany of different experiences both consistently branded and sub-brands or sub-categories of their brand, and being able to manage consent across that entire customer journey where they could think locally and act globally, as well as have the option for someone to manage their preferences across all of those experiences while minimizing the impact that privacy obligations had on UX. So one of the things we talk a lot about is doing cross-device or cross-domain consent, where if you have the ability and you give someone the choice to manage their preferences across that entire customer journey, you shouldn't be asking for their preference every time they get to a different step in that journey which massively drove up the UX there. And we were able to solve problems for how they think about complying with complex regulations around the globe.

So last slide here, and then I'll open it up for questions.

We are the largest provider of Consent & Preference Management around the globe. What this scale means for our clients is both, this is a hard thing to do. It's still hard for us to do. It's a complex concept and instilling it in your organization requires a cultural change in how you think about using data. But because of the scale and size that we're doing this around the world, all of those challenges we've been able to overcome, and we've been able to develop a really powerful product alongside our customers, especially as all of these regulations and requirements change.

The other data point I'll call out is I talked about that data subject profile. I can say with total certainty that everyone in this room has a data subject profile in OneTrust. We're managing six billion of them today, and I like talking about that six billion number because when you think about the value and the return on investment in a consent tool, it is not about regulatory compliance.

Yes, that is a value of doing it, but this should be an opportunity oriented thing that you pursue within your businesses because that is a data subject profile that's unlocking personalization. That's a data subject profile that's driving better engagement, increasing performance in specific marketing channels, and creating a ton of value for your organization. It's something we're really proud about. We're working with some of the biggest and most consumer forward brands on the planet.

A number of the experiences, if you did any of the interactive ads in the Super Bowl, we're all powered by OneTrust. If you own a smart TV, everything you opt into when you power those smart TVs up is powered by OneTrust. If you use a lot of the very common streaming services, we are unlocking their ability to drive better engagement and a better experience for each of you.

And yeah, hope this was helpful. Happy to answer any questions that may have come up.

[Music]