TrustArc Marketing Consent Manager
Universal Consent

Manage marketing consent and universal consent compliance for GDPR and other privacy regulations.

TrustArc Marketing Consent Manager is designed to help organizations to comply with GDPR consent requirements for activities such as promoting products and services, surveys, newsletter subscriptions and other marketing activities directed at data subjects. These GDPR consent requirements include the following: (1) personal data must be “processed lawfully, fairly and in a transparent manner” (Article 5(1)), (2) consent must be a “freely given, specific, informed and unambiguous” indication of a data subject’s agreement to processing (Recital 32), (3) an audit trail and detailed consent management record must be maintained (Article 7(1)), and (4) the data subject must be able to withdraw consent as easily as it was given (Article 7(3)).

Key Features of Marketing Consent Manager


Integrated with User Touchpoints

The solution can be embedded across corporate digital properties, such as websites, SMS and email databases (and other databases), using connectors that are specifically designed for GDPR consent processes.

Customizable

The solution is designed for marketing of products and services to meet CCPA and GDPR requirements, but can be customized to meet your specific needs and goals.

Comprehensive Audit Trail

Data that are collected include anonymized ID, form of consent notice, scope of consent or non-consent, consent version, date of consent and end date of consent, withdrawal of consent, business unit obtaining consent and other configurable metadata.

Centralized Database

You and your approved vendors can query the TrustArc-hosted consent database in order to honor the latest consent status, to manage regulatory and user inquiries, and demonstrate GDPR consent compliance on demand. The database is searchable by marketing activity involved, by date, by business unit and by geography, among other search criteria.

Compliance Reports

The solution facilitates the production of reports detailing and confirming that all required consents have been captured, that they were freely given, specific, informed and unambiguous, should a regulator or user inquire or if they are needed in connection with litigation.

Cookie Consent Manager

TrustArc also offers a solution to support cookie consent management to meet GDPR requirements and other applicable privacy mandates, such as CCPA.

End to End Privacy Management

Part of the TrustArc Platform which manages all phases of privacy compliance, including assessments, data inventory & mapping, vendor risk, cookie consent, DSARs and much more.

Marketing Consent Manager: Frequently Asked Questions

Below are answers to some of the most popular marketing consent questions that we’ve received.

What is marketing consent?

An aggregation of user consent from various consumer touch points that is stored in a consolidated consent database that can be used to enforce, among other things, GDPR requirements.

What is the GDPR?

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a European Union (EU) law that deals with data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

How does the GDPR define personal data?

The General Data Protection Regulation (GDPR) is designed to protect “natural persons” visiting websites “with regard to the processing of personal data and on the free movement of such data.” The GDPR has significantly broadened the concept of “personal data” for privacy purposes, including technical identifiers, location data, IP address, photos and other information that directly or indirectly can identify a distinct person, regardless of context.

What does the GDPR say about cookies and online tracking?

Per GDPR, the setting of tracking cookies can only occur once the user has provided their consent.

What does the GDPR say about cookies opt in and opt out?

GDPR Article 4(11) is clear about opt-in consent. Specifically, it states: “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; …Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”

Opt-out is implied in the regulation. If the user does not explicitly opt in, they are opting out.

What is a GDPR compliant cookie policy?

In order to be compliant with GDPR, a website should:

  • Inform the user how their personal data is being used prior to storing it on the device.
  • Enable consent to use cookies via an explicit affirmative action.
  • Be able to prove that consent has occurred.
  • Provide a means for the withdrawal of consent and guarantee via prior blocking that no tracking is performed before consent is obtained.
  • State the category and purpose of each cookie on the website.

What is the ePrivacy regulation?

The “Regulation on Privacy and Electronic Communications” (“ePrivacy Regulation”) has been proposed by the European Commission to replace the current ePrivacy Directive. The new ePrivacy Regulation would be effective in all EU Member States upon finalization and will not require separate implementing legislation by each EU member state. It is anticipated that the ePrivacy Regulation may come into effect in 2019.

What is the difference between the ePrivacy Regulation and the GDPR?

The ePrivacy Regulation will apply to any entity that processes electronic communications data and any provider of electronic communications services ("ECS"). "Electronic communications data" includes information concerning the end-user processed for the purpose of transmitting, distributing, or enabling the exchange of content, as well as information regarding content transmitted or exchanged. ECS would include email, internet access services, SMS, VoIP, Internet of Things devices and public and semi-private Wi-Fi “hotspots”, among other things.

ePrivacy differs from GDPR in the following ways:

Specifically focused on electronic communications

While the GDPR is the general regulation for personal data stored or used by a company, ePrivacy is a law specifically governing electronic communications. So, when a data privacy issue is raised regarding communications, ePrivacy will be used by regulators for enforcement. The two laws are meant to complement one another.

Includes non-personal data

GDPR is entirely focused on the protection of personal data. The ePrivacy regulation is more expansive in its definition of data protection as it is focused more broadly on the confidentiality of communications, "which may also contain non-personal data and data related to a legal person," the proposal states.

Derived from different areas of EU law

The GDPR is based on Article 8 of the European Charter of Human Rights which says: "Everyone has the right to respect for his private and family life, his home and his correspondence" - i.e., a data subject has rights and is informed about what processing is being carried out on his or her personal data.

ePrivacy reflects Article 7 of the Charter of Fundamental Rights, which states: "Everyone has the right to respect for his or her private and family life, home and communications." - i.e., the data subject is aware of and can make choices in the context of communications that impact him or her. Also, the user may be either an individual or legal entity (vs. an individual-only with GDPR).

What is the ePrivacy directive?

The ePrivacy Directive (aka the EU Cookie Law) was issued in 2002, and concerned the processing of personal data and the protection of privacy in the electronic communications sector.

What is the difference between the ePrivacy regulation and the ePrivacy directive?

The “Regulation on Privacy and Electronic Communications” (“ePrivacy Regulation”) has been proposed by the European Commission to replace the current ePrivacy Directive. The new ePrivacy Regulation would be effective in all EU Member States upon finalization and will not require separate implementing legislation by each EU member state, as was the case with the ePrivacy Directive. Put another way, regulations are legally binding across the EU and directives are designed to be incorporated into individual countries’ laws, leaving open the possibility for different interpretations of the directive.

It is anticipated that the ePrivacy Regulation may come into effect in 2019.

What is the EU cookie law?

The “EU Cookie Law” is another name for EU Directive 2009/136/EC. In it, the European Parliament mandated that all countries within the EU need to establish laws requiring websites to obtain informed consent before they can store or retrieve information on a visitor's device.
