by lmkg 1717 days ago
To elaborate: While most of these tools can be configured to comply with GDPR, it is not their default configuration. The tools and products predate GDPR, and being enterprise software they value backwards-compatibility over other aspects of functionality. So out of the box, they engage in practices which are non-compliant.

But of course, most companies assume that the default configuration is compliant, since that's the entire point of the product, right? Companies think the product is a compliance solution itself and therefore compliance is purely an IT problem of deploying the software and legal doesn't need to be involved. But in fact the software is actually a platform for scaling and automating enforcement, and legal actually needs to be involved to figure out what compliance looks like.

There are several studies showing that a huge fraction of GDPR/ePD violations are actually a result of using consent-management software but leaving it in the default configuration.