For many, the May 25, 2018 date for GDPR was etched into their minds by the countless hours spent preparing for the new regulation to go into effect. Everyone else on the internet probably realized something was going on from the tsunami of emails about Privacy Policy updates and requests to re-consent to marketing communications.
What you might have also noticed are the privacy banners now ubiquitous on sites across the web. In many cases these will just be at the top or bottom of your browser window letting you know that cookie and data collection are happening with a link to learn more or opt-out. In other cases these banners will block content from being consumed until explicit agreement is given to these data collection practices.
These cookie consent and privacy management messages are powered by a relatively new and growing technology niche, Consent Management Platforms. In light of GDPR, and also the impending updates to the EU’s ePrivacy Directive, sites are adopting these in droves.
Let’s further examine Consent requirements in the context of each of these pieces of legislation and what this means for your website.
Consent Requirements
GDPR
The first of the Six Principles of GDPR is that Personal Data shall be “Processed lawfully, fairly, and in a transparent manner…” To further clarify what lawful processing is, the Regulation outlines six lawful bases for processing. When processing Personal Data for the purpose of marketing and advertising, two of these six are relevant and available: Consent or Legitimate Interest.
Consent is the option that is more difficult to obtain from the user but much easier to defend if questioned. For this reason, many organizations are utilizing Consent when it comes to the collection of data via digital marketing and advertising platforms (tags) on their site.
To be compliant with GDPR, Consent must be explicit and freely given by the user. The user must be transparently notified of the data collected, processing occurring, and how it affects them. With this information available, the user must give an explicit and unambiguous indication that they are okay with the processing.
Legitimate Interest is the second Legal Basis of Processing available. It is much easier to obtain from the user but much more difficult to defend if questioned. You can find more information about Legitimate Interest requirements and documentation in our GDPR eBook.
We mention Legitimate Interest here because even if using this option the user still must be notified that processing of Personal Data is happening and have the ability to easily opt-out if desired. This notification is often handled via an implicit consent banner with a link to the Privacy Notice to opt-out.
ePrivacy Directive
The ePrivacy Directive (Directive 2002/58/EC) was put in place in July of 2002. The primary focus is on privacy in the telecommunications sector, however, Article 5(3) speaks directly to the storing or accessing of information stored on a person’s device. This applies to cookies and data stored on users’ browsers by marketing and advertising platforms running on your site. As a result, the Directive is often referred to as the “EU Cookie Law”.
An important note: as a Directive, it did not itself create obligations for private entities. It instead provides direction that must then be implemented into national law by each Member State. This has resulted in some inconsistency across countries within the EU in notification and consent requirements.
Due to the complexities across the requirements for both GDPR and ePrivacy, organizations are increasingly using Consent Management Platforms to manage Consent requests, maintain records of consent, and properly notify users of data usage and processing.
These Consent Management Platforms come in a variety of different flavors and offer a variety of options based upon the requirements meant to be addressed by the site.
The platforms manage the user experience for consent as well as the recording of the user’s preferences. They do not, however, themselves block the tags from executing (and so data from being collected or cookies from being set) on the site. Instead, the Consent Management Platform provides the foundation on which you configure this blocking on the site.
Consent Management Platforms – How They Work With Tags
In general, the Consent Management Platform does the following, technically, to allow you to configure tags not to execute until the conditions approved by the user are met.
- User enters the site and is shown data collection notification and consent options
- At this stage no tags processing personal data should have executed and no cookies should be set.
- User agrees to use of cookies and data processing.
- Consent Management Platform sets a cookie indicating the user preference.
- Tag firing rules (triggers) are configured to read the presence of specific values in the cookie set by the CMP. These are added as conditions to the firing rules applied to each tag.
- When the conditions are met for the different tags to fire (i.e. proper consent has been given) they fire, collecting the user’s data and setting/reading cookies.
As you can see from the above process there is an element of configuration outside of the CMP that is critical to compliance. With GDPR, for example, if you are stating and using Consent as the Legal Basis for Processing yet collect and process Personal Data without explicit Consent being given and recorded, you are in violation of the regulation. As such, it is critical that tags are restricted from executing until the proper Consent has been granted.
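The gating step in the process above, written out as an added example (this is not code from Tag Inspector or from any CMP vendor): the CMP has already written its cookie, and each tag’s firing rule reads that cookie before the tag may load. The cookie name `cmp_consent`, its `category:0|1` value format and the tag names are assumptions for this example; real CMPs each use their own cookie name and encoding, so the parser would be adapted to the product in use. The point it shows is the default-deny shape of a correct rule: a tag fires only when its category is explicitly granted, so an absent cookie blocks everything except the CMP loader itself.

```javascript
// Added example (not Tag Inspector's or any CMP vendor's code). It models the
// tag-gating step: the CMP has already written a cookie, and each tag's firing
// rule reads that cookie before the tag is allowed to load.
// The cookie name "cmp_consent" and its "category:0|1" value format are
// assumptions for this example; real CMPs each use their own name and encoding.

// Parse a raw Cookie header string into a name -> value map.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Decode the (assumed) CMP cookie value "analytics:1|advertising:0" into
// { analytics: true, advertising: false }. A missing cookie means no consent.
function parseConsent(cookieHeader, cookieName = "cmp_consent") {
  const raw = parseCookies(cookieHeader)[cookieName];
  const consent = {};
  if (!raw) return consent;
  for (const entry of raw.split("|")) {
    const [category, flag] = entry.split(":");
    if (category) consent[category] = flag === "1";
  }
  return consent;
}

// Tag definitions (constructed): each marketing/advertising tag declares the
// consent category its firing rule depends on. Tags with a null category
// (the CMP loader itself) carry no personal-data processing and always load.
const TAGS = [
  { name: "cmp-loader",         category: null },
  { name: "analytics-tag",      category: "analytics" },
  { name: "ad-pixel",           category: "advertising" },
  { name: "personalization-js", category: "personalization" },
];

// Apply the firing rules: a tag fires only when its category is explicitly
// granted. Absent or false means the tag stays blocked (default deny).
function tagsAllowedToFire(tags, consent) {
  return tags
    .filter((t) => t.category === null || consent[t.category] === true)
    .map((t) => t.name);
}

// Constructed sample: browser cookies before the user answers the banner, and
// after granting analytics + personalization while refusing advertising.
const BEFORE_CONSENT = "session=abc123; theme=dark";
const AFTER_CONSENT =
  "session=abc123; cmp_consent=analytics%3A1%7Cadvertising%3A0%7Cpersonalization%3A1";

console.log(tagsAllowedToFire(TAGS, parseConsent(BEFORE_CONSENT)));
// -> ["cmp-loader"]
console.log(tagsAllowedToFire(TAGS, parseConsent(AFTER_CONSENT)));
// -> ["cmp-loader", "analytics-tag", "personalization-js"]
```

In a real deployment the equivalent of `tagsAllowedToFire` lives in the tag manager’s trigger conditions rather than in page script; the example only makes the logic of those conditions visible so the test in the next section has something concrete to check.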
So how do you test this for all of the marketing and advertising platforms loading on your site across all the pages of each domain? That is where a Tag Auditing tool such as Tag Inspector can help tremendously.
Tag Auditing to Test Consent Management Configuration
Introduced back in April in the run-up to GDPR, Tag Inspector now supports the ability to carry the cookies indicating consent for each of the major Consent Management Platforms. Conversely, it is able to withhold these cookies to see which tags load when consent has not been granted.
Combining this functionality with Tag Inspector’s Tag Rules feature, you can test the deployment and configuration of all the tags in conjunction with the Consent Management Platform being used. Below are the steps to the CMP Audit process:
- Configure a Tag Rule within Tag Inspector to indicate the tags requiring consent to execute on your site.
- This is accomplished with a Blacklist rule setting tags requiring consent to be “Not Allowed”.
- In parallel, create a condition in the same rule for the CMP being used to be “Required” across all pages.
- Set up a Scan across each of the site domains deselecting the option to “Enable Cookie/Tracking Consent” and applying the Tag Rule from Step 1 to the Scan.
- Run the Scan across each of the domains controlled by your organization.
Using the logic above you will be Scanning all pages of each of your sites as if you are a user that has not granted Consent to tracking. By applying the Blacklist Rule, Tag Inspector will automatically compare the results of the Scan, and all tags found to be loading, with those you have specified as not allowed to execute under this condition. Any tags requiring consent that are still executing even though consent has not been granted will be highlighted in the Policy Errors area of the report.
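To make the comparison described above concrete, here is an added example that models the CMP audit as a check over scan results (this is illustrative code written for this article, not Tag Inspector’s implementation or output format). It assumes the scan has already visited each page without sending the consent cookie and recorded the tags seen loading; the rule marks consent-requiring tags “Not Allowed” and the CMP loader “Required” on every page. Page URLs and tag names are constructed sample data.

```javascript
// Added example (not Tag Inspector's code): a minimal model of the CMP audit.
// Pages are crawled as a user who has NOT granted consent (no CMP cookie sent),
// the tags observed loading on each page are recorded, and the result is
// compared against a rule that marks consent-requiring tags "Not Allowed" and
// the CMP itself "Required". Tag names and URLs are constructed sample data.

const RULE = {
  // Tags that must not execute while consent is absent.
  notAllowed: ["analytics-tag", "ad-pixel", "personalization-js"],
  // Tags that must be present on every page (the CMP loader).
  required: ["cmp-loader"],
};

// Constructed scan output: what loaded on each page with no consent cookie.
const NO_CONSENT_SCAN = [
  { url: "https://www.example.com/",         tags: ["cmp-loader"] },
  { url: "https://www.example.com/pricing",  tags: ["cmp-loader", "ad-pixel"] },
  { url: "https://blog.example.com/post-1",  tags: ["analytics-tag"] },
];

// Evaluate one page against the rule, returning the policy errors found:
// a "Not Allowed" tag that fired, or a "Required" tag that did not load.
function evaluatePage(page, rule) {
  const present = new Set(page.tags);
  const errors = [];
  for (const tag of rule.notAllowed) {
    if (present.has(tag)) {
      errors.push({ url: page.url, tag, kind: "not_allowed_tag_fired" });
    }
  }
  for (const tag of rule.required) {
    if (!present.has(tag)) {
      errors.push({ url: page.url, tag, kind: "required_tag_missing" });
    }
  }
  return errors;
}

// Run the rule over the whole scan and summarise: which pages collect data
// before consent, and which distinct tags are doing so.
function auditScan(scan, rule) {
  const errors = scan.flatMap((page) => evaluatePage(page, rule));
  const leakingTags = new Set(
    errors.filter((e) => e.kind === "not_allowed_tag_fired").map((e) => e.tag)
  );
  return {
    pagesScanned: scan.length,
    pagesWithErrors: new Set(errors.map((e) => e.url)).size,
    errors,
    leakingTags: [...leakingTags].sort(),
  };
}

const report = auditScan(NO_CONSENT_SCAN, RULE);
for (const e of report.errors) console.log(`${e.kind}\t${e.tag}\t${e.url}`);
// Three errors: ad-pixel fired on /pricing; on the blog page analytics-tag
// fired and the CMP loader is missing entirely (a deployment gap, not a rule gap).
```

The second error kind matters as much as the first: a page where the CMP never loaded cannot have recorded consent at all, so any tag firing there is unconsented regardless of how carefully the triggers were configured.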
Using a solution such as the above allows you to automate the testing process for your Consent Management configuration. With one solution you are testing both the complete deployment of the consent tool and the configuration of tags to indeed only execute when the user has made the proper selections.
In some cases there may be further nuance and additional conditions to apply. For example, in some Consent Management Platforms users will have the ability to consent only to tracking by certain individual platforms/tags or classifications of platforms/tags (analytics, advertising, personalization, etc.). These more granular conditions can also be configured for testing with a Scan. Please Contact Us to discuss the configuration and tool being used and we can walk through the process of setting this up.
In the new regulatory environment organizations are by and large taking the steps necessary to ensure Privacy Rights are upheld. There is a lot of time and effort being put into the evaluation of the various tools on the market to help simplify the overall process. Make sure you are taking the necessary steps to ensure proper configuration and adherence to the law as well.
A well laid out plan is a necessary first step to ensuring compliance; properly implementing the solution is another requirement. Use a Tag Audit tool such as Tag Inspector to easily and automatically test the deployment on your site.
Stay safe out there in the post-GDPR and ePrivacy world, and as always Happy Scanning!