In today’s privacy-focused environment, websites are highly reliant on first-party data. According to a recent Ipsos-Google study, 91% of internet users aged 16-74 say they are more likely to shop with brands that provide offers and recommendations that are relevant to them. In order to achieve the desired level of personalization, brands need users to consent to the use of their data, which requires trust. According to the same study, 68% of internet users are skeptical of the ways companies use their data for marketing purposes. And it’s no wonder! Go to a majority of websites today and you’ll see something like the following scenario:
This website is telling me they value my privacy and are asking for my consent to place cookies on my device. Meanwhile, they have already placed 50+ cookies, many of which are for advertising, while 17 different advertising and marketing technologies have loaded and collected information about my visit. Not only is this a violation of my rights under the ePrivacy Directive (I’m located in Spain), but it is also blatant disrespect of me as a user.
So how do you avoid a situation like this? And why are so many websites so bad at getting it right?
Most enterprise organizations will use a Consent Management Platform (CMP) to help manage consent for their users. While the CMP is quite useful in many stages of consent management, poor configuration and a lack of surrounding processes are consistently leading to compliance and brand equity risks.
To make sure you get it right, it helps to begin by thinking about the end-to-end process of consent management. I like to think of the process in three layers: experience layer, consent layer, and platform layer.
The experience layer is the actual user experience on the website. This is where the user is presented with a notice (ideally) giving them clear information about how their information is collected and processed. Also included will be the choice to accept or reject various tracking behaviors. The granularity of this choice is dependent upon the organization’s configuration, as well as compliance requirements based upon the user’s location. Once the user makes their privacy preference indication, we then move down to the consent layer.
The consent layer is the technical indication of the user’s preference selection. Depending upon the CMP in use, this can be done in a number of different ways. Some CMPs will place a cookie containing the preference choice; some will use a JavaScript object on each page; while others will store the selection in local storage on your device. Regardless of the method employed, the technical indication is what is read by the platform layer to actually respect the consent choice by the user.
These first two layers of the consent management process are what the CMP in use supports.
The final layer in the consent management process is the platform layer. It is here where the configurations happen to actually respect the privacy preference selections of users. Platforms require an additional configuration beyond the CMP that you need to manage. Tags (the JavaScript responsible for powering analytics and advertising platforms) need to be either configured not to execute when users do not consent or configured to limit their behavior in line with the privacy preferences indicated.
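To make the hand-off between the consent layer and the platform layer concrete, here is an added example (not code from InfoTrust or from any CMP vendor). It reads a consent signal from a cookie, a page-level object, or local storage, then runs only the tags whose category was granted. The name `cmp_consent`, the `category:1` value format, and the sample tags are assumptions made for illustration.

```javascript
// Added example: the name cmp_consent and the "category:1" format are hypothetical.
const CATEGORIES = ["analytics", "advertising", "functional"];

// Parse "analytics:1,advertising:0". Malformed or unknown entries grant nothing.
function parseSignal(raw) {
  const granted = new Set();
  let text = "";
  try { text = decodeURIComponent(String(raw)); } catch { /* malformed: deny */ }
  for (const pair of text.split(",")) {
    const [name, value] = pair.trim().split(":");
    if (CATEGORIES.includes(name) && value === "1") granted.add(name);
  }
  return granted;
}

// Consent layer: look for the signal in a cookie, a page-level object, or
// local storage. Returns null when the user has not made a choice yet.
function readConsent({ cookie = "", pageObject = null, storage = {} }) {
  const prefix = "cmp_consent=";
  const match = cookie.split(";").map((c) => c.trim()).find((c) => c.startsWith(prefix));
  if (match) return parseSignal(match.slice(prefix.length));
  if (pageObject && Array.isArray(pageObject.granted)) {
    return new Set(pageObject.granted.filter((c) => CATEGORIES.includes(c)));
  }
  if (typeof storage.cmp_consent === "string") return parseSignal(storage.cmp_consent);
  return null;
}

// Platform layer: a tag runs only if its category was granted. A missing
// signal counts as no consent, so only "necessary" tags run before a choice.
function fireTags(tags, consent) {
  const granted = consent || new Set();
  const fired = [];
  for (const tag of tags) {
    if (tag.category === "necessary" || granted.has(tag.category)) {
      tag.run();
      fired.push(tag.name);
    }
  }
  return fired;
}

// Constructed sample tags; run() stands in for injecting the vendor script.
const sampleTags = [
  { name: "session", category: "necessary", run() {} },
  { name: "web-analytics", category: "analytics", run() {} },
  { name: "ad-pixel", category: "advertising", run() {} },
];
console.log(fireTags(sampleTags, readConsent({ cookie: "cmp_consent=analytics%3A1" })));
```

The scenario described at the top of this article corresponds to `fireTags` being called without ever consulting `readConsent`: the banner is displayed, but nothing in the platform layer waits for its answer.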
A lack of proper configuration within the platform layer is one of the common points of failure with organizations and their consent management configuration. These mistakes lead to significant compliance risk exposure and the improper use of user data, explicitly disrespecting their preferences.
Additional errors result from improper configuration of the CMP in the experience layer, leading to a lack of transparency for the user about what data is collected and which cookies are set. Further errors result from a lack of ongoing monitoring, resulting in tag behavior that contradicts the user’s preference selections.
So, how do you configure the full consent management architecture and ensure you have minimized your compliance risk? We recommend breaking it down into several steps.
Step 1 – Audit & Pre-work
In order to properly configure your CMP, inform the transparency disclosures on your site, and build the documentation necessary for your compliance program, it is helpful to start with auditing your current tag architecture.
In this step you will conduct both a tag audit and a cookie audit.
Tag Audit
A tag audit surfaces all of the marketing, advertising, and analytics platforms currently running on your site, including those which are piggybacking or being loaded in by other tags. Start by mapping all of the tags currently live, as well as the data being collected by each. From there, you can begin evaluating each of the datapoints for their applicability with respect to relevant privacy regulations. This evaluation will result in the documentation necessary to create a consent management strategy and inform the configuration of the CMP.
Cookie Audit
Once you have visibility into the platforms loading and the data collected, it is time to understand all of the cookies being placed on the user’s browser by each platform/tag. This information will again be included in transparency notices on the site and will inform the CMP configuration.
One of the common traits of the experience layer is the inclusion of categories of consent for the user. Before you can properly respect these category selections from the user, you must bucket each of the cookies and tags into the relevant categories. Again, a platform such as Tag Inspector can help significantly in this step as the reporting will associate each cookie placed with the platform responsible for setting it. This information is key to ensuring tags are configured properly in the platform layer to respect the consent selections of the user.
Following the audit and pre-work stage, you now have the documentation and visibility necessary to move to implementation.
InfoTrust Services to Assist in the Audit Stage:
Tag Inspector License
Tag Governance Audit for Privacy & Compliance
Contact us to learn more about how InfoTrust can help.
Step 2 – Implementation
The first step of the implementation phase is implementing the CMP. This entails both the addition of the CMP script on the site, as well as the design and configuration of the experience layer within the CMP. To optimize the user consent experience, we always recommend A/B testing various banner designs and consent experiences as a part of this process.
Beyond just the experience layer configuration, you will also need to classify each of the cookies and tag platforms within the CMP according to the documentation and classifications defined in the audit phase.
Once the CMP is implemented and configured, the experience and consent layers will be addressed. For many organizations, this is where their consent management implementation ends: they assume they are fully set up for success because there is no additional action to take in the CMP. This is a massive mistake, and it is the core reason for non-compliance and user disrespect. It is imperative to fully configure the platform layer to respect the privacy preference signals indicated by the CMP in the consent layer.
The configuration of tags to respect consent signals will likely be completed within the Tag Management System, which is responsible for maintaining tags used for marketing, advertising, and analytics. Each tag in scope needs to be either modified to not execute based upon the user’s privacy preference or modified to execute in such a way that the user’s preference is respected.
It is only after the platform layer is properly configured that you are up and running with a compliant architecture.
InfoTrust Services to Assist in the Implementation Stage:
Consent Management System Configuration and Support
Tag Management Support
Consent Mode Implementation
Contact us to learn more about how InfoTrust can help in these areas.
But that’s not all! No website ever stays static—regular production releases, new tags being added, current tags being modified—the data collection architecture on any website is constantly in flux. To ensure continued compliance, it is important to institute ongoing monitoring and maintenance of the consent management process.
Step 3 – Monitoring and Maintenance
There are two separate components necessary to maintain sound consent management: regular technical monitoring and processes which support architectural hygiene. Technical monitoring is a process using a tag auditing platform that allows you to input your defined standards (what platforms can load under each consent category selection of the user) and flag any instance of those standards being violated. Tag Inspector has a privacy and compliance module which gives this visibility and violation identification across your entire website portfolio.
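The check that technical monitoring performs can be sketched in a few lines. This is an added example, not Tag Inspector's implementation: the standards table, the host-to-platform map, and the crawl observations are all constructed, and the consent state names are assumptions.

```javascript
// Added example: standards, host map, and observations are constructed.
// Standards: which platforms may load under each consent state.
const STANDARDS = {
  "no-choice": ["session-service"],
  "reject-all": ["session-service"],
  "analytics-only": ["session-service", "web-analytics"],
  "accept-all": ["session-service", "web-analytics", "ad-network"],
};

// Output of the tag audit: request hostname -> platform that owns it.
const HOST_TO_PLATFORM = new Map([
  ["session.example.test", "session-service"],
  ["stats.example.test", "web-analytics"],
  ["ads.example.test", "ad-network"],
]);

// Compare observed requests with the standards. A host the audit never
// classified is reported too, since it may be a piggybacked tag.
function findViolations(observations, standards = STANDARDS, hosts = HOST_TO_PLATFORM) {
  const violations = [];
  for (const { page, consentState, requestUrl } of observations) {
    const allowed = standards[consentState];
    const host = new URL(requestUrl).hostname;
    const platform = hosts.get(host);
    let reason = null;
    if (!Array.isArray(allowed)) reason = "unknown consent state";
    else if (!platform) reason = "unclassified host";
    else if (!allowed.includes(platform)) reason = `${platform} not allowed under ${consentState}`;
    if (reason) violations.push({ page, consentState, host, reason });
  }
  return violations;
}

// Constructed crawl results: one row per network request seen on a page.
const sampleObservations = [
  { page: "/", consentState: "no-choice", requestUrl: "https://session.example.test/s.js" },
  { page: "/", consentState: "no-choice", requestUrl: "https://ads.example.test/pixel.gif" },
  { page: "/cart", consentState: "analytics-only", requestUrl: "https://stats.example.test/c" },
  { page: "/cart", consentState: "reject-all", requestUrl: "https://cdn.unknown.test/t.js" },
];
console.log(findViolations(sampleObservations));
```

Running the same check after every production release catches the drift described above, where a new or modified tag starts loading under a consent state that does not permit it.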
Beyond monitoring to identify consent management violations as they arise, it is also important to implement processes to lessen the chances of compliance risk. Processes such as a formal tag implementation process, governance and central management of the Tag Management System, and a new platform compliance review process are all critical.
InfoTrust Services to Assist in the Monitoring and Maintenance Stage:
Consent Management System Configuration and Support
Tag Management Support
Tag Governance Process Consulting
Tag Inspector Privacy & Compliance License
Contact us to learn more about how InfoTrust can help in these areas.
Focus on the three steps of audit, implementation, and maintenance to ensure consent on your websites is both compliant and respectful of your users. Focusing on these areas will help address the experience, consent, and platform layers of the consent management process and set you up for success in the privacy-centric environment.