Unawareness, a blurry strategy, and flawed cookie consent management can easily lead to a gap in your analytics. The risk is an often-irretrievable loss of valuable, actionable insights. In this blog post, I’ll discuss ways of preventing this data loss.
If you’d like to find out more about the current status on privacy directives and cookie policies in regard to the GDPR and the ePrivacy directive, you can find my previous blog post “Are Cookies Really Dead?” here.
The Solution: Business Insights, Great Care, and Accuracy
I’d now like to introduce you to the best approach for implementing Cookie Consent Management. The principle of “data protection through technology” (Art. 25 of the General Data Protection Regulation – GDPR) stipulates that technical solutions must ensure full transparency. This means that the burden of implementation is, unfortunately, passed on to the web business owners and their visitors. However, we see ongoing discussions about a more general technical approach through Personal Information Management Systems to make web browsing more enjoyable.
Understanding the Existing Setup
A 2020 study revealed an alarming truth: Many companies completely underestimate the effort to understand which cookies and code elements are set for which purpose!
Different departments make use of different tools and services from third-party providers. One hand doesn’t know what the other is doing. Furthermore, it is quite common for websites and apps to be handled by service providers. They do not necessarily belong to the company responsible for obtaining the user consent.
The following steps require careful coordination of all stakeholders:
- GAIN OVERVIEW: Go through all the cookies that are set in the cookie storage of frequently used web clients. The domain values can be quite helpful to distinguish between first- and third-party cookies, although they do not necessarily cover all cases – sometimes third-party cookies are set within a first-party domain. Your cookie list will probably come from different tools, such as browser developer tools (add-ons or features built into web browsers) or commonly used browser add-ons.
- CLARIFY MEANING AND TECHNICAL IMPACT: Please align with the respective contact persons, both internally and externally. Show them the list of cookies and ask for meaning and impact on technical processes within your web application(s) and, if needed, for third-party vendor services. It is very important to understand and document all scripts and processes that set and use your cookies! This information will be useful when it comes to consent implementation.
- CREATE A COMPREHENSIVE OVERVIEW DOCUMENT: Summarize all information in a meaningful and well-structured overview. Use this document as a basis for next steps.
Categorizing cookies is an important help – not only for legal evaluation with your data protection officer, but also when it comes to the implementation and the presentation of Cookie Consent Management on a website or mobile app.
In 2012, the International Chamber of Commerce of the United Kingdom (ICC UK) proposed to make use of four main cookie categories as guidance for website operators, now adopted as best practice:
- CATEGORY 1: STRICTLY NECESSARY COOKIES. They are essential to enable users to move around the website and use its features, such as accessing secure areas of the website. Without them, simple services like filling shopping baskets or e-billing are unable to function. Cookies set by consent management scripts also belong in this category. Without these cookies, the visitor’s choice cannot be stored in a GDPR-compliant way.
CONSENT REQUIRED? NO
- CATEGORY 2: PERFORMANCE COOKIES. These cookies collect information about the way visitors navigate through a website, for instance which pages have the most traffic. These cookies do not collect information that identifies visitors. All collected information is aggregated and therefore anonymous. It is only used to improve website performance.
CONSENT REQUIRED? NOT NECESSARILY REQUIRED
- CATEGORY 3: FUNCTIONALITY COOKIES. They allow the website to remember visitors’ choices (such as username, selected language or region) and to provide enhanced, more personal features. A website may be able to provide local weather reports or traffic news by storing the visitor’s location in a cookie. They can also be used to remember customization (text size, font, etc.). They are also commonly used to provide services such as watching a video or commenting on a blog. The collected information may be anonymized. They are unable to track browsing activity on other websites.
CONSENT REQUIRED? MOST LIKELY REQUIRED BECAUSE OF USER IDENTIFICATION
- CATEGORY 4: TARGETING OR ADVERTISING COOKIES. These cookies are used to deliver personalized ads. They can also limit the number of times visitors see a certain ad and help measure campaign effectiveness. They are usually set by advertising networks with the website operator’s permission. They store the information that someone has visited a website and share it with other organizations such as advertisers. Quite often, targeting or advertising cookies will be linked to site functionality provided by the other organization.
CONSENT REQUIRED? REQUIRED – THIRD PARTY – BASED ON USER IDENTIFIER
Match and categorize your cookies
Have you already captured all your cookies, including purpose and functionality in one document? Great! Now you only need to assign them to the individual categories.
- Identify redundancies and double-check with the corresponding stakeholders
Note: Please involve your data protection officer in the classification process and explain each categorization. A common issue is a data protection officer misunderstanding technical details on the nature and purpose of the data collected!
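The inventory and categorization steps above can be turned into a small script that builds the overview document. This is an added example, not code from Mapp or the original post: the site domain, the cookie rows and the `setBy` column are constructed, and it covers the case where a third-party script sets a cookie on the first-party domain.

```javascript
// Added example: sample data below is constructed, not taken from a real site.
const SITE_DOMAIN = 'shop.example'; // assumption: the site's registrable domain

// Consent requirement per ICC UK category, as stated in the article.
const CONSENT = { 1: 'no', 2: 'not necessarily', 3: 'most likely', 4: 'required' };

// Rows as copied from the browser's cookie storage view, plus the "setBy" and
// "purpose" columns filled in while talking to the responsible contacts.
const inventory = [
  { name: 'session_id', domain: 'shop.example', setBy: 'shop.example', purpose: 'login session', category: 1 },
  { name: 'consent_state', domain: '.shop.example', setBy: 'shop.example', purpose: 'stores consent choice', category: 1 },
  { name: '_adid', domain: '.shop.example', setBy: 'cdn.adnetwork.example', purpose: 'ad targeting', category: 4 },
  { name: 'uid', domain: '.adnetwork.example', setBy: 'cdn.adnetwork.example', purpose: 'ad targeting', category: 4 },
  { name: 'ab_bucket', domain: 'www.shop.example', setBy: 'shop.example', purpose: '', category: null },
];

const bare = (d) => d.toLowerCase().replace(/^\./, '');
const within = (host, base) => host === base || host.endsWith('.' + base);

function classify(row, site = SITE_DOMAIN) {
  const domainFirstParty = within(bare(row.domain), bare(site));
  const setterFirstParty = within(bare(row.setBy), bare(site));
  const party = !domainFirstParty ? 'third'
    : setterFirstParty ? 'first'
    : 'third-via-first-party-domain'; // the case the domain column alone hides
  const gaps = [];
  if (!row.purpose) gaps.push('purpose undocumented');
  if (!(row.category in CONSENT)) gaps.push('category unassigned');
  return { name: row.name, party, consent: CONSENT[row.category] || 'unknown', gaps };
}

// Returns the full overview plus the rows that need a stakeholder follow-up.
function buildOverview(rows) {
  const overview = rows.map((r) => classify(r));
  const followUp = overview.filter(
    (o) => o.gaps.length > 0 || o.party === 'third-via-first-party-domain');
  return { overview, followUp };
}

console.table(buildOverview(inventory).overview);
```

The `followUp` list is what goes back to the contact persons and the data protection officer before any consent logic is implemented.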
What about anonymous or “cookieless” tracking?
Mapp Intelligence only tracks first-party data for customers without ownership and does not share any data with third party providers. We offer specific solutions for anonymous and cookieless tracking, which help to improve your analytics and are able to collect up to 100% behavioral data.
Please note that this doesn’t qualify as tracking without consent. We’d also like to point out that not every type is equally suitable for each business context.
Data experts consider Mapp’s tracking approach not to require consent since:
- The data is used for statistical purposes
- The data is used for dysfunctionality-detection
- Mapp does not carry out any profiling and only acts as an order processor
- Mapp is not a third party in the sense of data protection law
- The data is not used for other purposes
Communication and Design
How to avoid common UX mistakes
- Strictly necessary cookies are not pre-set. You aren’t allowed to pre-check any types of cookies that need clear user consent. However, not pre-setting the checkmark for essential cookies makes your services unusable.
- Cookie banner layer is not in focus. Some web applications allow their usage without having to interact with a cookie banner. This is a real traffic killer! No interaction means no cookies are set and, therefore, no data according to GDPR. Do yourself a favor and use a legal consent wall for all users entering the web application. This approach is legal when the user can access all services of your web application independently of the selected policy! However, you do not have to provide a CTA button to reject consent for all cookies at this point.
- Settings are too granular. Do not overwhelm your users with too many options while entering your site. They will most likely either bounce or find the fastest way to reject all cookies!
- Settings are hard to find. It is your duty to easily enable users to adjust their preference at any time! Make the preference center easily accessible.
- Keep usage explanation short and easy. Don’t over-engineer the individual explanations. Keep it short and sweet.
The Technical Implementation
You will need specific software for your cookie consent management. Here are a few options:
Note: Tag management systems let you adjust the injected code at any time. This is particularly useful for such a dynamic topic. Keep in mind that all cookies and processes related to this system are “Strictly necessary cookies”!
Internal solution vs. Cookie consent management platforms
To successfully implement internal software solutions, you will need dedicated resources. This implies a responsible and powerful Product Owner, at least one Frontend Developer or UX designer and at least one Backend Developer. Your team will also regularly interact with your Data Security Manager.
You will also need some QA resources for the first launch and continuous testing. They need time for planning, code execution time, and regular maintenance. Cookie consent is a very dynamic topic and well-trained resources are important for ongoing success.
Consent management platforms
Alternatives to in-house solutions are Consent Management Platforms. A CMP enables a website or app to comply with the GDPR, CCPA, and other privacy regulations. CMPs allow websites to inform visitors about the types of data they want to collect.
In addition, many providers also offer audits for existing cookies. They are able to provide you with “ready to go” user interfaces.
They help you with:
- Technical analysis of existing environment
- Collecting and handling user consent
- Displaying banners and pop-ups to users
- Preventing tags from running before obtaining legal consent
- Managing data subject requests
- Firing tags used in ad networks based on a user’s decision
Our CMP partner Usercentrics will always make sure that you are on the safe side data-protection wise while keeping your marketing goals in focus. Usercentrics allows for A/B testing, is quickly adaptable to new policies and easy to implement with Mapp Cloud.
Common implementation mistakes and how to avoid them
- Page reloading. Some implementations block all relevant processes until consent is given and then reload the page to execute processes that set the cookies. This approach is problematic: at the moment of page reload, the browser referrer and in some cases the information on advertising media cannot be measured even for users who have just given their consent. The traffic is then reported as “direct” and the data is not correct. Please execute all processes the user has consented to directly at the moment consent is given!
- All scripts are blocked as type “text” until consent. The consent activates cookie-related scripted processes without reloading, but this does not account for the possibility that some processes need special triggers to work as expected. Make sure you and your team understand how all processes work before you decide to implement a general approach for all processes! There might always be some special solution where this causes issues!
- Lost consent information storage. Depending on the implementation, consent logs may be stored in a cookie that gets deleted quickly because of Apple’s ITP 2.4 for WebKit. This could lead to Apple and Safari users seeing your cookie banner every two days when opening your application. You can be sure that the users will not blame Apple or iOS for this annoying behavior! Find a way to provide robust and preferably permanent storage for consent information!
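The first two mistakes above can be avoided by activating blocked scripts in place at the moment of consent, so the referrer of the original page view is still available and no reload is needed. The following is an added example, not code from the original post or from any CMP: the `data-consent` attribute, the category names and the function name are assumptions of this sketch.

```javascript
// Added example. Assumed markup convention (not a specific CMP's):
//   <script type="text/plain" data-consent="performance" src="/js/analytics.js"></script>

function activateConsentedScripts(doc, granted) {
  const activated = [];
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const placeholder of Array.from(blocked)) {
    // Categories without consent stay inert placeholders.
    if (!granted.has(placeholder.getAttribute('data-consent'))) continue;

    // Changing "type" in place does not make the browser run the script,
    // so build a fresh element and swap it in at the same position.
    const live = doc.createElement('script');
    for (const attr of Array.from(placeholder.attributes)) {
      if (attr.name !== 'type') live.setAttribute(attr.name, attr.value);
    }
    live.async = false;           // dynamically inserted src scripts keep document order
    live.text = placeholder.text; // inline body, empty for src scripts
    placeholder.parentNode.replaceChild(live, placeholder);
    activated.push(live);
  }
  // Once parsing is over, listeners for DOMContentLoaded or load that the
  // activated code registers may never run: those processes need their own trigger.
  const parsingDone = doc.readyState !== 'loading';
  return { activated, parsingDone };
}

// Browser usage, called from the banner's accept handler (hypothetical hook):
// activateConsentedScripts(document, new Set(['performance', 'marketing']));
```

When `parsingDone` is true, check each activated tool against its documentation for an explicit init call instead of relying on page-load events.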
The effects of the GDPR or the CCPA on cookie consent may have a large impact on your user data sources, as well as on the evaluation of your online advertising efforts.
But I hope that I was able to show you a new approach to this important issue and how, with due effort and detailed understanding, a worst-case scenario can be averted. Cookies are not dead technology. It is possible to comply with the GDPR and data privacy requirements without losing important insights on user interests and behavior!
Author: Arno Schmittel, Digital Sr. Strategic Data Consultant at Mapp