2021 Strategies for Data Privacy & Cookie Consent Management

May 13, 2021
Associate Director, Experience Analytics

As privacy regulations and technology mandates go viral, the importance of understanding how to be compliant has become increasingly urgent. Concern over long-term customer data loss and decreased digital marketing capabilities has reached new heights. Moreover, to retain consumer interest, businesses need to be able to meet these rapidly evolving regulatory requirements and offer a strong digital customer experience at the same time.

These two fundamental needs seem contradictory, but they don't have to be. Deriving a customer data privacy strategy and implementing cookie consent technologies can prepare your organization to become compliant and provide your visitors with confidence about your brand's attention to data privacy and personal choice. 

Privacy Management and Consent Platforms

With these industry changes, consent management tools and third-party privacy management platforms have stepped into the spotlight. Perhaps the most prominently marketed solutions are cookie consent tools, which enable digital experiences to adhere to privacy regulations such as GDPR and CCPA. 

At a high level, enabling cookie consent means that your digital experience offers users the opportunity to determine how their data is collected and processed. While consent initially seems simple, the categorization and management of cookies and data can become murky. 

Enter consent management platforms, which offer configurable solutions to meet privacy demands. But what do these platforms do, exactly? And how can your organization derive a strategy that will enable your company and your customers to benefit from an end-to-end privacy management experience? 

When evaluating and developing a consent management program, we recommend that your company follow a sequence that fits your company's viewpoint on consumer privacy. For many companies, you may arrive at the following mitigation timeline:

  1. Define your organization's stance on privacy by forming a task force.
  2. Evaluate how your digital footprint fits into the existing and future regulatory environment.
  3. Select a privacy management/cookie consent platform that will allow you to achieve compliance.
  4. Integrate the consent tool into your digital experiences.
  5. Analyze the impact of your consent management program, and iterate.

Once a privacy and cookie consent management solution is in motion, you'll be ready to develop strategies around risk mitigation. 

Defining an Organization's Stance on Data Privacy

Data Privacy encompasses a vast range of procedures, policies, and actions. For our purposes, we'll focus on data collection and analysis, which are foundational pieces of the broader data privacy puzzle. 

Before selecting a vendor and jumping into cookie consent management, we recommend forming a privacy task force to define your organization's approach to customer and data privacy. This cross-functional team should contain representation from Information Technology, Marketing, Product, and most importantly, Legal. Regardless of your industry or your organization's size, Bounteous always recommends that you initiate legal counsel when considering privacy and consent strategies. 

Evaluating Your Digital Footprint

The outcome of a privacy task force should be a way forward for how your organization defines privacy, and which regulations are applicable to your company's digital ecosystem.

To better inform these decisions, you may want to evaluate your digital footprint as it relates to common privacy regulations such as GDPR (The General Data Protection Regulation), CCPA (The California Consumer Privacy Act), and ATT (App Tracking Transparency), among others. This exercise may include understanding your traffic from the European Union, California, or other regions with specific consent laws. 

A Brief Overview of the Expanding Privacy Ecosystem

To facilitate these discussions, it's important to understand the regulations that are impacting your digital experiences. Since GDPR was announced in 2018, digital privacy announcements have been increasing in scope, impact, and consumer awareness. 

Privacy Ecosystem Timeline

 

*Note: by no means is the following summary a comprehensive view of any regulation listed above. Our intent is to provide you with high-level context so that you can begin to conduct more thorough research, and engage with your company's privacy &  legal professionals. 

GDPR (General Data Protection Regulation)

Under GDPR, businesses are required to comply with strict rules around protecting customer data for citizens in the European Union (EU). The General Data Protection Regulation sets strict standards for consumer rights, including protecting an individual's location (IP address) and digital data (cookies).

The mandate also requires companies to enable the consent of visitors for data processing, or "opt-in" capabilities. GDPR compliance is usually achieved in the form of cookie consent policies and opt-in banner functionality, among other steps. 

ITP (Intelligent Tracking Prevention)

ITP (Intelligent Tracking Prevention) is Apple's (Safari) and Firefox's way of limiting the ability to track users across websites using cookies. ITP was initiated with the goal of preventing domains classified as having tracking capabilities from monitoring users across different sites using third-party cookies. The browser privacy powerhouse has expanded over time, and now caps the length of all client-side cookies.

CCPA (California Consumer Privacy Act)

The California Consumer Privacy Act (CCPA) empowers California residents to take control over the personal information that businesses collect about them. CCPA mandates that companies inform visitors about the personal information that they collect, and how the information is used. The regulation also gives California residents the right to opt-out of future tracking, and to delete personal information previously collected by a business.

Note that CCPA is expanding under CPRA, creating new obligations for companies and organizations processing sensitive personal information (such as financial information, race, gender, etc.) among other considerations. 

Chrome 80 and the Deprecation of Third-party Cookies

In August 2019, the engineering teams at Google Chrome announced their intention to phase out all third-party cookies within two years via a program called the "Privacy Sandbox." Check out our post on Chrome 80 to dive deeper into the update. 

ATT (App Tracking Transparency)

With the iOS 14 update and App Tracking Transparency (ATT), users are now asked if they want to be tracked after installing an app. If the user selects "do not track" when prompted, the advertising identifiers (a mobile app's version of the GAID for Google's parallel advertising) will no longer be accessible to any measurement partners (Branch, Kochava, etc.) for the vast majority of impressions, clicks, or app events. This update hits Ad Networks (such as Google, Facebook, Snapchat, and Twitter) particularly hard as they use IDFA for partner integrations.

Note that today, this update only significantly impacts iOS users, but the privacy trend will most likely continue to expand to additional platforms, such as Android, in the future. 

Cookies and Personally Identifiable Information

You'll notice that in many of the privacy regulations and changes discussed above, a cookie or user identifier is the primary concern due to its potential for being linked to personally identifiable information. 

Cookies store information about activity as you navigate from page-to-page and action-to-action, and are descriptive pieces of information that are passed between your browser and the website's server. Common use-cases for cookies include multi-session logins (keeping a user logged in even when they close the browser tab), remembering a user's preferences, and storing a user's information over time. 

How Google Analytics Uses Cookies To Identify Users
By Abby Matchett,
Associate Director, Experience Analytics
· December 23, 2019

In today's digital landscape, much of our digital data collection and remarketing starts with a cookie, or some way that we as marketers and digital analysts are able to identify our consumers and then subsequently try to engage them. While the information stored within a cookie may not be enough on its own to identify an individual, cookies can be combined with additional information. 

For this reason (among others), cookies are at the forefront of many of our privacy regulations discussed earlier. Therefore, it is imperative that your organization take action when considering cookie consent and cookie compliance. 

Cookie Compliance and Consent Vendor Selection

If your website is accessible to and marketed towards European Union residents, you will want to ensure that GDPR is on your radar. Moreover, if you have consistent traffic to your website from California (and therefore California residents), you'll want to ensure that you have a CCPA plan in place. One way to observe your EU and California activity is to analyze your digital data from a tool such as Google or Adobe Analytics. This will help you identify the scope of impact (% of users) that will be exposed to cookie consent capabilities. 

Most websites will require banner consent and opt-in or opt-out consent forms to be GDPR & CCPA compliant. GDPR generally requires opt-in notifications (usually in the form of a pop-up banner), whereas CCPA requires opt-out notifications (usually in the form of footer navigation calls-to-action and a subsequent landing page that contains an opt-out and data request form). 

A reminder that when considering cookie compliance, it is important that your legal team(s) determine what compliance means to your company. 

Enabling Consent Through Technology

One of the most efficient and foolproof methods of obtaining compliance is to evaluate and implement a Cookie Consent Management solution. Bounteous has worked with several cookie consent managers, including OneTrust and TrustArc, however, there are additional solutions on the marketplace that may be a good fit for your organization. 

As you begin your search, reach out to representatives of these companies and ask for an evaluation. One tool may meet your needs more completely than another, based on your legal definition of compliance. 

Some of our clients have also implemented homegrown solutions instead of purchasing a third-party consent manager. We recommend considering a consent manager rather than a homegrown solution if your organization is looking for a quick way to become compliant and if you have little internal oversight or personnel capacity to manage an internally developed solution. Otherwise, you can certainly explore your options!

The Advantages of Google Marketing Platform's Tech Stack Capabilities

If your organization is using Google Analytics, Google Analytics 4, or Google Tag Manager, you'll also want to consider several privacy features available to you today within the Google Marketing Platform. 

Google's Consent Mode works alongside your consent management platform of choice. The tool enables you to adjust your advertising tags based on the consent status of your users, meaning that Google's tags will adapt to the user's choice of accepting or declining cookies. Consent mode works natively with Google Ads, Floodlight tags, and Google Analytics. 

Additional privacy tools have also been deployed to disable data collection, advertising features, and personalization. Google also has methodologies for IP anonymization, data storage and retention procedures, and user-level access safeguards. 

Data privacy and cookie consent also extend past data collection & analysis. For some regulations, companies will need to be able to provide access to the data collected at the user level and also offer data deletion requests. Google Analytics 4 and Universal Analytics offer interface opportunities to ensure these compliance requirements are met. 

Using these native features of the Google tech stack will enable you to implement a consent management system much more quickly and efficiently, and with far less internal maintenance.  Keep these features in mind when evaluating your consent management platform for optimal performance.

Integrating a Consent Management Tool Into Your Digital Experiences

Most consent managers follow a similar implementation process regardless of which tool your legal team decides to move forward with. Generally, a tag management solution such as Google Tag Manager or Adobe Launch is utilized in conjunction with development resources to add consent banners to a website. You may also need to work with your development teams to ensure that opt-out forms and calls-to-action are available within your website's footer navigation. 

The high-level process for implementing a consent manager with a tag management solution includes the following steps, but will vary with the size and complexity of your digital infrastructure. 

Cookie Consent Solutions

 

First, you will run a few cookie scans within your consent management platform to isolate or bucket cookies into several categories, such as functional or essential cookies and marketing or advertising cookies. How your consent management solution flags cookies will determine how they are treated when users accept or decline when being served a banner. Your company can always choose to group cookies under your own defined categories as well. 

Next, your consent management platform will generate a script to manage and record user cookie settings. Your team will need to place the script within a tag management solution, such as Google Tag Manager or Adobe Launch, or directly on the site. This script will enable the pop-up consent features required for GDPR, as well as any cookie bucketing required for CCPA (if you choose to utilize these features). 

Note that most consent managers enable you to configure several settings, such as consent banner placement, design, and content/terminology prior to placing a script on-page. Collaborating with a user experience team is extremely valuable during this time to ensure that your site's functionality is not impacted by your consent management experience. We also recommend obtaining approval from your legal department when selecting the final consent banner content. 

From here, you will update your tag management and data collection practices to read the user's cookie settings. This is essential so that you avoid collecting data on your users until they have chosen to accept or decline cookies. You'll also work with your development team to ensure the proper navigation is available for CCPA, and that your cookies are operating as expected on your site. 

If the implementation process is successful, users should see one GDPR consent banner per browsing session, with consistent cookie and user settings from page-to-page and from action-to-action (e.g., cookies and consent settings persist for the user during their session). If you are also implementing CCPA opt-out functionality, then marketing and advertising cookie collection should cease after a user has filled out the appropriate form. 

Ensuring Compliance is Achieved

Because digital privacy is complex, implementing a cookie consent pop-up box for GDPR or adding a CCPA intake form to your footer navigation will most likely not be enough to ensure compliance.

  • There are several steps that your organization will want to take to ensure compliance is achieved, including (but not limited to):
  • Regularly updating your terms of service on your website, and ensuring that they match your consent management process.
  • Ensuring that your consent manager consistently removes cookies as users opt-out or opt-in (e.g., regularly testing your consent manager's effectiveness).
  • Enabling a process to serve data to those who have requested access to data that has already been collected.
  • Developing a process to delete data for customers who have requested data deletion. 

As you may expect, developing processes to serve and delete data to customers is extremely challenging for many organizations. To help with this process, you'll want to consider all internally managed and third-party databases where personally identifiable data may live. 

In Google Analytics, for example, the user explorer report can be used to handle user deletion requests in accordance with CCPA's requirement to allow users to have their data purged. You will also want to restrict access to and remove this data from Google BigQuery, Google Ads, or other advertising platforms as required by the regulation. 

Your Next Steps to Cookie Compliance

If implementing a cookie consent manager sounds daunting, you are not alone. Consider reaching out to a partner such as Bounteous who has experience with multiple solutions and technology platforms. We can help you navigate your options, put a solution in place, and test your solution for any gaps. 

We can also work with you to analyze and determine the impact that consent management will have on your digital data and digital marketing strategies. Analyzing the impact of any solution will be an important step in communicating to your executives and leadership teams. 

Lastly, implementing a cookie consent solution isn't the end of the privacy road. Iterating against your existing privacy strategy will be paramount to meeting regulatory requirements and safeguarding your consumer's data.