
The essentials of cookie consent management

The Data Handbook

How to use data to improve your customer journey and get better business outcomes in digital sales. Interviews, use cases, and deep-dives.

Get the book

Oleg Eremenko


Ever since GDPR came into full force in May 2018, the discussion regarding browser cookies and their privacy implications has been going strong. Fearing the 4% of global revenue or 20 million EUR fines, some companies implemented cookie banners with the strictest of settings while losing precious data. Others decided not to become the proverbial sacrificial lambs in the marketing data economy and to just wait until the first precedents forced them to act.

With enforcement left to newly established and overwhelmed local supervisory authorities, and different interpretations taking attention away from the facts, tracking remained rampant for years. After the initial panic leading up to May 25th, 2018, cookie consent banner functionality was gradually scaled back to a form that informs rather than protects privacy.

If you’ve been participating in the marketing technology scene since then, you have probably been subjected to a variety of opinions on what constitutes valid consent, what Personally Identifiable Information is, whether cookies really are that, and whether cookie banners should be used.

Kind of funny, since the definitions were there on day one:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  1. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

It took a while, but enforcement has been catching up in recent years and months, with Finland’s Transport and Communications Agency issuing guidance for cookie use in 2021 and the first notices being given to sites not adhering to it.

The biggest infraction is having no banner at all, but having a banner and still planting cookies even if the person declines also counts as a violation of GDPR. With consent, you’re either compliant or you’re not. There really is no middle ground.

In this blog, we will go through the most important things you need to consider when setting up a cookie consent mechanism, as well as some general instructions on different implementations.

Prior Consent

The main role of a cookie consent mechanism is to prevent any non-essential cookies from being set on the visitor’s device until consent – described in detail above – has been obtained. With almost any cookie consent system, you first inform the visitor, have them accept or decline cookies and then create the logic which fires the tags in accordance with the selection made by the visitor.

The user’s consent selection is then stored in a cookie, and subsequent pageviews and events need to adhere to this selection.

There are different implementation scenarios, and the choice will depend largely on your website and the technologies in use. The implementation could be completed in five minutes or might take hours and sometimes even days, depending on the technologies used and the complexity of the tracking setup.

Auto-blocking

Some tools provide the so-called auto-blocking feature, which is very easy to implement by placing a single piece of code in the head portion of your site. The tool scans your website for cookies, categorises them and automatically holds them from firing until consent has been obtained. You only need to check for any uncategorised cookies and move them to the correct category.

The main cookie categories are usually essential, preferences, statistics, and advertising.

Since auto-blocking is supposed to protect the visitor by default, it’s also very aggressive, especially when cookies are not allowed at all. In some cases, the blunt logic of the feature might prevent certain website elements from working and make the site unusable.

When implementing this, you should carefully test different consent scenarios. You can guide the auto-detection mechanism by adding certain attributes to the cookie-setting tags in-code. For more control over how and when the tags fire, however, you should consider other implementation options.

Tag Manager

If your website is in the unique position of having all non-essential tags (and cookies set by them) consolidated in a tag management system – say, Google Tag Manager – the logic and the order of things is quite simple:

  1. Install the cookie banner’s code through the tag manager and set it to fire as the first event.
  2. Modify your cookie-setting tags to wait for the consent conditions and fire when these are met.

When the user grants their consent, a cookie is set to indicate this selection and a custom event (for example, “cookie_consent_marketing”) is fired for each of the different cookie categories.

You can use your existing triggers with added checks for the values set in this “consent cookie” or change the triggers to the corresponding consent events. The thing to look for in this scenario is the order or timing of events. For example, a Meta event will not fire unless the Meta Pixel has already been loaded.
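The consent-gating logic described above, as an added example that is not code from this article or from any consent tool. It reads the consent cookie with a default-deny fallback, pushes one `cookie_consent_<category>` event per newly granted category, and holds each tag until both its category is granted and the tag it depends on has fired. The cookie name `cookie_consent`, its JSON layout, the category keys and the tag names are assumptions.

```javascript
// Added example. Cookie name, JSON layout and tag names are assumptions.
const CATEGORIES = ['preferences', 'statistics', 'marketing'];
// Parse the consent cookie from a document.cookie-style string.
// Missing, malformed or not strictly `true` values all mean "no consent".
function readConsent(cookieString, name = 'cookie_consent') {
  const granted = { essential: true };
  for (const c of CATEGORIES) granted[c] = false;
  const pair = cookieString.split(';').map((s) => s.trim())
    .find((s) => s.startsWith(name + '='));
  if (!pair) return granted;
  try {
    const stored = JSON.parse(decodeURIComponent(pair.slice(name.length + 1)));
    for (const c of CATEGORIES) granted[c] = stored[c] === true;
  } catch (_) { /* malformed cookie: stay on default deny */ }
  return granted;
}

// Holds tags until their category is granted. `after` names a tag that must
// have fired first (a pixel's base code before the events that depend on it).
function createGate(dataLayer) {
  const consent = readConsent('');
  const pending = [];
  const fired = new Set();
  function flush() {
    for (let progress = true; progress;) {
      progress = false;
      for (const tag of pending.slice()) {
        if (!consent[tag.category] || (tag.after && !fired.has(tag.after))) continue;
        pending.splice(pending.indexOf(tag), 1);
        tag.run();
        fired.add(tag.name);
        progress = true;
      }
    }
  }
  return {
    register(tag) { pending.push(tag); flush(); },
    // Call on page load and again whenever the banner rewrites the cookie.
    apply(cookieString) {
      const next = readConsent(cookieString);
      for (const c of CATEGORIES) {
        if (next[c] && !consent[c]) dataLayer.push({ event: 'cookie_consent_' + c });
        consent[c] = next[c];
      }
      flush();
    },
    firedTags: () => [...fired],
  };
}
```

In a browser, `apply(document.cookie)` would be called with `window.dataLayer` passed to `createGate`; tags that have already fired are not undone when consent is later withdrawn, so withdrawal also needs the cookies themselves cleared.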

Best of both worlds

The most robust way to implement a cookie consent system is to use rules to control cookies within the Tag Manager and leave hard-coded ones for the auto-blocker to handle. This involves a customised code setup within your website header in which you tell the auto-blocker to ignore the tag manager altogether while allowing it to block everything else.

Special considerations

Multiple domains

If you have a website with multiple domains and you want to handle their consent with one showing of the banner, this can be done with the so-called bulk consent feature of certain tools. These use a local storage mechanism or a third-party cookie (within the browser) to save the consent status and the domains to which this should apply. Thus the visitor sees the banner once and is never bothered again while moving across domains.

Main page and external portal

In many cases, a business might have its web presence spread across different content management platforms, for example, WordPress and HubSpot or a job portal. You might have a cookie banner on your main site, but HubSpot also has a built-in consent management system which controls how its different features behave. This might lead to a situation where a second banner pops up.

The ideal solution would be to use the same consent mechanism everywhere. In a “normal” scenario, our consent mechanism would categorise HubSpot’s tracking and cookies to the “marketing” category and block HubSpot from loading entirely if no consent has been granted.

In some instances, however, some features of HubSpot need to load even if no consent has been given for marketing cookies. In these cases, the HubSpot tracking code does need to load, but you need to pass consent preferences to HubSpot in order for it to behave accordingly. The solution here is to enable HubSpot’s own cookie banner but “trick” it into thinking the selection has already been made.

This is a more technical setup which requires some coding and extensive testing.

Conclusion

GDPR requires websites to obtain informed consent from visitors before any non-essential cookies are set on the visitor’s browser. The easiest way to fulfil the requirements is to use a third-party cookie management platform.

The implementation depends on the site’s web and tracking technologies and can be very easy to get right. In some cases, however, website functionality could be affected, and timing issues might lead to incorrectly collected data.

If you need any help in making your site respect the user’s choices regarding cookies, don’t hesitate to contact our specialists!
