General Data Protection Regulation (GDPR) guidelines by EU law are getting stricter day by day. Recently, fines have been imposed in Finland for GDPR violations. Therefore, to be GDPR compliant, both B2B and B2C customers are required to add an active cookie consent solution to their websites, which includes a detailed cookie banner and a consent management portal. Please read more about the EU's GDPR compliance requirements.
With this increasing demand, there are many third-party tools and vendors on the market offering ready-to-use, built-in solutions for cookie consent. Are these tools really just ready to use, or do they require additional work and prior knowledge? Having implemented various solutions for our customers, I have noticed that cookie consent integration requires a thorough understanding of its impact on website behavior and user experience, as well as the technical ability to make all the required code changes. Many blogs and articles focusing on GDPR guidelines and on the third-party tools available for implementing cookie consent can easily be found. However, it is not easy to find articles focusing on the technical implementation.
In this blog, I focus on the selection of a third-party tool for cookie consent integration, on what you need to consider, and on possible solutions for issues or problems you may encounter. In the rest of the blog I will refer to the third-party tool simply as the tool or the vendor.
Many promising vendors are available on the market, who provide:
- Audit/scan of website for cookie details
- Cookie categorization
- Cookie banner
- Consent Management Panel to manage cookies
Here are some of the vendors available: CookiePro powered by OneTrust, Digital Control Room, CookieBot, UserCentrics, CookieFirst, iubenda. But how do you choose the best one, and what could be the deciding factor? The following factors might be used to compare and decide:
- Testing and verification of demo version
- Pricing offering
- Language compatibility
- Technical compatibility
- Explore websites or web applications where the solution has already been implemented
- Support for geolocation rules: region-specific legislation outside the EU such as the California Consumer Privacy Act, LGPD and Thailand's PDPA
- Amount of manual work required for integration
Identification of unknown cookies
Vendors scan the website and generate a cookie audit report, which contains cookie source details and a categorization of the cookies based on the information available in their database. However, there are usually still cookies left whose source is not clear. Why and how should these unknown cookies be categorized?
It is important to identify and categorize unknown cookies; if you do not, you have not provided the user with complete cookie information and you are still setting unknown cookies without his/her consent. It is the website owner's or developer's responsibility to identify the source of unknown cookies, which is sometimes quite tricky. Keep in mind that cookies may be set from various sources on the website: direct injection of scripts in HTML tags, scripts injected through tools like Tealium or Google Tag Manager, custom cookies created for website functionality, etc. So leave no stone unturned and check all possible sources. Sometimes you may have to visit particular pages of your website just to check whether a given cookie is set or not.
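A small check I find useful for this step, added here as an example (it is not code from the original post or from any vendor): compare the cookies actually present in the browser with the categorized audit inventory and list the ones no inventory entry explains, plus the known non-necessary cookies that were set before any consent existed. The inventory schema, the category names and the cookie snapshot are all constructed for the example; in a browser you would pass document.cookie instead of the sample string.

```javascript
// Added example, not from the original post or any vendor SDK.
// Constructed audit inventory in the shape a vendor scan might export.
// A trailing "*" marks a prefix pattern (e.g. Google Analytics "_ga_<ID>").
const AUDIT_INVENTORY = [
  { name: "PHPSESSID",  category: "necessary",  source: "first-party session" },
  { name: "consent_v2", category: "necessary",  source: "consent tool" },
  { name: "_ga",        category: "statistics", source: "Google Analytics via GTM" },
  { name: "_ga_*",      category: "statistics", source: "Google Analytics via GTM" },
  { name: "_fbp",       category: "marketing",  source: "Facebook pixel" },
];

// Parse a document.cookie string ("a=1; b=2") into cookie names.
// Values are ignored: for the audit only the names matter.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1 ? part : part.slice(0, eq);
    });
}

// True if a cookie name matches an inventory entry, honouring "*" prefixes.
function matchesPattern(name, pattern) {
  if (pattern.endsWith("*")) {
    return name.startsWith(pattern.slice(0, -1));
  }
  return name === pattern;
}

// Classify every observed cookie: returns { known: [...], unknown: [...] }.
// "known" entries carry the inventory category so the caller can also check
// that non-necessary cookies were not set before consent.
function classifyCookies(cookieString, inventory) {
  const known = [];
  const unknown = [];
  for (const name of cookieNames(cookieString)) {
    const entry = inventory.find((e) => matchesPattern(name, e.name));
    if (entry) {
      known.push({ name, category: entry.category, source: entry.source });
    } else {
      unknown.push(name);
    }
  }
  return { known, unknown };
}

// Given the categories the visitor has consented to, list known cookies that
// should not be present at all. "necessary" is always implied.
function cookiesSetWithoutConsent(cookieString, inventory, consentedCategories) {
  const allowed = new Set(["necessary", ...consentedCategories]);
  return classifyCookies(cookieString, inventory).known
    .filter((c) => !allowed.has(c.category))
    .map((c) => c.name);
}

// Constructed document.cookie snapshot taken on page load, before the visitor
// has touched the banner (so no consent has been given yet).
const SAMPLE_COOKIES =
  "PHPSESSID=abc; _ga=GA1.2.1; _ga_ABC123=GS1.1; chatwidget_uid=9f3; _fbp=fb.1.2";

const report = classifyCookies(SAMPLE_COOKIES, AUDIT_INVENTORY);
console.log("unknown cookies:", report.unknown);
console.log("set without consent:",
  cookiesSetWithoutConsent(SAMPLE_COOKIES, AUDIT_INVENTORY, []));
```

Run this on several pages of the site (a page with an embedded video, a page with the chat widget, a form page), because, as noted above, some cookies only appear once a particular page or feature has been used. Anything in the unknown list needs a source found and a category assigned before the banner can be called complete.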
How to block cookies?
With third-party tool integration, the focus is mostly on adding the cookie banner and the consent management portal, which only requires adding a script to the source code. But what about the additional code changes required to block cookies from being set until the user provides consent? Does the vendor take care of this technicality, or does the developer have to handle it?
Do not assume the vendor will take care of everything; there is plenty of work required from the developer to get this integration working end to end. Mostly, code changes are required to add an extra attribute to the script tags, as well as to the anchor and image tags, responsible for cookies. If a tool like Google Tag Manager or Tealium has been used to inject scripts, then the corresponding tag also has to be modified. This technical information should be provided by the vendor at the initial stage. If not, it will come as a surprise, especially when this extra work has not been taken into account in the work estimates. Some vendors provide an "auto block cookies" feature that works without source code changes, but this feature has limitations and exceptions. It is still wise to obtain all possible information and any technical documentation in advance, and it is better to explore the demo version of the solution before actually purchasing it.
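To make the "extra attribute" mechanism concrete, here is a hand-written version of it, added as an example; it is not any vendor's SDK, and the attribute names (data-cookie-category, data-consent-activated), the category names and the localStorage key are this example's own conventions. Scripts are shipped with type="text/plain" so the browser does not execute them, and iframes or images carry data-src instead of src; after consent the page is walked and only the elements whose category was accepted are activated.

```javascript
// Added example (this blog's own illustration, not a vendor's code): gating
// tags that would set non-necessary cookies until consent is given, e.g.
//   <script type="text/plain" data-cookie-category="statistics" src="/ga.js"></script>
//   <iframe data-cookie-category="marketing" data-src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
//   <img data-cookie-category="marketing" data-src="https://tracker.example/pixel.gif" alt="">
// Attribute names and category names are this example's own convention.

const CATEGORY_ATTR = "data-cookie-category";
const ACTIVATED_ATTR = "data-consent-activated";
const ALWAYS_ALLOWED = "necessary";

// Normalise whatever the consent tool hands back into a Set that always
// contains the strictly-necessary category.
function normalizeConsent(categories) {
  return new Set([ALWAYS_ALLOWED, ...categories]);
}

// Describe a DOM element as plain data so the decision logic stays testable
// outside a browser.
function describeElement(el) {
  return {
    tag: el.tagName.toUpperCase(),
    category: el.getAttribute(CATEGORY_ATTR),
    type: el.getAttribute("type"),
    hasDataSrc: el.hasAttribute("data-src"),
    activated: el.hasAttribute(ACTIVATED_ATTR),
  };
}

// Pure decision: what to do with one gated element given the consent set.
// Returns "skip", "run-script" or "load-src".
function decideAction(desc, consent) {
  if (desc.activated) return "skip";                          // never double-load
  if (!desc.category || !consent.has(desc.category)) return "skip";
  if (desc.tag === "SCRIPT") {
    // Only inert scripts qualify; an executable one would already have run.
    return desc.type === "text/plain" ? "run-script" : "skip";
  }
  return desc.hasDataSrc ? "load-src" : "skip";
}

// Browsers do not execute a script whose type is changed in place, so the
// inert tag is replaced by a fresh <script> that copies its attributes and body.
function runInertScript(doc, el) {
  const fresh = doc.createElement("script");
  for (const attr of Array.from(el.attributes)) {
    if (attr.name !== "type") fresh.setAttribute(attr.name, attr.value);
  }
  fresh.text = el.text;                                       // inline body, if any
  fresh.setAttribute(ACTIVATED_ATTR, "true");
  el.parentNode.replaceChild(fresh, el);
}

// Walk the page and activate everything the visitor has consented to.
// Call it on page load with the stored consent and again whenever the banner
// or the consent management panel reports a new choice. Returns the number of
// elements activated in this pass.
function activateGatedElements(doc, categories) {
  const consent = normalizeConsent(categories);
  let activated = 0;
  for (const el of Array.from(doc.querySelectorAll(`[${CATEGORY_ATTR}]`))) {
    const action = decideAction(describeElement(el), consent);
    if (action === "run-script") {
      runInertScript(doc, el);
      activated += 1;
    } else if (action === "load-src") {
      el.setAttribute("src", el.getAttribute("data-src"));
      el.setAttribute(ACTIVATED_ATTR, "true");
      activated += 1;
    }
  }
  return activated;
}

// Browser entry point; guarded so the module also loads under Node for tests.
if (typeof document !== "undefined") {
  // Assumed: the consent tool stores the accepted categories under this key.
  const stored = JSON.parse(localStorage.getItem("cookie-consent") || "[]");
  activateGatedElements(document, stored);
}
```

Two things worth checking against the vendor's documentation before estimating the work: whether a tag injected through GTM or Tealium can be gated the same way (the post's point about modifying the corresponding tag), and what happens on withdrawal. Activation is one-way; a script that has already run cannot be unloaded by removing an attribute, which is why the late opt-out section below matters.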
Impact on website user experience?
Cookie consent integration often affects user experience and web tracking. Not knowing about this beforehand may result in unwanted surprises, such as some website features becoming invisible, as in the screenshots below. So how do you deal with this problem?
Features like YouTube/Vimeo videos, social media icons and add-ons like a chat service may stop working or become invisible if the user does not provide consent for them. It is good to be aware of this consequence in advance and to plan for fallback behavior. If some features are important for website functionality, then the corresponding cookies may be moved to the Strictly Necessary category as per GDPR guidelines. Try to gain as much information as possible from the vendor or any functional documentation to anticipate the possible effects on user experience. There is a very good custom solution available on the European Union website for handling hidden YouTube videos:
Post implementation maintenance and late opt-out?
Once the cookie consent solution has been integrated, it has to be maintained by periodically monitoring the website for new and existing cookies.
Generally, vendors provide periodic website scan results, which are helpful in identifying and categorizing new cookies. In addition, there is an important feature called late opt-out, for when the user wants to change his/her cookie preferences. A user may decide to opt out of a certain cookie category for which he/she provided consent earlier, and now wants the corresponding cookies to be forgotten. If the vendor's solution does not delete the cookies from the user's device, then you need to add custom code to achieve this, or otherwise provide explicit instructions to the user to manually delete the cookies from his/her device.
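The custom code for that case is less obvious than it looks, so here is an added example of it (not from the post or any vendor SDK). A browser only removes a cookie when the name, domain and path of the expiring assignment match the original Set-Cookie, so the audit inventory has to record those; and cookies under a third party's own domain cannot be touched from the site's JavaScript at all, which is exactly where the "instruct the user to delete them manually" fallback comes in. The inventory, the hostname and the cookie snapshot are constructed for the example.

```javascript
// Added example, not from the post or any vendor SDK: work out which cookies
// the site itself can expire after a withdrawal of consent, and which it can
// only tell the user to delete by hand.

const SITE_HOST = "www.example.com"; // assumed hostname of the site

// Constructed inventory. domain: null means a host-only cookie (set without a
// Domain attribute); the expiring assignment must then omit domain as well.
const INVENTORY = [
  { name: "PHPSESSID", category: "necessary",  domain: null,            path: "/" },
  { name: "_ga",       category: "statistics", domain: ".example.com",  path: "/" },
  { name: "_ga_*",     category: "statistics", domain: ".example.com",  path: "/" },
  { name: "ab_test",   category: "statistics", domain: null,            path: "/" },
  { name: "_fbp",      category: "marketing",  domain: ".example.com",  path: "/" },
  { name: "_gcl_au",   category: "marketing",  domain: ".example.com",  path: "/" },
  // Set by the tracker's own responses under its own domain: out of our reach.
  { name: "fr",        category: "marketing",  domain: ".facebook.com", path: "/" },
];

const matchesPattern = (name, pattern) =>
  pattern.endsWith("*") ? name.startsWith(pattern.slice(0, -1)) : name === pattern;

const cookieNames = (cookieString) =>
  cookieString.split(";").map((s) => s.trim()).filter(Boolean).map((s) => s.split("=")[0]);

// Categories present in the earlier consent but missing from the new one.
function revokedCategories(previousConsent, newConsent) {
  const keep = new Set(newConsent);
  return previousConsent.filter((c) => c !== "necessary" && !keep.has(c));
}

// Can JavaScript running on siteHost write (and therefore expire) a cookie
// for this domain? Host-only cookies belong to the current host by definition.
function isOwnDomain(domain, siteHost) {
  if (domain === null) return true;
  const bare = domain.replace(/^\./, "");
  return siteHost === bare || siteHost.endsWith("." + bare);
}

// The document.cookie assignment that expires one cookie.
function expiryString(name, domain, path) {
  let s = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; max-age=0; path=${path}`;
  if (domain !== null) s += `; domain=${domain}`;
  return s;
}

// Build the plan: `expire` are assignments to apply to document.cookie,
// `manual` are inventory entries the site cannot remove itself.
function deletionPlan(cookieString, inventory, revoked, siteHost) {
  const revokedSet = new Set(revoked);
  const expire = [];
  for (const name of cookieNames(cookieString)) {
    const entry = inventory.find((e) => matchesPattern(name, e.name));
    if (entry && revokedSet.has(entry.category) && isOwnDomain(entry.domain, siteHost)) {
      expire.push(expiryString(name, entry.domain, entry.path));
    }
  }
  const manual = inventory.filter(
    (e) => revokedSet.has(e.category) && !isOwnDomain(e.domain, siteHost)
  );
  return { expire, manual };
}

// Browser side: apply the plan and hand back the entries to show the user
// with manual-deletion instructions. Reload afterwards, otherwise scripts
// that already ran in this page simply set their cookies again.
function applyLateOptOut(previousConsent, newConsent) {
  const revoked = revokedCategories(previousConsent, newConsent);
  const plan = deletionPlan(document.cookie, INVENTORY, revoked, location.hostname);
  for (const assignment of plan.expire) document.cookie = assignment;
  return plan.manual;
}

// Constructed document.cookie snapshot taken while statistics and marketing
// were both consented; the visitor now keeps only statistics.
const SNAPSHOT =
  "PHPSESSID=s1; _ga=GA1.2.1; _ga_ABC123=GS1.1; ab_test=B; _fbp=fb.1; _gcl_au=1.1";
const plan = deletionPlan(
  SNAPSHOT, INVENTORY, revokedCategories(["statistics", "marketing"], ["statistics"]), SITE_HOST);
console.log(plan.expire);                              // _fbp and _gcl_au assignments
console.log(plan.manual.map((e) => e.name));           // ["fr"]
```

One more limitation to state in the user-facing instructions: cookies flagged HttpOnly never appear in document.cookie and cannot be expired from script either, so any such cookie in a revoked category has to be cleared server-side or by the user.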
Some more tips
To summarize, make sure to discuss the points below with the vendors and website owners before making any decisions.
With the vendor
- Exact details about their ready-to-use solution and feature offering?
- Details about source code changes. Is any technical documentation available?
- Scripts that set cookies have many sources: direct injection in source code, injection through GTM, injection by CMS editors on CMS platforms. Does the solution cover all possible scenarios for blocking cookies, and what are the exceptions?
- How will this solution affect user experience on the website, especially regarding existing video, social media links and GTM scripts?
- Support for the late opt-out feature?
- Language compatibility?
- Reference websites on which the vendor's solution is already running.
With the website owner or customer
- Make them aware of the impact on website user experience, as some features may become invisible until the user provides consent. Check for any fallback alternatives that could be used.
- Website tracking is impacted if GTM and analytics scripts are blocked until consent is provided.
- True GDPR compliance requires explicit consent by the user, so pre-selected opt-in choices will not do. In 90% of cases, users do not go into the cookie preference section and just accept the default preferences, which means only necessary cookies will be set, which impacts web tracking and other parts of the website.
- To work around the issue above, you can add a descriptive message to the cookie banner together with an "Accept All" button (while cookies remain opted out by default).
- Look at reference websites to see how others have solved the issue.
- If the late opt-out feature is not supported by the vendor, then custom code will be required.