How cookie consent manager and tag manager work together for your GDPR compliance

, ,

Written by Karolina Lubowicka

Published May 17, 2018

The changes brought by GDPR directly impact your marketing tools, and particularly those used for online analytics. Virtually every company providing software that processes personal data (a.k.a. “data processors”) must adapt its technology to the requirements of the new European rules. The biggest player on the market – Google Analytics – is no exception. Unfortunately, as the recent update of their privacy policy shows, the Mountain View giant has decided to shift the burden onto others.

To learn more about the most important changes introduced by GDPR, we encourage you to go through our informative blog post on that very topic:
How Will GDPR Affect Your Web Analytics Tracking?

In recent weeks, Google has introduced some product updates that aim to help their clients comply with the new law – for example, data retention control and a user deletion tool. However, it’s the client (data controller) who is responsible for collecting, managing, and storing consents (via opt-in) from visitors (for both Google Analytics and Google Tag Manager).

In addition, clients have to be sure they aren’t collecting any personally identifiable information (like emails, zip codes, names) because it’s against the Google Analytics Terms of Service (you did know this, right?). Following all these rules can be a big hassle for website owners.

If you want to dig deeper into the advantages of safe personal data processing (including first-party data), be sure to check out this blog post:
Why First-Party Data is the Most Valuable to Marketers.

Collecting user consents: a tricky business

Cookies seem to cause the most trouble. They’re mentioned in Recital 30 of GDPR, which states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

This means that in order to remain compliant with the new laws, your website should now require your visitors to acknowledge and consent to the use of cookies before they start browsing your site.

If you want to deep-dive into the characteristics of proper GDPR consents and how they should be handled, we advise you to read this blog post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users.

However, the list of your responsibilities doesn’t end there. Processing personal data (including cookies) involves many more obligations on the data controller’s side.

If you’re in this situation, here’s some of the things you must do:

  • Develop a mechanism for collecting granular consents, tying them to specific users, and ensuring that the data will be used only for agreed purposes (for example, only for analytics purposes, but not for remarketing or data personalization activities).
  • Gather all the consents (plus all the information we’ve discussed above) in one database which you can easily access and update on a regular basis.
  • Prepare a mechanism for your users to change their mind, exercise their rights, and send you data subject requests.

Sounds like quite a challenge, right? These kinds of tasks take not only a lot of time, but also loads of human resources. Obviously, automating this process would make many lives easier.

Luckily, nature (or in this particular case – the market) abhors a vacuum. Many vendors have decided to take matters into their own hands and create a tool to mediate between visitors and analytics software. Depending on the provider, it’s called Cookie Consent Manager, Cookie Widget, GDPR Consent Manager, etc.

These tools are a kind of gatekeeper that passes information about consents between individual visitors and your analytics system. That way, you make sure that the data you’re operating on has been collected in a manner compliant with the new law.

An interesting comparison of these offerings can be found here: Tools & Widgets to Manage Cookie Consent.

The State of GDPR Consent

Overview and scoring of how websites have adapted to data privacy regulations

Tag manager – a perfect partner in not-crime

As mentioned in the article by Vicky Dallas we linked above, a good idea is to use the combined forces of Consent Manager and Tag Manager to handle user consents.

Tag management systems have proved themselves an extremely useful asset in the marketer’s arsenal. Now they can serve as a tool for reducing the burden of dealing with consents. Because these tools support a range of tag types, they make it a lot easier to ensure compliance of the analytical software and marketing tools placing tags on your website.

The connection of the cookie consent manager and the manager’s tag means that all information about your visitors’ preferences are quickly transferred to your analytics tool. From there it goes to other software using the data collected by your analytics instance – like Personalization or Customer Data Platform.

At least a couple of cookie consent manager providers have integrated their products with tag management systems. One of them is Piwik PRO. The GDPR Consent Manager we’ve developed works closely with a secure tag manager, providing more robust privacy of your data. For instance, you can store all your data in an on-premises environment, encrypt all the collected information, and use a chosen SSO method to log into your system for ensuring that only authorized employees can access the data.

How it works

All this might sound a bit abstract and hard to imagine. That’s why we’ve prepared some examples to show you how Consent Manager and Tag Manager work together. For your convenience, we have divided this process into steps you have to take in order to configure our tools for GDPR compliance:

1) Turning compliance on and off for each site

GDPR Consent Manager allows you to apply settings to every website that adjust the mechanism for firing tracking tags .

If you decide that GDPR compliance should be disabled on a particular website, then new visitors will be opted-in by default. But if you turn GDPR compliance on, new visitors will be opted-out by default and will receive a consent form pop-up (served by Tag Manager).

Then you’ll have to decide which tracking tags don’t need consent and will be fired automatically for every visitor, and which of them will be fired after receiving consent.

Typically, the following categories of tags should be fired only after consent is received:

Analytics – web and mobile app analytics data tracking for basic information like IP address, device and browser information, etc.

A/B Testing and Personalization – tags for A/B tests via third-party vendors and personalized offers targeted at visitor segments.

Conversion Tracking – designed to track when and how visitors accomplish desired actions (purchases, downloads, form completions, etc.).

Marketing Automation – for audience segmentation in order to schedule and track marketing campaigns.

Remarketing – tags creating audiences for ads displayed to visitors after they leave your site.

User Feedback – information about user experience from visitor behavior and feedback.

Custom type – tags whose properties you can freely define.

However, every client can customize them based on their needs and compliance team’s suggestions. This information will tell Tag Manager which tags can be launched automatically and which require the user’s prior consent.

Now it’s time to create the message you’ll show your visitors. With a little help from a user-friendly editor, you can design messages that will be shown to people visiting your website for the first time, as well as those who have already been there but haven’t made a decision about consent.

4) Displaying the pop-ups to your visitors

Once you’ve created all the dialog forms, it’s time to approve the messages and make them visible to all. Pop-ups and widgets give both first-time visitors and returning visitors who haven’t responded to your request the chance to make a decision.

Information about their choices is then saved by Tag Manager in a single first-party cookie and in the Cookie Consent Manager database accessible from your admin panel. All consent decisions will be kept there for one year.

The State of GDPR Consent

Overview and scoring of how websites have adapted to data privacy regulations

Summary

We hope that we’ve convinced you that Consent Manager is the right tool for dealing with GDPR consents from your visitors. And it will be extremely useful if the tool works smoothly with Tag Manager.

If you would like to learn more about collecting consents in accordance with GDPR, we invite you to follow our blog. And remember – you can always contact our team, we’re happy to share our knowledge with you!