Month: March 2019

Why do you have to give your consent over and over again on some websites?

The GDPR pop-in sometimes seems to glitch. Unfortunately, this isn’t caused by a bug, but actually the result of an approach to collecting consent that is too global and focused on the short term.

Do you often get a feeling of déjà-vu when browsing the web? You’re not alone. The likely culprit is all those websites that consistently ask for your consent, even though you have already given it, sometimes just a few days before. And although this is a genuine annoyance for users, the websites can’t blame it on a bug. Read on to find out why.

Website publishers have the choice of a range of Consent Management Platforms. Some are free and generic, while others are paid and offer more customisation. Some align themselves exclusively to the IAB framework, whereas others, such as Commanders Act’s CMP, don’t limit themselves in such a way. This difference is crucial, and to understand why, we need to take a closer look at the concept behind the IAB framework.

The IAB framework, a vendor-orientated interpretation of the GDPR

Rather unsurprisingly, this framework takes a vendor-orientated interpretation of the GDPR (General Data Protection Regulation). A vendor is anyone whose services or solutions process personal data. Under the IAB framework, once consent has been given or refused, the choice is communicated to these companies. Consent can be given globally (for the entire list of vendors), by purpose or by company. Either way, the principle remains the same: the framework trusts the vendor to respect the consent choice.

What does this mean ‘on the ground’? Following the IAB model, the tags of services used by a website are loaded at the same time as the pages, whether consent is given or not. It is then the vendors’ responsibility to take into account the consent choice and process the data accordingly. This approach is radically different to that of Commanders Act’s CMP, which simply loads no tags as long as the user has not given their consent. This way, no data is sent at all. And no evil sorcery involved: just a simple link between the CMP and a TMS (Tag Management System) is all it takes to enable tags to be fired only once consent is given.

Endless requests for consent

There is also another limit to the method used by IAB-inspired CMPs, and this is the cause of the endless requests for consent. The list of vendors is constantly changing. At the time of writing, the latest update, number 135, was on 21 February 2019. Since most of these ‘IAB-centric’ CMPs collect consent for the whole list in one go, as soon as a new vendor is added to the list, consent must be given again. This is why users see the infamous pop-in several times in a single month.

This issue could be somewhat mitigated if consent were requested for each separate purpose, rather than all at once. In this case, consent would only have to be renewed when the updated list of vendors affected one of the purposes accepted by the user, e.g. personalisation or advertising.

A short-termist approach

In practice, gathering consent by purpose is shunned in favour of a more global request in order to maximise acceptance rates. An approach that could be considered rather short-termist: after being asked several times in the same month for their consent, it wouldn’t be surprising to see users get so bored that they choose to visit the website less and less.

So, the question for website publishers is: how can I manage consent for IAB vendors without annoying users with incessant requests for their consent? There is a solution: download a specific list of IAB vendors (one that is only for the tags active on the site) to avoid having to update every time a new one is added to IAB’s global list.

That’s the route chosen by Commanders Act, whose CMP also works on the basis of purposes. The result is that consent is obtained for explicit purposes, linked to a specific list of vendors. Such a method complies with the GDPR while ensuring the best user experience (far fewer consent requests). Last but not least, such a method is open to non-IAB vendors. Because let’s not forget that while not all Martech companies are on the IAB list, they do all fall under the GDPR’s remit.
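The re-consent logic described in this article, as an added JavaScript example (not Commanders Act's or the IAB's code): it compares one consent for the whole global list, consent per purpose, and consent per purpose against a site-specific vendor list. The vendor entries, the stored-consent shape and all function names are constructed for illustration; only the list number 135 comes from the text.

```javascript
// Constructed snapshots of a global vendor list (ids, names, purposes made up).
const listV134 = { version: 134, vendors: [
  { id: 1, name: "AdCo", purposes: ["advertising"] },
  { id: 2, name: "StatsCo", purposes: ["analytics"] },
] };
const listV135 = { version: 135, vendors: [
  ...listV134.vendors,
  { id: 3, name: "NewAdCo", purposes: ["advertising"] },
  { id: 4, name: "NewPersoCo", purposes: ["personalisation"] },
] };

// Vendors whose tags are actually active on this site (hypothetical).
const siteVendorIds = [2, 4];

// Vendors in `list` the user has never been asked about, optionally
// restricted to the site's own vendor list.
function addedVendors(stored, list, scopeIds) {
  return list.vendors.filter((v) =>
    !stored.knownVendorIds.includes(v.id) && (!scopeIds || scopeIds.includes(v.id)));
}

// strategy: "global" | "purpose" | "site-purpose"
function needsReconsent(strategy, stored, list, scopeIds) {
  if (strategy === "global") {
    // One consent for the whole list: any list update invalidates it.
    return list.version !== stored.listVersion;
  }
  const scope = strategy === "site-purpose" ? scopeIds : null;
  // Re-ask only if a new vendor touches a purpose the user accepted.
  return addedVendors(stored, list, scope).some((v) =>
    v.purposes.some((p) => stored.acceptedPurposes.includes(p)));
}

// Outcome of the v134 -> v135 update for a user who accepted `purposes`.
function compare(purposes) {
  const stored = { listVersion: 134, knownVendorIds: [1, 2], acceptedPurposes: purposes };
  const out = {};
  for (const s of ["global", "purpose", "site-purpose"]) {
    out[s] = needsReconsent(s, stored, listV135, siteVendorIds);
  }
  return out;
}
```

A user who accepted only advertising is re-prompted under the first two strategies but not the third, because the new advertising vendor has no tag on the site.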

7 features of a CMP that can ensure your regulatory compliance and a smoother user experience

How can you comply with the GDPR without compromising the user experience? This challenge is precisely the job of a Consent Management Platform.

While CMPs are a relatively new phenomenon, they have already caused some buzz in the Martech industry and will go on doing so. The three letters represent a new generation of solutions for managing consent, aptly named Consent Management Platforms. These tools were developed in the wake of the GDPR (General Data Protection Regulation) to collect, record and manage consent given by users of a website or app. This is a key issue, since activating tags and using cookies are both directly linked to such consent being given.

Nevertheless, the CMP must not be confused with the ‘cookie notice’, still prevalent on many websites. This banner simply informs visitors that by continuing to browse the website, they accept the use of their personal data. It goes without saying that such a method is not compliant with the GDPR, which requires a clear explanation of the purpose for collecting data, and more importantly, consent to be explicitly given.

The purpose of a CMP is to ensure compliance with regulations without ruining the user experience. A delicate mix of ingredients that vary from business to business and user to user. That is why a CMP must allow for extensive customisation. But that is only one of its 7 features…

1) A CMP does not enforce its own interpretation of the law

There are several ways you can interpret the GDPR. How it is interpreted varies slightly from country to country, as does the tolerance towards various practices. There is also a good chance that the text’s interpretation will change over time as the market develops new tools and matures on the subject.

Here’s a concrete example: while simply scrolling down the page as a way of accepting the use of data is currently tolerated in France, it’s not certain that it will be for much longer. In fact, it wouldn’t be surprising to see the regulation take a stricter tone. It’s therefore not the job of the CMP to interpret the text, but rather that of those managing the websites and apps to decide on their interpretation and configure the tool accordingly. A CMP must be capable of adapting to a large range of scenarios.

2) A CMP works with all vendors (IAB or not)

The IAB framework has got tongues wagging, and rightly so. It has already united over 400 vendors from the Martech industry. By following its principles, they all agree to use tools to obtain the user’s choice concerning consent, as stipulated by IAB, to know whether or not they have the right to process the collected data.

Besides the fact that this framework is based on an objective understanding (as it’s designed for vendors) of the GDPR, it doesn’t cover all the solutions available. Not all the vendors are registered with IAB. In other words, a CMP that only works with the IAB framework is not able to communicate with non-IAB vendors.

3) A CMP truly disables unauthorised tags

In the IAB model, whether a user gives their consent or not, the tags are still loaded; it is then the vendor’s responsibility to process (or not) the data based on whether consent is given. This method raises a valid question: why not just disable tags by default as long as the user has not given their consent?

Such an approach appears both more logical and safer, but not all CMPs offer it. There are two ways to block tags before receiving consent:

  • By manually adding a trigger in the tags’ code so that they only fire when the user accepts the processing of their data;
  • By combining the CMP with a TMS (Tag Management System) so that the first tells the second to load tag containers when consent is given.

Commanders Act’s CMP, coupled with the Tag Commander TMS, works using the second model. No tag is activated without the user’s approval. Once consent is given, the tag container is automatically loaded in the background (without waiting for the next page to load).
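A sketch of the blocking behaviour described above, as an added JavaScript example (not Commanders Act's or Tag Commander's code): tags are held until the purpose they serve is accepted, then fired at once. The tag inventory, URLs and function names are hypothetical, and the demo records requested URLs instead of touching the DOM so it runs offline.

```javascript
// Constructed tag inventory; names, URLs and purposes are hypothetical.
const TAGS = [
  { name: "analytics", src: "https://tags.example/analytics.js", purpose: "analytics" },
  { name: "retargeting", src: "https://tags.example/retarget.js", purpose: "advertising" },
];

// Browser loader: injects the vendor script (only usable inside a page).
function injectScript(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Consent gate: a tag is held until its purpose has been accepted,
// so no request leaves the browser before that.
function createConsentGate(loadTag) {
  const accepted = new Set();
  let pending = [];
  const loaded = [];
  const fire = (tag) => { loaded.push(tag.name); loadTag(tag); };
  return {
    register(tag) {
      if (accepted.has(tag.purpose)) fire(tag);
      else pending.push(tag);
    },
    // Called by the CMP when the user answers the pop-in.
    grant(purposes) {
      purposes.forEach((p) => accepted.add(p));
      const ready = pending.filter((t) => accepted.has(t.purpose));
      pending = pending.filter((t) => !accepted.has(t.purpose));
      ready.forEach(fire); // fires now, without waiting for the next page
    },
    loaded: () => [...loaded],
    pending: () => pending.map((t) => t.name),
  };
}

// Offline demo: the user accepts analytics only.
function demo() {
  const requested = [];
  const gate = createConsentGate((tag) => requested.push(tag.src));
  TAGS.forEach((t) => gate.register(t));
  const beforeConsent = requested.length; // nothing requested yet
  gate.grant(["analytics"]);
  return { beforeConsent, requested, pending: gate.pending() };
}
```

In a page, pass `injectScript` to `createConsentGate` in place of the recording function.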

4) A CMP allows for customisation

Why must your website’s consent pop-in be the same as your competitor’s? Why does the privacy center, the page where all the cookies you use are listed, not match your visual identity?

When you consider that it is actually the first element that a new visitor will probably come across, it’s important that the consent pop-in (on a site) or screen (on an app) resembles you. From the language to the visuals, the CMP must give you the possibility to customise the consent interface with your own branding.

5) A CMP covers websites and apps, and tailors the UX to the device

Consent management applies not only to the web, but also to mobile apps. This adds some complexity, especially for the user experience, since you cannot display the same consent interfaces for a website viewed on a desktop computer, on a mobile or via an app. While it is recommended to not hide the content behind a pop-in on a website, it is much more acceptable on a mobile screen. No question that the CMP must be able to tailor the UX to the device.

6) A CMP closely measures performance

Customising the consent pop-in with the brand’s identity, testing different sizes of consent screen, measuring the impact of different language… All these best practices must be implemented provided that you can measure their success.

The aim is to conduct A/B Testing of the different formulas and measure the impact on consent rates and even the user journey. Even though the CMP is primarily marketed as a tool for regulation compliance, it is also a Martech solution, and, consequently, its performance must be measured.

7) A CMP archives consent

One of the key principles of the GDPR is accountability. Put simply, the GDPR requires companies to not only collect personal data lawfully and honestly, but also prove they did so further down the line.

That is why it is essential to accurately archive the consent choice (was consent given for a specific purpose? Or for all purposes?) and the subsequent action taken. In the event of an inspection, this archive will act as proof that personal data was handled in accordance with the GDPR’s principles. Commanders Act’s CMP performs such archiving, a key feature for many clients.
