Why do you have to give your consent over and over again on some websites?

The GDPR pop-in sometimes seems to glitch. Unfortunately, this isn’t caused by a bug, but actually the result of an approach to collecting consent that is too global and focused on the short term.

Do you often get a feeling of déjà-vu when browsing the web? You’re not alone. The likely culprit is all those websites that consistently ask for your consent, even though you have already given it, sometimes just a few days before. And although this is a genuine annoyance for users, the websites can’t blame it on a bug. Read on to found out why.

Website publishers have the choice of a range of Consent Management Platforms. Some are free and generic, while others cost and offer more customisation. Some align themselves exclusively to the IAB framework, whereas others — such as Commanders Act’s CMP — don’t limit themselves in such a way. This difference is crucial, and to understand why we need to take a closer look at the concept behind the IAB framework.

The IAB framework, a vendor-orientated interpretation of the GDPR

Rather unsurprisingly, this framework is takes a vendor-orientated intepreation of the GDPR (General Data Protection Regulation). A vendor is anyone whose services or solutions process personal data. The IAB framework involves, once consent has been given or refused, communicating the choice to these companies. Consent can be given globally (for the entire list of vendors), by purpose or by company. Either way, the principle remains the same: the framework trusts the vendor to respect the consent choice.

What does this mean ‘on the ground’? Following the IAB model, the tags of services used by a website are loaded at the same time as the pages, whether consent is given or not. It is then the vendors’ responsibility to take into account the consent choice and process the data accordingly. This approach is radically different to that of Commanders Act’s CMP, which simply loads no tags as long as the user has not given their consent. This way, no data is sent at all. And no evil sorcery involved: just a simple link between the CMP and a TMS (Tag Management System) is all it takes to enable tags to be fired only once consent is given.

Endless requests for consent

There is also another limit to the method used by IAB-inspired CMPs, and this is the cause of the endless requests for consent. The list of vendors is constantly changing. At the time of writing, the last update numbered 135 was on 21 February 2019. Since most of these ‘IAB-centric’ CMPs collect consent for the whole list in one go, as soon as a new vendor is added to the list, consent must be given again. Hence why users see the infamous pop-in several times in a single month.

This issue could be somewhat mitigated consent was requested for each separate purpose, rather than all at once. In this case, consent would only have to be renewed when the updated list of vendors affected one of the purposes accepted by the user e.g. personalisation or advertising.

A short-termist approach

In practice, gathering consent by purpose is shunned in favour of a more global request in order to maximise acceptance rates. An approach that could be considered rather short-termist: after being asked several times in the same month for their consent, it wouldn’t be surprising to see users get so bored that they choose to visit the website less and less.

So, the question for website publishers is: how can I manage consent for IAB vendors without annoying users with incessant requests for their consent? There is a solution: download a specific list of IAB vendors (one that is only for the tags active on the site) to avoid having to update every time a new one is added to IAB’s global list.

That’s that route chosen by Commanders Act, whose CMP also works on the basis of purposes. The result is that consent is obtained for explicit purposes, linked to a specific list of vendors. Such a method complies with the GDPR while ensuring the best user experience (much fewer consent requests). Last but not least, such a method is open to non-IAB vendors. Because let’s not forget that while not all Martech companies are on the IAB list, they do all fall under the GDPR’s remit.