GDPR: the right cookie governance policy involves keeping your tags under control


Protecting the personal data stored by cookies inevitably involves setting up best practices for how those data are collected.

If there were any reason for a CDO or digital marketing manager to take another look at tag management from a more strategic angle, then the GDPR could very well be the ideal opportunity to do so. Not a day goes by without cookies hitting the headlines in the digital press. From Apple’s ITP feature to Google’s decision to delete third-party cookies in Chrome and the latest recommendations issued by France’s data protection authority (CNIL) on how to apply the GDPR, followed by a number of opinion pieces by tech players spelling out their vision of a cookieless world, cookies are a hot topic, and the uncertainty surrounding their future is causing a great deal of concern among marketing teams.

At the present time, organisations have no other choice than to take their cookie governance policy back to the drawing board. This very problem stems from the lax and opaque way in which some organisations have managed their cookies to date, and the GDPR is clearly aiming to rectify the situation. But cookies harbour an essential component that hardly gets a mention, and that component is a tag. Whoever wants to get their cookies in long-lasting order first needs to bring their tags under control.

Tags in the front line with the GDPR

A tag is a script, meaning a few lines of computer code that simplify data transfers between two systems (e.g. between a website and a third-party application). In a way, it is a “vehicle” that collects data, such as from a web store, and then transfers those data to another ecosystem, which might be one of the solutions that the marketing team uses to improve its sales performance. Cookies are files stored in a browser that contain identifiers, i.e. information relating to the user’s profile (device, activity, etc.). When the tag is executed, it places the cookie in the browser and defines the rules for collecting the data associated with the cookie.

The reason why cookies have such a stormy reputation is that they first link, and then recognise, the visitor’s device together with the data collected and any marketing information extracted from it. However, it is the tag that defines the conditions for collecting and sending data to third parties. In this respect, it is ultimately the combination of both components that underlies the GDPR: protecting the stored personal data associated with cookies inevitably involves setting up best data collection practices and therefore an effective tag governance policy.

So what constitutes an effective tag governance policy?

For an organisation to bring its exposure to GDPR risks back under control, it must first identify which tags are present on the website. Most compliance projects start by listing the tags. Which tags are running on the site? What is their scope of application? Which variables are involved? What is their purpose? What are their rules for deployment? This necessary process of listing the tags marks the first step in most projects aimed at ensuring compliance with the GDPR, whether those projects are led by DPOs or legal firms. However, that process may prove to be extremely complex when tags have been deployed without any governance policy, documentation or knowledge transfers (when relevant stakeholders have changed position or left the company). Ensuring that all the tags have been inventoried is an uphill struggle when ecosystems are increasingly expansive.

In the case of an organisation with digital activities on a global scale, just having access to a reliable tag inventory may equate to several tens of thousands of euros in direct costs if that task is delegated to a consultancy, not to mention the expenses involved in mobilising the internal teams and procuring the tools and routines to give the process greater reliability. Once all tags have been listed, the organisation simply needs to gain back control over their execution. In other words, it must accurately configure the execution conditions and variables for each tag, so that it can define which data will be collected, whether and when the tag will be executed and, if applicable, for how long. These are the data collection conditions that underpin the framework imposed by the GDPR.

Lastly, it is important to remember that the regulation is not set in stone, but is constantly being updated to reflect market trends and the new measures recommended by the regulatory authorities. There is every likelihood that your current implementation will need to be aligned with the new restrictions, case law, and so on. In particular, the GDPR has already inspired similar initiatives elsewhere in the world, and all the signs seem to suggest that the trend will continue gathering pace as awareness grows of the need to regulate the digital data market. Nevertheless, not all regulations have the same level of requirements, and each organisation is responsible for adjusting its arrangements and mechanisms accordingly. Therefore, an effective tag governance policy needs to be agile enough that it can be amended quickly, easily and at any time.

TMS: an indispensable ally

Enterprise Tag Management Systems (TMS) have gained traction in the digital landscape as a key strategic component, insofar as they allow organisations to take control of the tags and cookies in their digital ecosystem. A TMS brings the rigour, quality and transparency required by the GDPR in terms of tag management, as well as the flexibility, simplicity and efficiency that organisations expect.

One of the main benefits of a TMS is that it can be used to centralise and standardise all the tags deployed by an organisation within the same interface, across the entire digital ecosystem. When tags are deployed with a TMS, they are automatically inventoried along with their respective parameter settings. Execution conditions can easily and quickly be defined, including by non-technical profiles. Therefore, a member of the marketing team can determine on which page a tag should be executed and according to which conditions, as well as which data must be collected and transferred. It is just as easy to modify the execution conditions, promptly correct any errors if necessary and quickly take centralised and automated action on large volumes of pages and tags.

As such, the TMS proves to be a considerable ally when aligning with the requirements of the GDPR and governing tags and cookies. In addition to considerably simplifying inventories, ensuring greater control over tag obsolescence risks and promoting agile governance, it guarantees effective, safe and compliant processes for marketing, technical and legal teams.