GDPR, Cookies and Consent Management Platforms

Handling cookies just got more difficult. Implied consent is dead, and there is still no browser-level consent, but IAB Europe is working on an industry-supported standardized solution.


By Jacob

Edited: 2022-02-24 00:25

The GDPR changes the way many of us are currently obtaining consent for cookies on our websites. For example, Beamtic has relied on implied consent for a while, but I am now working on making a cookie wall to replace the current implied consent notification. The cookie wall will allow me to control how people access my websites by initially blocking users in Europe until consent is obtained.

Generally, I think this is not a problem for most of my visitors. Users might get annoyed by the cookie popup, and quickly click to close it. If a user is interested enough in your content, they will also consent to cookies. It is not our problem that we are required by law to have bothersome consent dialogs, and so it might also be a good idea to make clear that the EU is responsible for those dialogs, and thereby – hopefully – put some pressure on politicians.

IAB Europe is working on a consent framework to make things easier, that will, as far as I understand it, allow us to communicate when consent is obtained for certain cookies (global consent). This means if someone has already given consent for AdSense ads on another website, they will not be prompted on your website unless something else requires it (i.e. the consent has either expired or been withdrawn).

Technically, I do not like the solutions currently being developed. But, now it is too late to do things properly, so we will just have to deal with these clumsy laws. I would have preferred cookies were handled on the browser-level – it is the most obvious solution, because it deals with the problem in one place.

Consent Management Platforms

A CMP (Consent Management Platform) will manage consent on your behalf. Some of them sadly cost money, while some might be free. I recommend you stay away from the paid ones, since IMO this should not be another opportunity for someone to get their hands on your money. I would also avoid those that come with a logo, since I do not want to advertise for the CMP. Consent dialogs should not be a space for free advertisements!

Google is also working on a consent tool, called Funding Choices. This is however not yet available to everyone, but if you have an account manager (larger websites?) then you should have access already. The rest of us cannot simply sit around and wait for Google to get off their fat behinds :-D However, once available, I am sure it will be freely provided for all AdSense publishers. But, if you have social media plugins, you might still need to create your own consent mechanism :-/

The sad thing is, those hit the hardest are small website owners and bloggers. Maybe the IAB should just have created their own CMP – IMO there is no reason to have multiple CMPs. Small website owners would want to limit their expenses.

I do not plan on using a CMP myself (unless, maybe, I find one that supports unlimited sites, is free, and does not show advertisements). But, if you are interested, you can find a list of CMPs here: http://advertisingconsent.eu/cmp-list/

Handling cookies on the browser-level

Having a cookie wall in place is not ideal, and it can also be costly to implement. It is also unfair for individual websites to have to develop or install consent dialogs, and since many websites have their own CMS, custom solutions are needed. But, it would be much easier to deal with the problem on the browser-level. In fact, browsers already have cookie-handling tools built-in, and improving those would be a simple matter.

A consent popup for EU users could easily have been built into browsers, and possibly exposed via API for site owners. This would allow developers to create a single standardized solution, rather than forcing us to reinvent the wheel and potentially waste millions of dollars in the process. However, the damage is already done. Those hit the hardest will be small website owners and bloggers, but I predict most issues will be solved by CMS plugins and third party solutions.

Plugins, however, do not change the fact that the solutions being developed are designed incorrectly. We need privacy by design, within the browsers and devices people are using. If there is a problem with cookies, it needs to be solved at the root. However, as you may know, cookies are very useful to website owners, and that makes it difficult to simply stop using them. Sometimes, tracking users is not only done to show personalized advertisements, but also for security reasons.

The advantage of having on-site Cookie Walls

Website owners will often want to use cookies, and in some cases, prevent people who do not give their consent from accessing the site. In these cases, an on-site cookie wall might be useful.
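The cookie-wall decision described above, as an added example (not this site's own code): visitors from the EU get the consent wall until a signed, unexpired consent cookie covers every required purpose. The country code is assumed to come from a GeoIP lookup, and the purpose names, lifetime, key and function names are hypothetical placeholders.

```python
import hashlib
import hmac
import time

# Assumption: ISO 3166-1 alpha-2 codes of the EU member states; extend to match your policy.
EU_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE".split()
)
CONSENT_TTL = 180 * 24 * 3600  # hypothetical lifetime: prompt again after 180 days
SECRET = b"replace-with-server-side-secret"  # placeholder key, never sent to the client


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_consent_cookie(purposes, now=None):
    """Build the cookie value 'purposes|issued_at|hmac' after the user accepts.

    Purpose names are assumed to be plain identifiers without ',' or '|'.
    Withdrawing consent means issuing an empty purpose list or deleting the cookie.
    """
    issued = int(time.time() if now is None else now)
    payload = ",".join(sorted(purposes)) + "|" + str(issued)
    return payload + "|" + _mac(payload)


def read_consent_cookie(value, now=None):
    """Return the consented purposes; empty if missing, tampered with or expired."""
    if not value or value.count("|") != 2:
        return set()
    purposes, issued, mac = value.split("|")
    # Constant-time comparison; the MAC covers both the purposes and the timestamp.
    if not hmac.compare_digest(mac.encode(), _mac(purposes + "|" + issued).encode()):
        return set()
    now = time.time() if now is None else now
    if now - int(issued) > CONSENT_TTL:
        return set()
    return {p for p in purposes.split(",") if p}


def cookie_wall_decision(country, cookie_value, required=("ads",), now=None):
    """Return 'serve' or 'wall' for one request."""
    # A failed GeoIP lookup (country is None) is treated like an EU visitor: fail closed.
    if country is not None and country.upper() not in EU_COUNTRIES:
        return "serve"
    granted = read_consent_cookie(cookie_value, now)
    return "serve" if set(required) <= granted else "wall"
```

Ad and social-plugin code should only be emitted on responses where the decision is `serve`, so that no third-party cookie is set before consent exists.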

It seems work is being done on an industry-wide solution by the IAB. If I understood this correctly, you will need to find a CMP (consent management platform) to manage consent on behalf of your site. It is also possible to register as a CMP yourself, which might be useful if you want to manage things on your own, and still use the IAB framework. A quote from the advertisingconsent.eu website:

Q: Can Publishers operate without a third-party Consent Management Provider?

Yes, a CMP is essentially just a mechanic for making sure that disclosures are made about a publisher’s approved vendors are made and that the consent signal is generated and transmitted in a standardized way, rather than writing and agreeing new protocols for each publisher/vendor relationship. A publisher may choose to act as a CMP or to use a commercial provider to implement the function on their behalf.

I assume this means that we can signal consent is given for certain cookies (globally), and have it automatically pass on consent to other websites using the framework. That is pretty good, but still not good enough IMO. I still prefer a browser based solution, possibly with an API allowing us to check for consent before allowing people to visit the site.

The problem with CMPs is that they might cost money or show their logo in your consent dialogs, so you may want to create your own solution instead.

Links

  1. Publishers – Advertising Consent - advertisingconsent.eu
  2. IAB Europe - iabeurope.eu
