The first two posts in our series were really warm up acts for the main attraction.
Post one covered the tracking audit that iMedia undertook to understand the companies it would need to disclose and the types of practices that they exhibit. My
second post covered the strategic side of determining a strategy to obtain users' consent to be tracked.
Implied consent is a much stricter standard than the market was accustomed to before the ePrivacy Directive. Providing a link at the bottom of a page or a tab in the corner of the page linking to a cookie policy are good first steps, but no one has successfully argued that these methods alone achieve consent in the eyes of the law. Companies deploying implied consent methods must demonstrate that they are providing enough information up front so that a typical user understands that tracking that is taking place, and that their decision to continue using the site is an active indication of their consent. A more prominent link to further information clearly does not reach this bar.
Consent
Deploying a privacy notice with a consent mechanism, which will include two critical elements.
- An unavoidable overlay on the bottom of the screen, initially viewable to all visitors, explaining in full that the site uses cookies and other technologies with a brief explanation of how the user can take control, if desired.
- A persistent hover icon with the phrase 'cookie consent', which will be available on all pages on the lower right hand side and disclose the individual companies responsible for the tracking, including first and third parties, with integrated tools for withdrawing consent where applicable.
The first five times a user visits the site, they will see both of these elements.
First phase of consent experience:
After the user sees the combined experience five times, the orange overlay will disappear, leaving only the cookie consent icon on the lower right hand side.
After initial experience:
If a user clicks on the cookie consent hover icon, they will see a complete inventory of trackers, with the ability to withdraw consent.
Cookie consent tool:
See other examples of this implementation live on the Nectar and Reuters sites.
Restricting tracking activity
Many sites struggle to properly connect consent mechanisms to the back-end systems that process user requests to withdraw consent. You can easily imagine how embarrassing it would be for a site to offer up a chance to opt-out, and then find itself unable to deliver on the promise. Sites have three options:
1. Integrate with third party opt-outs: This option requires the site to integrate with the opt-out mechanisms of the companies engaging in non-essential tracking on its site. When a user opts out, the site communicates this to each of the companies which then set an opt-out cookie on the user's browser. Tags from the tracking companies will still load, but they will first check for the presence of their opt-out cookie and will cease further tracking activity if the consumer has opted-out. This implementation requires no server-side implementation and can be managed by a solution provider.
2. Restrict tags with server side logic: Here the site inserts simple server-side logic along with each tracking tag that will enable the site to restrict the firing of tags if the user opts out.
3. Use a tag management system: A tag management solution allows the site to manage the server side logic for tags in a simple, unified interface. This option is more scalable for sites that wish to use server-side logic, where the number of companies tracking the user is over a dozen or so.
Ongoing management options
If only consent requirements allowed for a static implementation. For sites with no third party ad activity, very limited tracking activity overall, and a narrowly defined audience in only one European country, perhaps a static implementation will suffice. But alas, tracking is extremely dynamic, especially for an ad-supported site like iMedia. One-time reports of tracking activity rapidly grow stale over time, and since consent under the directive must be specific to the parties involved, your consent tool must be refreshed over time with any new trackers. iMedia will monitor changes to tracking activity over time with Evidon Encompass, ensuring that the details behind consent continue to reflect activity on the site.
Fortunately, the iMedia UK site is clearly built for only one geographic audience. Sites with a broader audience should expect to use dynamic technologies that allow for custom consent experiences catering to specific cultural and regulatory requirements. Good consent solutions will handle these variations automatically, with easy management tools for the compliance officers.
Colin O'Malley is the chief strategy officer at Evidon
