The first two posts in our series were really warm up acts for the main attraction. Post one
covered the tracking audit that iMedia undertook to understand the companies it would need to disclose and the types of practices that they exhibit. My second post
covered the strategic side of determining a strategy to obtain users' consent to be tracked.
Deploying a privacy notice with a consent mechanism, which will include two critical elements.
- A persistent hover icon with the phrase 'cookie consent', which will be available on all pages on the lower right hand side and disclose the individual companies responsible for the tracking, including first and third parties, with integrated tools for withdrawing consent where applicable.
The first five times a user visits the site, they will see both of these elements.
First phase of consent experience:
After the user sees the combined experience five times, the orange overlay will disappear, leaving only the cookie consent icon on the lower right hand side.
After initial experience:
If a user clicks on the cookie consent hover icon, they will see a complete inventory of trackers, with the ability to withdraw consent.
Cookie consent tool:
See other examples of this implementation live on the Nectar and Reuters sites.
Restricting tracking activity
Many sites struggle to properly connect consent mechanisms to the back-end systems that process user requests to withdraw consent. You can easily imagine how embarrassing it would be for a site to offer up a chance to opt-out, and then find itself unable to deliver on the promise. Sites have three options:
1. Integrate with third party opt-outs: This option requires the site to integrate with the opt-out mechanisms of the companies engaging in non-essential tracking on its site. When a user opts out, the site communicates this to each of the companies which then set an opt-out cookie on the user's browser. Tags from the tracking companies will still load, but they will first check for the presence of their opt-out cookie and will cease further tracking activity if the consumer has opted-out. This implementation requires no server-side implementation and can be managed by a solution provider.
2. Restrict tags with server side logic: Here the site inserts simple server-side logic along with each tracking tag that will enable the site to restrict the firing of tags if the user opts out.
3. Use a tag management system: A tag management solution allows the site to manage the server side logic for tags in a simple, unified interface. This option is more scalable for sites that wish to use server-side logic, where the number of companies tracking the user is over a dozen or so.
Ongoing management options
If only consent requirements allowed for a static implementation. For sites with no third party ad activity, very limited tracking activity overall, and a narrowly defined audience in only one European country, perhaps a static implementation will suffice. But alas, tracking is extremely dynamic, especially for an ad-supported site like iMedia. One-time reports of tracking activity rapidly grow stale over time, and since consent under the directive must be specific to the parties involved, your consent tool must be refreshed over time with any new trackers. iMedia will monitor changes to tracking activity over time with Evidon Encompass, ensuring that the details behind consent continue to reflect activity on the site.
Fortunately, the iMedia UK site is clearly built for only one geographic audience. Sites with a broader audience should expect to use dynamic technologies that allow for custom consent experiences catering to specific cultural and regulatory requirements. Good consent solutions will handle these variations automatically, with easy management tools for the compliance officers.
Colin O'Malley is the chief strategy officer at Evidon