How to become GDPR compliant by using Cookie Consent

Niquee CrystalCommerce Updates, Marketing

Disclaimer: Please note that this guide is for informational purposes only and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization. We are not affiliated with, and do not endorse, any software or tools used in this guide.

If you are not targeting people in the 28 EU countries, you can skip this. Otherwise, keep reading.

Part 1 – What is the GDPR?

Do you need to comply with the GDPR?

The GDPR is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you’ll need to comply with the GDPR. You should consult with legal and other professional counsel regarding the full scope of your compliance obligations.

What happens if you do not comply?

Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 Million Euros or 4% of global annual turnover, whichever is higher.

About Individual Rights

The GDPR also outlines the rights of individuals around their personal data. EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data. You should be prepared to support people’s requests promptly. People have the right to request their data be corrected, provided to them, prohibited for specific uses, or removed altogether.

You should also be able to tell someone, among other things, how their personal data is being used. If they ask, you’re obligated to share the personal information you hold on an individual or offer a way for them to access it.

“Am I a Controller or Processor?”

A data controller handles personal data; a data processor processes personal data for other data controllers. If you store or process any information about living people, you are a controller and are responsible for acquisition of consent and storage of data. If you’re reading this, you’re probably a controller.

Cookies, Remarketing, and all good stuff.

Do you use Google Analytics, Tag Manager, AdWords Remarketing code or Facebook Pixel on your site to build custom audiences? If so, you must obtain consent.

Per Google, “Advertisers using AdWords will be required to obtain consent for the use of cookies where legally required, and for the collection, sharing, and use of personal data for personalized ads for users in the EEA. This includes the use of remarketing tags and conversion tags. Where legally required, advertisers must also clearly identify each party that may collect, receive, or use end-users’ personal data.”

Per Facebook, “When you use the Facebook pixel, you will have to comply with the GDPR.”

That being said, since Facebook owns Instagram, Instagram will be as GDPR compliant as Facebook is at all times. You don’t need to do anything extra to use Instagram ads or acquire additional consent to leverage consumer data as a targeting method on the photo-centric platform. The same goes for Messenger and WhatsApp.

What does the GDPR mean for my website?

If your website is serving individuals from the EU and you – or embedded third-party services such as those mentioned above – are processing any personal data, you need to obtain prior consent from the visitor.

To obtain valid consent, you need to describe the extent and purpose of your data processing in plain language to the visitor, before processing any personal data.

This information must be available to the visitor at all times, e.g., as part of your privacy policy. You must also make available an easy way for the visitor to change or withdraw consent.

All consents must be logged as proof, and all tracking of personal data, including tracking by embedded third-party services, must be documented, including the countries to which data is transmitted.

About Consent

You need to have a legal basis, like consent, to process an EU citizen’s personal data. Under the GDPR, you may use another legal basis for processing personal data, but we anticipate that many e-commerce businesses will rely on consent. This consent must be specific and verifiable.

Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve an explicit affirmative action. That means clear language and no pre-checked consent boxes.

Collect Consent

Transparent data processing is mandatory, and it’s also an opportunity to strengthen your marketing relationships. If you’re going to rely on consent to process the personal data of EU citizens, the GDPR says you must obtain specific consent from your contacts and clearly explain how you plan to use their personal data.

You cannot assume permission with a pre-checked box or, worse, nothing at all. Instead, the user must take a clearly defined action.

Part 2 – Collect consent using GTM

Why are we using Google Tag Manager (GTM)?

Simply put, GTM simplifies the tag implementation and management process for marketers, analysts, and developers. You can manage all your tags from one place, insert JS and HTML snippets, and integrate seamlessly with all the primary marketing tools. I could go on and on. The bottom line: GTM will make your life much more comfortable when it comes to using marketing tags.

If you’re not familiar with Google Tag Manager yet, I advise you to start with this Moz guide: An Introduction to Google Tag Manager.

Alright, let’s move on.

Cookie consent form

In this particular case, we will be using Cookiebot. Cookiebot makes your cookies and online tracking GDPR compliant with just a few lines of JavaScript. Cookiebot consists of three main features: cookie consent, cookie monitoring, and cookie control. Here is their pricing page. By signing up for Premium Small ($10/month) you get all the bells and whistles: customizable banner, customizable declaration, multiple languages, email reports, data export, geolocation (this is a huge one), bulk consent, consent statistics, and an internal domain alias for development, test and staging.

Why is geolocation a huge deal for us? If your business is based in the USA, for instance, you don’t want to show your cookie consent banner to US-based users, because you don’t need to. You certainly can, by all means; it could even be a great marketing strategy to build trust and rapport with your audience by being honest up front about why and for what you want to collect their data. However, in this case, your US-based users might wish to remain “invisible,” and at the end of the day you won’t get much data in your Facebook Pixel or Google Analytics. So targeting users by their geolocation is not a bad idea.

Unfortunately, the free version does not include geolocation. However, we’re writing a custom JavaScript function to replace the native Cookiebot geolocation feature (I will update the guide once it’s ready). Why? Maybe you want to use the basic free version plus geolocation, or you want to use a free open-source cookie consent form. In any case, it might be of great help.

You are free to use any other cookie consent form. The logic behind the process would be the same every time:

  1. You’re using marketing tags (Facebook Pixel, GA, AdWords, etc.)
  2. Create a cookie consent script as a Custom HTML tag inside GTM
  3. Make sure that all tags fire only after the user has given you consent
  4. Profit

Step #1 Implementing the cookie consent banner in GTM

In your GTM container create a new tag by clicking “New” > “Custom HTML Tag”

In the “HTML” field, insert the following snippet and replace the serial number “00000000-0000-0000-0000-000000000000” with your own serial number from the “Your scripts” tab in the Cookiebot Manager:

<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js?cbid=00000000-0000-0000-0000-000000000000" type="text/javascript"></script>

<script>
// Cookiebot calls this once the visitor has accepted. Push one dataLayer event per
// accepted cookie category so that GTM triggers can fire the matching tags only after consent.
function CookiebotCallback_OnAccept() {
  if (Cookiebot.consent.preferences)
    dataLayer.push({'event': 'cookieconsent_preferences'});
  if (Cookiebot.consent.statistics)
    dataLayer.push({'event': 'cookieconsent_statistics'});
  if (Cookiebot.consent.marketing)
    dataLayer.push({'event': 'cookieconsent_marketing'});
}
</script>

Please note: You can’t just copy the Cookiebot script tag from the Cookiebot Manager; you need to move the ‘cbid’ value into the script URL as described above, because GTM strips the ‘data-cbid’ attribute from the default script. Without the ‘cbid’ URL parameter, Cookiebot will not display on your site when served through GTM.
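The callback above only pushes events; the point of the whole setup is that nothing cookie-setting runs until the matching event has been seen. The following is an added example (not Cookiebot’s or GTM’s code) of a small consent gate driven by those same dataLayer events, for a site that wants the same guarantee without GTM. The Cookiebot consent object and the loaders are constructed stand-ins.

```javascript
// Added example (not Cookiebot's or GTM's code): a consent gate driven by the same
// cookieconsent_<category> dataLayer events the callback above pushes, so cookie-setting
// scripts are held back until their category is accepted, with or without GTM.
var dataLayer = [];

var consentGate = (function () {
  var granted = {};  // category -> true once its consent event has been seen
  var pending = {};  // category -> loaders queued until consent arrives

  // Wrap dataLayer.push so a consent event releases every loader queued for that category.
  var originalPush = dataLayer.push;
  dataLayer.push = function (entry) {
    var result = originalPush.call(dataLayer, entry);
    var match = entry && /^cookieconsent_(preferences|statistics|marketing)$/.exec(entry.event);
    if (match) {
      granted[match[1]] = true;
      (pending[match[1]] || []).splice(0).forEach(function (loader) { loader(); });
    }
    return result;
  };

  return {
    // Register a loader that must not run before its category is accepted.
    onConsent: function (category, loader) {
      if (granted[category]) { loader(); return; }  // consent already given: run now
      (pending[category] = pending[category] || []).push(loader);
    },
    isGranted: function (category) { return granted[category] === true; }
  };
})();

// The callback from the guide, repeated here so the example runs stand-alone.
function CookiebotCallback_OnAccept() {
  if (Cookiebot.consent.preferences) dataLayer.push({ event: 'cookieconsent_preferences' });
  if (Cookiebot.consent.statistics) dataLayer.push({ event: 'cookieconsent_statistics' });
  if (Cookiebot.consent.marketing) dataLayer.push({ event: 'cookieconsent_marketing' });
}

// Constructed stand-in for the consent object Cookiebot exposes after the visitor's choice:
// statistics accepted, marketing declined.
var Cookiebot = { consent: { preferences: true, statistics: true, marketing: false } };

// Constructed loaders standing in for the real GA and pixel snippets.
var loaded = [];
consentGate.onConsent('statistics', function () { loaded.push('google-analytics'); });
consentGate.onConsent('marketing', function () { loaded.push('facebook-pixel'); });
CookiebotCallback_OnAccept();                      // only the statistics loader runs
consentGate.onConsent('statistics', function () { loaded.push('late-statistics-script'); });
```

A loader registered after consent has already been given runs immediately; a loader for a declined category never runs.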

Choose “All pages” as a trigger and apply a name to your tag at the top of the configuration page, e.g., “Cookie Consent.” Click “Save” to create the tag.

This is what your tag configuration should look like (except for the value of the serial number):

Finally, click “Publish” to push your changes live to your site.

Also, make sure that you have registered and saved the domain name(s) of your website(s) in Cookiebot.

The consent banner is now active on your website.

Step #2 Controlling cookies

To honor the visitor’s consent, you need to define the logic that controls the behavior of cookie-setting scripts on your website.

Let’s take Google Analytics (GA) as an example. We will show you how to implement and control GA with Cookiebot in GTM so that GA only sets cookies if the visitor has accepted statistics cookies.

From the GTM “Triggers” list, click “New.”

Choose “Custom Event” and enter an event name for the trigger, “cookieconsent_statistics,” in the field “Event name.”

Click “Save” to create the trigger.

This is what your trigger configuration should look like:

Repeat the above for each type of cookies, so that you have three triggers named “cookieconsent_preferences,” “cookieconsent_statistics” and “cookieconsent_marketing.”

Use your existing GA tag or create a brand new one for testing purposes.

If creating a new GA tag, select “Universal Analytics” under the “Choose tag type” pane. Select “New Variable” in the select box under “Google Analytics settings” and enter your GA Tracking ID in the field “Tracking ID.” Click “Save.”

As a trigger, select the trigger you have just created, “cookieconsent_statistics.” Click “Save” to create or update the tag.

This is what your final GA tag configuration should look like (except for the Tracking ID):

Finally, click “Publish” to push your changes live to your site.

Google Analytics Universal is now enabled on your website and in compliance with the consents of your visitors.

Controlling cookies with multiple triggers

While the approach above is efficient when using only one trigger on a tag, you need a different approach when controlling cookies on tags with multiple triggers.

In GTM, a tag will fire if any of the triggers on a tag evaluate to true. Since we want the tag to fire only when the existing trigger and the relevant cookie consent event both evaluate to true, you must add a condition to the existing trigger instead of adding the cookie consent trigger to the tag itself. Trigger conditions must all evaluate to true for the trigger to fire.

The values of the cookie consent trigger condition to add are: Event – equals – cookieconsent_marketing

Replace “cookieconsent_marketing” with “cookieconsent_preferences” or “cookieconsent_statistics,” depending on the type of cookies set by the tag.

Example of adding a cookie consent condition to an existing trigger:

If your trigger is of a different type than “Custom Event”, e.g., “Click – Just Links”, you will not be able to define a trigger condition based on an Event as illustrated above. In this case, you need to define a new “User-Defined Variable” of type “Custom JavaScript” for each category of cookies.

Example:

Create a user-defined variable and name it “Cookiebot.consent.marketing”. In the field “Custom Javascript”, enter the following snippet:

function() {
  // Return "true" or "false" as text so the trigger condition “contains true” can match it.
  return Cookiebot.consent.marketing.toString();
}

Repeat these steps to create variables for the “preferences” and “statistics” cookies as well, replacing “marketing” in both the variable name and the JavaScript above.

Now go back to your trigger configuration and add a new condition referring to one or more of the above variables, e.g., “Cookiebot.consent.marketing” – contains – true

Please note: If your existing trigger is of the event type “Page View,” you need to change it to event type “Window Loaded” since the visitor’s consent is not available to GTM before the window has loaded.

When should you use multiple triggers?

For instance, if you’re using Facebook Pixel Events like “addToCart” or “Purchase.” In my case, both those events are triggered by clicking on buttons Add to Cart and Purchase. Let’s take a look at Facebook Pixel Add to Cart tag:

Since the tag should be triggered only by clicking the “Add to Cart” button, we’re using event = addToCart. However, we also want to make sure that this event fires only after the user has given consent, so we’re adding another condition: Cookiebot.consent.marketing contains true.
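To see why the consent check has to be a condition on the existing trigger rather than a second trigger (the rule explained under “Controlling cookies with multiple triggers”), here is an added example, not GTM’s code, that models those two GTM rules on the Add to Cart tag above. The tag definitions, the variable values and the visit sequence are constructed.

```javascript
// Added example (not GTM's code): a constructed model of the two GTM rules the guide relies on.
// A tag fires when ANY of its triggers fires; a trigger fires only when ALL of its conditions hold.
function conditionHolds(cond, event, variables) {
  var actual = cond.variable === 'Event' ? event : String(variables[cond.variable]);
  if (cond.op === 'equals') return actual === cond.value;
  if (cond.op === 'contains') return actual.indexOf(cond.value) !== -1;
  throw new Error('unsupported operator: ' + cond.op);
}
function triggerFires(trigger, event, variables) {
  return trigger.conditions.every(function (c) { return conditionHolds(c, event, variables); });
}
function tagFires(tag, event, variables) {
  return tag.triggers.some(function (t) { return triggerFires(t, event, variables); });
}
// Replay a visit (a list of {event, variables} steps) and list the events on which the tag fired.
function firingEvents(tag, steps) {
  return steps.filter(function (s) { return tagFires(tag, s.event, s.variables); })
              .map(function (s) { return s.event; });
}

// Wrong: the consent trigger is added as a second trigger, so either event alone fires the pixel.
var addToCartPixelWrong = { triggers: [
  { conditions: [{ variable: 'Event', op: 'equals', value: 'addToCart' }] },
  { conditions: [{ variable: 'Event', op: 'equals', value: 'cookieconsent_marketing' }] }
] };
// Right: the consent check is a second condition on the existing addToCart trigger, read from
// the user-defined variable Cookiebot.consent.marketing (a "true"/"false" string, as in the guide).
var addToCartPixelRight = { triggers: [
  { conditions: [
    { variable: 'Event', op: 'equals', value: 'addToCart' },
    { variable: 'Cookiebot.consent.marketing', op: 'contains', value: 'true' }
  ] }
] };

// Constructed visit: a click before consent, then acceptance of marketing cookies, then a click.
var visit = [
  { event: 'addToCart',               variables: { 'Cookiebot.consent.marketing': false } },
  { event: 'cookieconsent_marketing', variables: { 'Cookiebot.consent.marketing': true } },
  { event: 'addToCart',               variables: { 'Cookiebot.consent.marketing': true } }
];
// firingEvents(addToCartPixelWrong, visit) -> ['addToCart', 'cookieconsent_marketing', 'addToCart']
// firingEvents(addToCartPixelRight, visit) -> ['addToCart']  (only the click after consent)
```

The wrong configuration fires the pixel on the pre-consent click and again on the consent event itself, with no click at all; the right one fires exactly once, on the click after consent.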

Quick side note: I’ve noticed that for all tags that use “Pageview” as a trigger (e.g., the Facebook Pixel base code) it’s better to use the new triggers we created earlier: Cookie Consent Marketing Trigger, Cookie Consent Preferences Trigger, Cookie Consent Statistics Trigger.

Step #3 It’s time to test it out.

Once you’re done with the tags, click “Preview mode” and go to your website. You should see a debug window with all your tags. Notice that only one tag was fired – the Cookie Consent tag. The remaining tags are listed under “Tags Not Fired On This Page.”

You can hide the debug window by clicking the small arrow on the right. Now you can see your cookie consent banner. At this point, everything is working correctly. Let me explain. I went to the website, and I can see the cookie consent window at the bottom. As we can see, none of the tags (besides cookie consent) were fired, which means my data has not been tracked.

Let’s see what is going to happen when I click on “Allow all cookies.”

All tags have been fired. Nice job, everyone! Now you can go back to your Google Tag Manager account, exit “Preview Mode” and publish all the changes.

We’ve been testing this Cookie Consent solution on different websites: blogs and e-commerce stores. That’s why you can see screenshots from different websites.

I hope that sheds some light on what the GDPR is and how to stay compliant. This is one of the ways you can become GDPR compliant. As I mentioned earlier, you are free to use any tools you want. If you found this guide helpful, please share it with your friends and colleagues.