GDPR & Cookie Consent


General Overview

The General Data Protection Regulation (GDPR) is legislation that was put into effect May 28, 2018 and aims to protect the personal data of EU consumers on the internet. Most people know GDPR from their constant interaction with “consent banners,” which ask you to approve or deny the use of cookies on the website you’re currently visiting.

These “consent banners” are a small part of a piece of software called a Cookie Consent Management Platform (CCMP). CCMPs scan your site, report on all the cookies they found, and attempt to categorize and define them within the software. Any cookies that the CCMP can’t categorize or define must be manually defined by the web admin.

Cookies typically fall into one of four categories:

  1. Necessary – needed in order for your site to be fully functional
  2. Preferences – improve UX on website (e.g. remembering language settings)
  3. Statistics – collect information about how visitors use a website (e.g. Google Analytics)
  4. Marketing – used to deliver more relevant ads to site visitors and their interests (e.g. Google Ads)

Ideally, only “Necessary” cookies deploy in a browser session until a response is given to the banner. If a user allows cookies, then cookies deploy. If not, then only “Necessary” cookies stay active during a user’s session.
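
To check the rule above on a real session, the following added example (not from the original post or from any CCMP vendor) audits the cookies present in a browser against the banner response, using the four categories listed earlier. The function names, the rule map and the sample cookie string are constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not a CCMP API.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Categories permitted for a banner state. `response` is null until the
// visitor answers the banner, then "allow" or "deny".
function permittedCategories(response) {
  return response === "allow" ? new Set(CATEGORIES) : new Set(["necessary"]);
}

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Map a cookie name to a category. Rule keys are exact names, or prefixes
// when they end in "*". Returns null for cookies no rule covers.
function classify(name, rules) {
  for (const [pattern, category] of Object.entries(rules)) {
    const prefix = pattern.endsWith("*") ? pattern.slice(0, -1) : null;
    if (prefix !== null ? name.startsWith(prefix) : name === pattern) return category;
  }
  return null; // uncategorized: the web admin has to define it manually
}

// Sort the cookies in a session into ok / violations / uncategorized.
function auditCookies(cookieString, rules, response) {
  const permitted = permittedCategories(response);
  const report = { ok: [], violations: [], uncategorized: [] };
  for (const name of cookieNames(cookieString)) {
    const category = classify(name, rules);
    if (category === null) report.uncategorized.push(name);
    else if (permitted.has(category)) report.ok.push(name);
    else report.violations.push({ name, category });
  }
  return report;
}

// Constructed sample: a rule map and the cookies seen before any response.
const SAMPLE_RULES = {
  session_id: "necessary", lang: "preferences",
  "_ga*": "statistics", _gcl_au: "marketing",
};
const SAMPLE_COOKIES =
  "session_id=abc; lang=en; _ga=GA1.2.1; _ga_XYZ=GS1.1; _gcl_au=1.1; mystery=1";
console.log(auditCookies(SAMPLE_COOKIES, SAMPLE_RULES, null));
```

Any entry under `violations` before a response is a script that still needs to be mapped to the banner, and any entry under `uncategorized` needs a manual definition.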

CCMP Deployment

The difficulty of implementing a CCMP varies widely: it depends on your website platform, its surrounding technology (e.g. HubSpot), and where scripts/cookies fire from on a site. CCMPs will give you a script to place on your site in order to display the banner. The moment you add this script, the banner appears, but you still need to configure scripts/tools to work with users’ responses to the banner (i.e. adding the banner doesn’t do anything to change the way cookies behave).

Configuration Techniques:

  1. Manual JS Mark-ups – Each CCMP has instructions on how to manually mark-up scripts on your site. This mark-up uses JavaScript to map cookies to banner responses.
  2. Google Tag Manager – Most scripts that use cookies are now controlled by GTM. There are specific instructions for each CCMP on mapping tags/triggers in GTM to banner responses.
  3. Auto-blocking Script – This is a separate script provided by CCMPs that blocks all cookies except for “Necessary” cookies until a response is given to the banner. Using this method is oftentimes needed to achieve 100% compliance, but it can also break certain elements of a site as well as negatively impact speed.

Additional Notes:

  • The majority of SMBs that have this implemented are not 100% compliant with GDPR or CCPA.
  • Getting to 100% compliance usually forces you to use a combination of the configuration techniques above, which often requires development help.
  • Most websites can achieve 70%+ compliance without an enormous number of hours (i.e. “reasonable compliance”).
  • Software is still evolving for cookie compliance, with countless companies creating their own solutions.

Current Issues:

  • Lots of troubleshooting is required and can turn into a “needle in a haystack” project to achieve 100% compliance.
  • Certain pieces of software or elements of a site do not respond to banner responses, which requires development help (e.g. HubSpot forms on a WP site).
  • Implementing a cookie consent policy and banner is complicated by the size of a client’s tech stack, their CMS, and the number of domains and subdomains they have.
  • This is a legal checkmark. It offers no tangible traffic, revenue, or lead benefits to a client.

Current State

HubSpot currently has a cookie banner that is very easy to set up in their CMS. It’s deployed on our site and the Fort Robotics site and has both companies at ~90% compliance with minimal work. However, it is currently limited to controlling only HubSpot cookies and those added to default backend integrations (e.g. Google Tag Manager, Facebook Pixel).

We just got access to a beta where HubSpot is launching their own scanner similar to other tools on the market such as Cookiebot (cheaper solution) and OneTrust (enterprise solution).

Where does that currently leave us?

  • We haven’t done a true implementation of this on a “PIC-friendly” client environment. At the moment, PIC is starting some testing with a more standard implementation of Cookiebot on a WP+HS site, and we are enrolled in the new HubSpot CCMP toolset that is in beta.
  • Clients on the HubSpot CMS can easily get a basic cookie banner deployed in a couple of hours similar to PIC and Fort (banners only show to EU users).
  • Clients that are not on a site built/managed by PIC don’t make for easy projects here (e.g. Lions Pride would be our responsibility; the responsibility for FCL should fall to Celerant).
  • These projects will get easier as we work more with them and as the toolsets continue to evolve.
