Fast GDPR compliance for your website: What is to be considered?
Due to the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, all websites must meet its requirements. If they do not, they face severe fines. For the particularly serious violations listed under Art. 83 para. 5 GDPR, the fine is up to EUR 20 million or, in the case of a company, up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.
Due to this change in the law, commercial providers developed cookie consent software. This enables the website provider to accept cookies
How effective are these commercial solutions, and what are their strengths and weaknesses? In this article we show this using the OneTrust software as an example.
Following a European Court of Justice judgment of 01.10.2019, every user must be able to give active consent to the setting of cookies. Previously, it was common for users merely to be able to deselect cookies. This is no longer permitted.
Cookies may only be set if users have previously consented.
OneTrust's cookie consent solution is fee-based software. The license can be purchased on a monthly or annual basis and costs 45 EUR / month per domain, regardless of company size. The OneTrust cookie solution is hosted in the EU.
According to the manufacturer, OneTrust offers the following features in this software solution:
The advantages of the OneTrust cookie consent solution
The legal requirements must be met, but in some cases the technical capacity for the necessary in-house development is not available. A further advantage of OneTrust's cookie consent solution is that the cookie layer can be integrated without a deployment; however, this requires tag management.
OneTrust offers not only a European solution but also consent solutions tailored to the respective countries. This is helpful for an international orientation.
Custom solution versus commercial solution.
The advantages of a custom cookie solution are generally these:
The disadvantage is primarily the high initial creation costs.
On the other hand, there are the advantages of the commercial consent solution:
In return, the running costs are constant: the license fee is charged per domain. The look and feel has to be accepted as delivered and usually does not match the corporate design of the website.
In principle, these points must be clarified and defined before integration:
For this purpose, the legal requirements must be clarified, such as
There are three ways to integrate the solution:
We would like to share with you the integration via tag management; Google Tag Manager was used.
In general, it is possible to integrate the software on a development system for testing. Unfortunately, there are two disadvantages. The first is that the documentation is only available once the license has been purchased, so the OneTrust cookie consent solution cannot really be embedded on a well-founded basis; you have to rely on the publicly available sources. There are a few of these, but their implementations do not conform to the recommended OneTrust integration.
In addition, all settings have to be redone after purchasing the license, because the test settings cannot be transferred to the licensed solution.
OneTrust first scans the site for the cookies used. The cookies can be viewed in the OneTrust cookie library "Cookiepedia".
There they are listed by purpose, and a definition is offered. It also shows on which pages the respective cookie is used.
OT offers the option of either automatic classification of cookies (Auto Scan) or manual classification.
The autoblock function sounds elegant at first. After scanning the cookies on the specified domain, OT assigns the cookies to pre-selected levels.
In our experience, however, integrating the autoblock script slows the loading of the page: the autoblock script is larger than 600 kb.
Another consideration is that autoblock only blocks the cookies that are found. This matters because the OT crawler cannot access password-protected test systems, so testing the cookies on test systems is limited. When the consent solution goes live on production systems, modules of the production system may interact with the OT consent banner, and the OT autoblock script then also blocks cookies that are necessary for essential functionality of the website (such as the search function). So when integrating the autoblock script you have to make sure that you always test all cookies of the production system, not only a small part of them.
Alternatively, the cookies can be assigned manually to the intended levels.
Usually three cookie levels are used:
The cookie consent can be created in several languages. By default, OT uses the browser's language setting. If you do not want this, because you use several languages per country, you can switch to the website's language setting. The translations must be supplied by you.
To test the setup, a test script can be included. It differs from the production script only by a minimal addition ("-test") after the license number in the script. The advantage of the test script is that changes are visible immediately; the production scripts need up to four hours until adjustments are published, because the scripts have to be changed on the production servers, which can take a little longer in the cloud.
Unfortunately, the test script is error-prone. You can see the adjustments, but other effects occur, such as the page not being covered by the transparent background overlay. After a varying amount of time this error was fixed again.
The script is pushed into the page via a tag and loads the OT script. The tag management system is always active but does not load any tags before the user has given consent. If the user selects certain cookie levels, the layer sets the corresponding cookie and pushes a custom event. The tag management system listens for the custom event and reads the cookies at that point. The tags released for the confirmed level are then activated.
It is important to adjust the triggers for the general PageView tag so that it does not fire before the user confirms. Since the cookies that indicate the selected level are set, in the loading order, after the PageView, the trigger must be adjusted accordingly.
All other tags must fire either by active selection of a cookie level or by exclusion. In the first variant a tag fires only if a certain cookie level has been selected; with exclusion, the tag fires only if a cookie level has not been selected.
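The following is an added example of the tag-management flow described above, written for this article and not taken from OneTrust or Google Tag Manager: nothing fires at page load, the consent layer writes a cookie and pushes a custom event, and only then are tags released by positive selection (a required level) or by exclusion (a level that must not be selected). The cookie name `consent_groups`, its `group:flag` value format, the level names and the `consent_updated` event are all constructed for this example; they are not the real OneTrust or GTM identifiers.

```javascript
// Added example: consent-gated tag firing. Cookie name, value format, group
// names and the "consent_updated" event are constructed for this example and
// are not OneTrust's or Google Tag Manager's real identifiers.

// Parse the granted consent groups out of a document.cookie-style string.
// Assumed format: consent_groups=essential:1,performance:0,marketing:1
function parseConsentGroups(cookieString, cookieName = 'consent_groups') {
  const granted = new Set();
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== cookieName) continue;
    const value = decodeURIComponent(rest.join('='));
    for (const entry of value.split(',')) {
      const [group, flag] = entry.split(':');
      if (flag === '1') granted.add(group);
    }
  }
  return granted;
}

// Minimal tag manager: a tag is registered with a required group (positive
// trigger) or an excluded group (exclusion trigger). Nothing fires until the
// consent layer has pushed its custom event, and the cookie is read only at
// that moment, because it is written after the page view has already happened.
class ConsentGatedTagManager {
  constructor(readCookies) {
    this.readCookies = readCookies;  // function returning the cookie string
    this.tags = [];
    this.fired = [];
    this.dataLayer = [];
  }
  addTag(name, { requireGroup = null, excludeGroup = null } = {}) {
    this.tags.push({ name, requireGroup, excludeGroup });
  }
  // Mirrors dataLayer.push(): the consent layer pushes {event: 'consent_updated'}.
  push(entry) {
    this.dataLayer.push(entry);
    if (entry && entry.event === 'consent_updated') this.evaluate();
  }
  evaluate() {
    const granted = parseConsentGroups(this.readCookies());
    for (const tag of this.tags) {
      if (this.fired.includes(tag.name)) continue;                 // fire once
      if (tag.requireGroup && !granted.has(tag.requireGroup)) continue;
      if (tag.excludeGroup && granted.has(tag.excludeGroup)) continue;
      this.fired.push(tag.name);
    }
    return [...this.fired];
  }
}

// Constructed walkthrough: the page loads with no consent cookie, the user
// decides, the layer writes the cookie and pushes the event.
function demo(cookieAfterConsent) {
  let cookieJar = '';                          // empty until the layer writes it
  const tm = new ConsentGatedTagManager(() => cookieJar);
  tm.addTag('PageView');                                     // needs only the consent event
  tm.addTag('Analytics', { requireGroup: 'performance' });
  tm.addTag('AdPixel', { requireGroup: 'marketing' });
  tm.addTag('FallbackPlaceholder', { excludeGroup: 'marketing' }); // exclusion trigger
  tm.push({ event: 'gtm.js' });                // page load: nothing may fire yet
  const firedBeforeConsent = [...tm.fired];
  cookieJar = cookieAfterConsent;              // consent layer sets the cookie ...
  tm.push({ event: 'consent_updated' });       // ... and pushes the custom event
  return { firedBeforeConsent, firedAfterConsent: [...tm.fired] };
}
```

The PageView tag is the one to watch: it has no group requirement, so the only thing keeping it from firing early is that it is bound to the consent event rather than to page load, which is exactly the trigger adjustment the text describes.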
If a cookie is set inside an iFrame, it cannot be controlled by tag management. This is the case, for example, with embedded YouTube videos.
We had to prevent the YouTube videos from being displayed in the iFrame immediately and the YouTube cookies from being set. We created an HTML-Toast around the iFrame to control it. The HTML-Toast loads a still image if the user has rejected the cookies. The still image, or the visual highlighting on top of it, must be clearly recognizable as a video placeholder. We added a play button as visual highlighting and a link that opens the cookie layer.
Here the user should be able to go directly to the cookie level "cookies for marketing purposes", select the appropriate cookie level and watch the video immediately.
This implementation requires frontend and UX capacity to enable clear communication.
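As an added example of the wrapper described above (written for this article, not the authors' own code), the rendering below is a pure function: without marketing consent it emits a placeholder with a still image, a play-button overlay and a link back to the consent layer, and never emits the iFrame, so no YouTube cookie can be set. The `marketing` group name, the `openCookieLayer(group)` hook and the poster image path are assumptions for the example and not OneTrust identifiers.

```javascript
// Added example: consent-gated YouTube embed. The "marketing" group name and
// the openCookieLayer hook are assumed for this example, not OneTrust's own.

// Only the 11-character YouTube id alphabet is allowed into the markup.
function safeVideoId(id) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(id)) throw new Error('invalid YouTube id');
  return id;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// With marketing consent: the real iframe. Without it: a placeholder that
// loads no third-party content, so no YouTube cookie is set. The placeholder
// carries the video id so it can be upgraded in place once consent arrives.
function renderVideoEmbed({ videoId, title, marketingConsent, posterUrl = '' }) {
  const id = safeVideoId(videoId);
  if (marketingConsent) {
    return `<iframe src="https://www.youtube.com/embed/${id}" ` +
      `title="${escapeHtml(title)}" allowfullscreen></iframe>`;
  }
  return `<div class="video-placeholder" data-video-id="${id}">` +
    `<img src="${escapeHtml(posterUrl)}" alt="${escapeHtml(title)} (video placeholder)">` +
    `<button type="button" class="video-play" aria-label="Play video">&#9654;</button>` +
    `<a href="#" class="open-consent" data-consent-group="marketing">` +
    `Allow marketing cookies to watch this video</a></div>`;
}

// Browser-side wiring: the play button and the link both open the consent
// layer at the marketing level (hypothetical openCookieLayer(group) supplied
// by the consent integration).
function bindVideoPlaceholders(root, openCookieLayer) {
  for (const el of root.querySelectorAll('.video-placeholder')) {
    const open = ev => { ev.preventDefault(); openCookieLayer('marketing'); };
    el.querySelector('.video-play').addEventListener('click', open);
    el.querySelector('.open-consent').addEventListener('click', open);
  }
}

// Called from the consent-updated handler once marketing consent is granted:
// swaps every placeholder for the real iframe without a page reload.
function upgradeVideoPlaceholders(root) {
  for (const el of root.querySelectorAll('.video-placeholder')) {
    const title = el.querySelector('img').alt.replace(/ \(video placeholder\)$/, '');
    el.outerHTML = renderVideoEmbed({ videoId: el.dataset.videoId, title, marketingConsent: true });
  }
}
```

The id check matters because the video id is the one value that ends up unescaped inside a `src` attribute; restricting it to the id alphabet keeps the placeholder from becoming an injection point, and the same function serves both the server-rendered and the upgraded markup.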
OneTrust's tool has some special features that you need to pay attention to. You should first analyze which cookies are used in which components; from this you can derive the effort required from the respective specialists. In any case, plan enough time for testing.
In general, you will need some technical capacity for the OT implementation because of these special cases. Until now, a deployment was also necessary.
Are you currently facing the challenge of evaluating and implementing a suitable consent solution for your company? We would be happy to support you!