Does my CMP effectively block/allow specific cookies and tags for all possible user-specified consent preferences?
Overview
It is important to make sure that your CMP (Consent Management Platform) is implemented correctly. If your CMP is not correctly implemented, you will not have a good overview of your compliance with domestic and international data privacy laws.
Implementation
- Identify (conceptually) every single consent scenario that you may wish to test for - the table below may provide an idea of how to go about this:
Scenarios to consider | Opt-In | Opt-Out | GPC (opt-out) | Default Consent Status (if not already covered) |
USA Site Visitor (CPRA) | ✅ | ✅ | ✅ | ✅ |
Europe Site Visitor (GDPR) | ✅ | ✅ | ✅ | ✅ |
- Create Audits for each scenario
  - Configure each Audit with the necessary settings and configurations in order to emulate each scenario
    - Region
      - Set the appropriate Proxy Location
    - Opt-In vs. Opt-Out
      - Pre-Audit Actions
      - GPC Signal
      - Default state of implied consent (no configuration needed for this scenario)
    - Domain
      - Choose the correct Starting URLs and apply inclusion/exclusion settings if needed
  - Example:
Audit Settings for each scenario | Opt-In | Opt-Out | GPC (opt-out) | Default Consent Status (if not already covered) |
USA Site Visitor (CPRA) | No additional settings required | Pre Audit actions that interact with the consent banner to opt-out | Toggle on GPC signal setting | No additional settings required |
Europe Site Visitor (GDPR) | Pre Audit actions that interact with the consent banner to opt-out | No additional settings required | Toggle on GPC signal setting | No additional settings required |
- Create Consent Categories
  - Define as many Consent Categories as are needed to cover all scenarios - you may wish to view the linked help doc on Consent Categories if you are unfamiliar with them
  - You can define these Consent Categories in whatever way makes the most sense to you and your testing purposes - here are a few examples that you could follow:
    - Mirror your Consent Manager Platform categorization (e.g. OneTrust, TrustArc)
      - Strictly Necessary
      - First Party Analytics
      - Performance
      - Functional
    - Create a Consent Category for Each Scenario
      - Opt in (USA)
      - Opt out (USA)
      - Opt in (Europe)
      - Opt out (Europe)
- Apply the appropriate consent categories to the appropriate Audits
  - Example:
Consent Categories applied to Audits | Opt-In | Opt-Out | GPC (opt-out) | Default Consent Status (if not already covered) |
USA Site Visitor (CPRA) | Strictly Necessary, First Party Analytics, Performance, Functional | Strictly Necessary | Strictly Necessary | Strictly Necessary/First-Party Analytics |
Europe Site Visitor (GDPR) | Strictly Necessary, First Party Analytics, Performance, Functional | Strictly Necessary | Strictly Necessary | Strictly Necessary/First-Party Analytics |
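Once every Audit has run, the table above can be checked mechanically. The Python sketch below is an added example, not code from this page or from the auditing product: it encodes the approved categories per scenario and reports any cookie or tag that is unapproved or uncategorized, as well as any scenario that has no Audit run. The names `CATEGORY_OF` and `SAMPLE_RESULTS`, and every cookie and tag name in them, are constructed assumptions.

```python
# Added example: all cookie/tag names and audit results below are constructed.
FULL = {"Strictly Necessary", "First Party Analytics", "Performance", "Functional"}
NECESSARY = {"Strictly Necessary"}
DEFAULT = {"Strictly Necessary", "First Party Analytics"}
# Approved categories per (region, consent state), from the table above.
APPROVED = {
    (region, state): cats
    for region in ("USA (CPRA)", "Europe (GDPR)")
    for state, cats in (("opt-in", FULL), ("opt-out", NECESSARY),
                        ("gpc", NECESSARY), ("default", DEFAULT))
}

# Hypothetical inventory: cookie or tag name -> consent category.
CATEGORY_OF = {
    "session_id": "Strictly Necessary",
    "fp_analytics": "First Party Analytics",
    "perf_timing": "Performance",
    "ui_prefs": "Functional",
}

def violations(scenario, observed):
    """List (name, reason) for every observed item not approved in the scenario."""
    approved = APPROVED[scenario]
    found = []
    for name in sorted(observed):
        category = CATEGORY_OF.get(name)
        if category is None:
            found.append((name, "uncategorized"))  # unknown items fail closed
        elif category not in approved:
            found.append((name, category + " not approved"))
    return found

def evaluate(results):
    """Check all eight scenarios; a scenario with no audit run is reported too."""
    return {
        scenario: violations(scenario, results[scenario]) if scenario in results
        else [("<no audit>", "scenario not tested")]
        for scenario in APPROVED
    }

# Constructed audit output: names seen in each scenario's run (Europe/gpc missing).
SAMPLE_RESULTS = {
    ("USA (CPRA)", "opt-in"): {"session_id", "fp_analytics", "perf_timing", "ui_prefs"},
    ("USA (CPRA)", "opt-out"): {"session_id", "perf_timing"},
    ("USA (CPRA)", "gpc"): {"session_id"},
    ("USA (CPRA)", "default"): {"session_id", "fp_analytics"},
    ("Europe (GDPR)", "opt-in"): {"session_id", "ui_prefs"},
    ("Europe (GDPR)", "opt-out"): {"session_id", "ad_pixel"},
    ("Europe (GDPR)", "default"): {"session_id"},
}
```

Calling `evaluate(SAMPLE_RESULTS)` returns one entry per scenario; an empty list means the CMP blocked everything it should have for that consent state.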
Data Privacy Law Information
Here are some useful links for information on GDPR, CCPA, and CPRA regulations:
- GDPR (General Data Protection Regulation):
- Official website: https://eur-lex.europa.eu/eli/reg/2016/679/oj
- Information and guidance for businesses: https://ec.europa.eu/info/law/law-topic/data-protection_en
- Overview and resources: https://gdpr-info.eu/
- CCPA (California Consumer Privacy Act):
- Official website: https://oag.ca.gov/privacy/ccpa
- Summary and explanation: https://iapp.org/resources/article/what-the-ccpa-means-for-consumer-privacy/
- Guidelines for businesses: https://oag.ca.gov/privacy/ccpa-businesses
- CPRA (California Privacy Rights Act):
- Official website: https://oag.ca.gov/privacy/cpra
- Summary and explanation: https://iapp.org/resources/article/what-is-the-california-privacy-rights-act-cpra/
- Guidelines for businesses: https://oag.ca.gov/privacy/cpra-businesses