Know the data privacy principles as stated on GDPR.eu
While there will be unique factors in all other legislation, these principles, in what is considered the more mature data privacy are an excellent foundation.
They are the following:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
It’s not just about the cookies
Cookies are just a piece of the digital marketer's technology toolset. Generally, data is passed through network requests which we commonly refer to as tags.
These tags typically carry much more data than a single cookie. They are commonly overlooked because cookie awareness is much higher than tag awareness. This is likely the result of cookie banners educating and promoting users to select their preferences (they aren't call "tag banners").
Tags and cookies generally have a parent-child relationship, so they often come in pairs, but there may be instances of cookies not being set, but network requests still fire carrying unauthorized data.
Make sure to monitor tags and other types of network requests with Consent Categories.
Prioritize the most common consent preferences
Ultimately your consent management solution should include some analytics on consent preferences. You should focus on simulating the most common consent preferences first.
Generally, fully opted in and fully opted out will be the 2 most common states. They will either be the skeptic that prefers not to be tracked and declines all or the supporter who enjoys the personalized advertising.
Both scenarios are equally important to test for, here’s why:
Fully Opted in:
You might think that because users opt in to tracking that this scenario poses low risk of non-compliance. However, in your privacy policy you likely state what kinds of tracking your visitors should expect. Permitting unauthorized and undisclosed vendors to collect information about your visitors is not only a betrayal of trust, but a violation of data privacy regulations.
Fully Opted Out:
This one is clearly important. If user decline all, we need to honor their choice. Users who “decline all cookies” or opt out of additional tracking expect only strictly necessary cookies and tags to be collecting their data.
For tags, this is generally your tag management system, consent management platform and a handful of other essential technologies that are critical to the functionality of your website.
For cookies, this generally means first party cookies that are critical for customer experience and functionality e.g. keeping authenticated users logged in, remembering where they were in the application process, etc.
Other combinations of user preferences:
Since visitors to your website generally don’t shop around for their favorite cookies and 3rd party tracking, these consent preferences should be far less common. They are generally all in or all out.
These other combinations should be less important to test because fewer site visitors would be impacted in the case of unauthorized cookies or tags. However, although a lower priority, you may eventually choose to prioritize testing these, just don't make the mistake of putting these before the most common consent preferences where you have the largest exposure if something is wrong.
Know the common causes of non-compliance
Explore our blog post discussing The 3 Biggest Weakness of Consent Management Platforms and educate yourself on the solutions we prescribe. Understanding them will help you in the steps to resolving potential exposure.
Resolving unauthorized tracking
After becoming familiar with the common causes described above, it’s time to understand how to solve them.
Hard coded and piggybacking tags can be identified in the tag initiators report. Once you have confirmed the root cause, you will modify your tag management system implementation or your website content accordingly.
For cookies, the cookie domain is generally the first clue to identify the root cause. Using the cookie domain, we recommend inspecting the tag initiators report for the matching vendor.
Some cookie origins are very obvious.
For example, the if you see a 3rd party cookie with a linkedin.com domain and you see a LinkedIn Ads tag, you can safely assume the tag is the cause.
Other cookie origins are not.
For example, a 3rd party cookie with a demdex.net domain would generally be associated with an Adobe Audience Manager tag.
Note: The cookie domain can be deceptive. Often 3rd parties are disguised as 1st party cookies. Google Analytics, for example, is notorious for having a 1st party cookie domain.
Just because it is displayed as a 1st party cookie does not make it essential!
Understand Cookie Attributes
Many understand the basic cookies attributes, but many are not familiar with the ones that most relate to privacy compliance.
Learn the definitions for these different cookie attributes as described in our Cookie Inventory Report.