Overview
It is important to make sure that your CMP (Consent Management Platform) is implemented correctly. If your CMP is not correctly implemented, you will not have a good overview of your compliance with domestic and international data privacy laws.
Implementation
Identify (conceptually) every consent scenario that you may wish to test for. The table below may give you an idea of how to go about this:
Scenarios to consider | Opt-In | Opt-Out | GPC (opt-out) | Default Consent Status (if not already covered) |
USA Site Visitor (CPRA) | ✅ | ✅ | ✅ | ✅ |
Europe Site Visitor (GDPR) | ✅ | ✅ | ✅ | ✅ |
Create Audits for each scenario
Configure each Audit with the necessary settings and configurations in order to emulate each scenario
Region
Set the appropriate location
Opt-In vs. Opt-Out
GPC Signal
Default state of implied consent (no configuration needed for this scenario)
Domain
Choose the correct Starting URLs and apply inclusion/exclusion settings if needed
Example:
Audit Settings for each scenario | Opt-In | Opt-Out | GPC (opt-out) | Default Consent Status (if not already covered) |
USA Site Visitor (CPRA) | No additional settings required | Pre Audit actions that interact with the consent banner to opt-out | Toggle on GPC signal setting | No additional settings required |
Europe Site Visitor (GDPR) | Pre Audit actions that interact with the consent banner to opt-out | No additional settings required | Toggle on GPC signal setting | No additional settings required |
Create Consent Categories
Define as many Consent Categories as are needed to cover all scenarios. You may wish to view the linked help doc on Consent Categories if you are unfamiliar with them.
You can define these Consent Categories in whatever way makes the most sense to you and your testing purposes - here are a few examples that you could follow:
Mirror your Consent Management Platform categorization (e.g. OneTrust, TrustArc)
Strictly Necessary
First Party Analytics
Performance
Functional
Create a Consent Category for Each Scenario
Opt in (USA)
Opt out (USA)
Opt in (Europe)
Opt out (Europe)
Apply the appropriate consent categories to the appropriate Audits
Example:
Consent Categories applied to Audits | Opt-In | Opt-Out | GPC (opt-out) | Default Consent Status (if not already covered) |
USA Site Visitor (CPRA) | Strictly Necessary/First Party Analytics/Performance/Functional | Strictly Necessary | Strictly Necessary | Strictly Necessary/First Party Analytics |
Europe Site Visitor (GDPR) | Strictly Necessary/First Party Analytics/Performance/Functional | Strictly Necessary | Strictly Necessary | Strictly Necessary/First Party Analytics |
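The check that this matrix implies, written out as an added example (not part of the original article or of any product): every request seen in a scenario is mapped to a Consent Category and flagged if that category is not approved for the scenario. The hostnames, the host-to-category mapping and the sample requests are constructed, and the Opt-In cell is read as all four categories.

```python
# Added illustration: hostnames, mapping and observations are constructed.
from urllib.parse import urlsplit

ALL = {"Strictly Necessary", "First Party Analytics", "Performance", "Functional"}
NECESSARY = {"Strictly Necessary"}
DEFAULT = {"Strictly Necessary", "First Party Analytics"}

# Approved categories per (region, scenario), taken from the table above.
ALLOWED = {
    (region, scenario): cats
    for region in ("USA (CPRA)", "Europe (GDPR)")
    for scenario, cats in {
        "Opt-In": ALL, "Opt-Out": NECESSARY, "GPC": NECESSARY, "Default": DEFAULT,
    }.items()
}

# Hypothetical mapping of request hosts to Consent Categories.
TAG_CATEGORY = {
    "www.example.com": "Strictly Necessary",
    "stats.example.com": "First Party Analytics",
    "perf.vendor.example": "Performance",
    "chat.vendor.example": "Functional",
}

def find_violations(region, scenario, request_urls):
    """Return sorted (host, category) pairs not approved for this scenario.
    Hosts missing from TAG_CATEGORY are reported as 'Uncategorized'."""
    allowed = ALLOWED[(region, scenario)]
    violations = set()
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower()
        category = TAG_CATEGORY.get(host, "Uncategorized")
        if category not in allowed:
            violations.add((host, category))
    return sorted(violations)

# Constructed requests, reused here as the observations for every scenario.
SAMPLE_RUN = [
    "https://www.example.com/",
    "https://stats.example.com/collect?v=1",
    "https://perf.vendor.example/rum.js",
    "https://pixel.unknown.example/p.gif",
]

if __name__ == "__main__":
    for key in ALLOWED:
        print(key, find_violations(*key, SAMPLE_RUN))
```

An uncategorized host is reported in every scenario, including Opt-In, because no Consent Category approves it.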
Data Privacy Law Information
Here are some useful links for information on GDPR, CCPA, and CPRA regulations:
GDPR (General Data Protection Regulation):
Official website: https://eur-lex.europa.eu/eli/reg/2016/679/oj
Information and guidance for businesses: https://ec.europa.eu/info/law/law-topic/data-protection_en
Overview and resources: https://gdpr-info.eu/
CCPA (California Consumer Privacy Act):
Official website: https://oag.ca.gov/privacy/ccpa
Summary and explanation: https://iapp.org/resources/article/what-the-ccpa-means-for-consumer-privacy/
Guidelines for businesses: https://oag.ca.gov/privacy/ccpa-businesses
CPRA (California Privacy Rights Act):
Official website: https://oag.ca.gov/privacy/cpra
Summary and explanation: https://iapp.org/resources/article/what-is-the-california-privacy-rights-act-cpra/
Guidelines for businesses: https://oag.ca.gov/privacy/cpra-businesses