How to be GDPR Compliant: Checklist and Consent Mode Tools

Phil Pearce
First published July 14th, 2022
Last updated April 8th, 2024
Save your business potentially millions by learning how to make your Google Tag Manager (GTM) GDPR compliant using consent tools.

Since its arrival, GDPR has shaken things up a lot for everyone who has a website. If you’re running a business online, you have to be much more conscious of how you handle data collection and storage, regardless of where you live and do business. Recently, Google arrived with an addition to Google Tag Manager to help mitigate some of the GTM GDPR issues. It’s called Consent Mode.

You might be rolling your eyes at the mention of Consent Mode. It’s fair to say that its usefulness has been limited in the past. But now, that all seems to have changed. Google has rolled out new features for Google Analytics 4 (GA4), and it’s probably a good time to look at Consent Mode again.

Let’s look at how consent mode’s tools can help you with GTM GDPR compliance. Go through this checklist and you’ll immediately know what to fix and how.

We created a webinar on this if you’d prefer to watch something. You can find our upcoming webinars on our LinkedIn and Meetup pages. Here is the recording:

Do you need a consent management platform? The answer is almost certainly yes. This is one of the most basic steps on the GDPR compliance checklist.

list of consent management platforms logos

Even if you aren’t quite sure what a consent management platform is, you’ve almost certainly encountered one. When a website asks you for your cookie preferences, it’s using a consent management platform. The tool alters the behaviour of cookies on a website based on the preferences of a user – so it’s not just a cookie banner.

Wondering how this all works? A consent management platform scans your website and builds a dynamic list of all the cookies you use, then allows or blocks each one according to the category the user has consented to.

If this setup does not work for you, you can create your own consent form using custom scripts. However, it’s generally considered easier to stick with a consent management platform.


There are lots of options for consent management platforms. You’ve probably run into some of the following:

  • CookieBot
  • OneTrust
  • TrustArc
  • Cookie Control

Of course, each of these options is different and has its own features. The one that you choose will depend on your website and your requirements.


Classifying cookies

If you’re using CookieBot or OneTrust, you’ve got two options for classifying cookies: auto and manual.

difference between auto and manual cookie classifying


Auto-block

With this feature, cookies are classified on the fly. There is no human involvement, and the system is completely automated. The system scans Cookiepedia to identify cookies before adding them to their respective buckets.

To put this into perspective, if the system picked up a Google Ads Remarketing tag, it would be added to the targeting bucket. Or, if the system picked up a Google Analytics tag, this would be added to the analytics bucket.


An important point!

If you’re using auto-block, make sure that you set your Google Tag Manager as ‘strictly necessary’. If you don’t do this, you’ll miss out on information about a chunk of traffic – roughly 2%.


Manual-block

With manual block, you categorize all your cookies yourself. It might sound like hard work and you may wonder why you would do it yourself when a system can do it for you. However, there are good reasons for going with Manual-block.

In our experience, autoblock can negatively impact site speed. Also, categorisation isn’t always perfect. For example, the Google Ads conversion cookie might be added to the remarketing bucket, but in reality, it’s a better fit for the performance bucket.


Do you use Google Tag Manager to deploy your cookie banner?

GTM is favoured by many businesses for deploying their cookie banners. But if you’re using auto-block, you’ll be unable to deploy the banner through GTM. The reason is that auto-block is synchronous: it must run before anything else on the page. GTM loads asynchronously, so a synchronous script can’t be injected through it.

If you do opt for the manual option and choose GTM for deployment, be warned that there is no prebuilt cookie banner. However, if you choose one of the consent management platforms in our earlier list, you’ll get a cookie banner as part of the software.


You first need to understand how GDPR fines work. In theory, an infringement can lead you to receive an eye-watering fine of up to €20,000,000. In reality, most fines won’t reach anything like this number. Instead, you’ll receive a fine of up to 4% of your annual global turnover.

Basically, the bigger your website, the more trouble you could find yourself in. If you have a larger userbase, there is greater potential for compliance issues and therefore larger fines. Let’s imagine that you receive a €5 fine for every user complaint. This can quickly add up, and if you’re not careful, you can receive a huge fine.

That’s why it’s important that you know how to be GTM GDPR compliant. You’ll need to make sure that your cookie banners and consent forms are working as they should be.


GDPR is all about permission

The legislation focuses on consent. If a user gives you consent for collecting their data, you’re free to do so. But if a user isn’t happy with you collecting their data, then you can’t (unless you want a hefty fine). However, consent isn’t all about cookies.

For example, a user might be creating an account on your site. Once you have their details, you’ll probably want to contact them through various means. But before you do so, you need to get their permission if you want to be strictly GDPR compliant.

This usually takes the form of a tick box (i.e., the user ticks a separate box for each form of contact: email, phone, etc.). For a tick box to be compliant, it must be unticked by default.

You also need to make sure that agree and reject buttons are given the same treatment. You might want a user to accept all your cookies, but you can’t rig the system to get the result you want. This means that you can’t, for instance, have an agree button that is easy to see and click, and a reject button that is small and difficult to find.



Floating footers

This banner typically slides up from the bottom of the screen and often includes one or two clickable options. You’ll generally see floating footers on sites that focus less on the consumer, such as B2B websites.

example of floating footer cookie banner

Floating footers are becoming much less common, as many businesses opt for a banner with more compliance options.


Cookie walls come with a variety of consent options and allow users to choose settings for each category of cookie.

Example of Cookie Walls

Watch out! It’s easy to make mistakes with this sort of cookie banner. Remember, to be compliant, both reject and allow options need to be equally easy to click. If you look at the image above, you’ll notice we’ve intentionally included a mistake. We’ve neglected to include a reject option and haven’t made the buttons the same colour.

To be strictly compliant, you must include a reject option and give it the same visual weight as the allow option.

Known issues implementing GTM GDPR with CookieBot

There are a few issues associated with implementing CookieBot with Google Tag Manager. Let’s go through a couple of these issues and talk about the solutions to them.


If you’re adding CookieBot using GTM, Google recommends using a trigger called Consent Initialized.

However…

It doesn’t work. Instead, you’ll need to trigger on CookieBot’s cookie_consent_update data layer event. This event only fires after the user’s choice has been written to the consent cookie.

Consent Initialized feature of google tag manager


CookieBot is configured per domain and sub-domain. This means that you need to add a complete list of all your sub-domains. If you don’t, your cookie banner won’t appear on those sub-domains, and because your tags wait for consent, you won’t receive any tracking information from them.

The easiest solution to this problem is to add CookieBot’s whitelist of domains to your list of exceptions. For everything else, push a cookie_consent_update event yourself. This way, there is no risk of a tracking outage.

cookiebot catch


Using multiple (different) banners on the same site

Of course, GDPR isn’t the only piece of legislation that you need to be wary of. Users from California are covered by the California Consumer Privacy Act (CCPA). To be compliant, you’ll need a way of adjusting your cookie banner based on a user’s location.

Why? Because CCPA has different requirements than GDPR. GDPR allows a user to choose whether or not they consent to cookies, whereas with CCPA, a user has control over whether their data is sold.

So, depending on their location, a user should see:

  • EU – Both an accept and reject cookies option.
  • California – A ‘Do not sell my data’ option.
  • Rest of the World – Standard cookie choices with no reject option.

script for cookie declaration

You can alter cookie options within Google Tag Manager using the CookieBot template, although it will need a few tweaks first. As seen in the image above, you’ll need to make several changes to the standard CookieBot template.

CookieBot Template in Google Tag Manager


If you’d prefer a simple way of getting around this, you can use our free template. Email us at hello@measuremindsgroup.com, and we’ll send it over to you.


An important note!

There is a feature called ‘domain groups’ in CookieBot, which allows you to set different banner configurations. If you use this, make sure that you don’t add any domains within the domain groups list. If you do, you’ll find yourself being charged twice.


Remarketing should be a focus

Lots of businesses carry out remarketing. This means that you’re sending data to a third-party platform such as Facebook or Google Ads. However, if you’re using data from European users without consent, you’re non-compliant.

List of Remarketing Networks

It’s important to note that this is more targeted at B2C businesses, as the legislation focuses on protecting consumers.


What about Google Analytics?

You might have noticed that Google Analytics is listed as a remarketing network. You’re probably wondering why. After all, what does GA have to do with remarketing? Well, there is an option to use the GA first-party tracking pixel for remarketing. This isn’t the default setting, and you’ll need to tick a box to enable this.

It goes without saying that you need to be careful with this setting. The moment that you start sending any user data to other parties, you need consent.

One solution is to use GA only for analytics. To do so, you’ll need to go to ‘Admin’ > ‘Data Settings’ > ‘Data Collection’. From here, you can enable or disable remarketing settings.

Another solution is Consent Mode. It helps with GTM GDPR compliance because Consent Mode overrides these settings according to the user’s consent choice, so you don’t have to go to the trouble of disabling them yourself.


Watch out for privacy hunters

Worryingly, there are ‘privacy hunters’ looking for sites that are failing to be GDPR compliant. If you’re using GA3, you should make sure that you also turn on IP anonymization (which is already the default in GA4). An IP address is personal data, so collecting it without a lawful basis can put you in breach of GDPR.


The five storage types

Google hasn’t necessarily made cookie classification any easier. If things weren’t complicated enough, Google has added five new categories (storage types) for cookies. Each maps to one of four groups: remarketing, analytics, functional, and necessary. Below are Google’s five storage types alongside the groups they are mapped to.

  • ad_storage AKA Remarketing
  • analytics_storage AKA Analytics
  • functionality_storage AKA Functional
  • personalization_storage AKA Analytics
  • security_storage AKA Necessary

If you intend to use Consent Mode, it needs to be switched on from the development container in GTM. To access this, head to GTM > Accounts > Container > Admin.

container settings in google tag manager

This will allow you to go into any tag and add it to its respective bucket, e.g. analytics or remarketing.

A tag could even be in two buckets at once. This would be the case with GA remarketing (which would be placed into both analytics_storage and ad_storage). For this sort of tag to fire, you’ll need to select ‘allow’ on ad_storage.

There are a couple of things to note in this situation. The first is that if you’re using a custom JavaScript tag to invoke a Hotjar push event, it will require analytics consent. For this reason, it’s better to choose ‘Not set’ in the consent settings for certain scripts.

A good example of this would be an HTML5 video listener. This doesn’t store cookies or set any HTML5 local storage, but it does push data layer events. If you assign it a consent bucket with Consent Mode switched on, the tag is held back whenever that consent is denied, and the custom script stops working correctly.
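As an added example (not code from the article, CookieBot or Google), here is how a custom HTML tag in GTM could bridge the cookie_consent_update event from the CookieBot section above into the five storage types just listed: a denied default first, then an update mapped from CookieBot’s categories using the article’s groups. The shape of CookieBot’s consent object (boolean preferences, statistics and marketing fields) is an assumption.

```javascript
// Added example, not the article's or CookieBot's own code. Bridges a CookieBot
// banner (deployed via GTM) into Google Consent Mode: a denied default for all
// five storage types, then an update built from CookieBot's categories when its
// cookie_consent_update dataLayer event fires. Assumed: CookieBot's consent
// object has boolean preferences / statistics / marketing fields.

// Stand-in dataLayer so the snippet also runs outside a browser.
const dataLayer = (typeof window !== "undefined" && window.dataLayer) || [];
function gtag() { dataLayer.push(arguments); }

// Map CookieBot categories onto Google's storage types using the article's
// groups: marketing -> Remarketing (ad_storage), statistics -> Analytics
// (analytics_storage and personalization_storage), preferences -> Functional
// (functionality_storage); security_storage is strictly necessary, so always granted.
function consentFromCookiebot(consent) {
  const state = (allowed) => (allowed ? "granted" : "denied");
  return {
    ad_storage: state(consent.marketing),
    analytics_storage: state(consent.statistics),
    personalization_storage: state(consent.statistics),
    functionality_storage: state(consent.preferences),
    security_storage: "granted",
  };
}

// Default before the banner has an answer: deny everything except strictly
// necessary storage, and hold tags briefly while the CMP loads.
function setConsentDefault() {
  const defaults = {
    ad_storage: "denied",
    analytics_storage: "denied",
    personalization_storage: "denied",
    functionality_storage: "denied",
    security_storage: "granted",
    wait_for_update: 500, // milliseconds
  };
  gtag("consent", "default", defaults);
  return defaults;
}

// Handler for the GTM trigger on CookieBot's cookie_consent_update event.
// Returns the update it sent so the result can be checked.
function onCookiebotUpdate(cookiebotConsent) {
  const update = consentFromCookiebot(cookiebotConsent);
  gtag("consent", "update", update);
  return update;
}

setConsentDefault();
```

In a real container the default call belongs in a tag that fires on Consent Initialization, before any tag that reads consent.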


Classification overview

Wouldn’t it be much easier if you could view all cookies together, alongside the category they’ve been assigned to? Well luckily, with GTM you can! You can do this by viewing the Consent Overview report.

This handy report becomes available as soon as you activate consent mode, and it comes filled with information about your cookies. Cookies are separated into two lists, those that have, and have not been added to buckets.

screengrab of consent overview in google tag manager

Many users find themselves confused about the ‘Built-in Consent’ field in the table. On the surface, this field doesn’t seem to tell you all that much. Essentially, it tells you that the tag reads the consent value for itself and adjusts its own behaviour; it does not mean GTM is preventing the tag from setting a value.

To give some context, let’s imagine that there is a Google Ads conversion tag. This needs to be set as analytics_storage if you are treating conversions as performance cookies.

There is also some confusion surrounding the categorization of Google Ads Conversion and Remarketing tags. These affect the Google Ads conversion pixel, which is used to store a GCLID cookie on a landing page. It’s recommended that analytics_storage be assigned to the Conversion tag, and that ad_storage be assigned to the Remarketing Tag.


Want to be sure that your website is GTM GDPR compliant?

An easy way of checking if your website is fully GTM GDPR compliant is by using CookieBot’s compliance checker. This tool is free and quickly gives you the information that you need.


Filling the data gap

As we’ve touched on, more and more people are becoming aware of their data and how it’s being used. And as this awareness grows, people are becoming less willing to consent to data collection. The data bears this out: the number of people consenting to cookies has fallen.

This leaves us with a growing data gap. How do we gather information about users who don’t give consent? Well, if we want to remain GDPR compliant, we can’t. But this doesn’t mean we can’t gather any information. Once again, GTM Consent Mode comes to the rescue. Consent Mode tools can upscale (model) this missing data from the consented traffic, helping us to fill in the gaps.

cookiebot graph showing people's interaction with consent mode

It’s useful to have an idea of the number of people opting out of data collection. CookieBot again comes in handy, with a graph showing how users are responding to your consent banner.

Looking for another way of keeping an eye on opt-outs? One useful metric is the number of clicks through Google Ads vs the number of PPC sessions. If you’re receiving lots of clicks but not as many sessions, there is a clear problem. This is where Consent Mode comes in handy, letting you rescale to fill the void left by these missing sessions.


GTM GDPR checklist

So, we’ve established how consent mode tools and cookie banners play an important role. But how can you make sure that your business is fully GTM GDPR compliant? We’ve put together a checklist to set you on the right path.


1. Know who’s accountable

The first step should involve talking to your board. They should know exactly what GDPR means for your business. This shouldn’t just involve talking about positives. You’ll need to address the negative implications of the legislation, too.

At the end of this process, your director should have taken responsibility for GDPR, and resources should have been allocated correctly.


2. Know the scope of GDPR

Once support has been obtained from the board, you need to start looking at the whole of your organization. Which aspects of your business fall under the jurisdiction of GDPR, and what steps can you take for compliance? You may need to employ a data protection officer at this stage for additional advice.


3. Assess your data

Now is the time to look at the data collection of your organization. What data are you collecting and how is it being used? You need to establish a lawful basis for collecting data.


4. Know the risks

A major part of being GTM GDPR compliant is preparing for, and responding to, data breaches should they occur. Take the time to prepare for this sort of event by knowing the risks. What could go wrong? Are there any measures you can put in place to make your data more secure? Make sure you have a procedure for notifying customers should data be leaked.


5. Update your procedures

This is the time to carry out a full analysis of your entire system. Are there any areas that aren’t currently GDPR compliant? What can you do to sort these issues? You should also take the time to update procedures and ensure that they are GDPR compliant. You may need to bring in some new processes for full compliance.


6. Consider data processing

A key element of GDPR is ensuring appropriate technical and organisational measures to protect data. You’ll need to put together an information security policy to ensure that you’ve addressed risks to your system.


7. Train Your Staff

It’s all well and good to have the right procedures and systems in place, but your staff need to be aware of GDPR, too. The legislation is extremely complex and can be difficult to wrap your head around. It’s important that staff have an understanding of how GDPR affects their day-to-day work, and what they can do to ensure compliance.


8. Identify and remove PII from Google Analytics

Google Analytics is an incredibly useful tool. However, you could find yourself accidentally storing Personally Identifiable Information. We made a great tool and guide on how to identify and remove PII from Google Analytics.
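One client-side way to tackle step 8, as an added example that is not the tool the article refers to: scrub obvious PII from the page URL before it is sent to Google Analytics as page_location. The list of PII-looking parameter names and the gtag() call shape are assumptions.

```javascript
// Added example, not the article's tool. Redacts PII from a URL before it is
// passed to GA: query parameters whose names suggest PII are blanked, and any
// email address in the path, query or fragment is replaced. The parameter list
// is a constructed starting point; extend it for your own forms.
const PII_PARAMS = new Set([
  "email", "phone", "tel", "firstname", "lastname", "address", "postcode",
]);
// Matches user@host.tld with the "@" either literal or percent-encoded (%40).
const EMAIL_RE = /[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function scrubPii(urlString) {
  const url = new URL(urlString);
  // Keep the key so campaign reports still see the parameter, but drop its value.
  for (const key of Array.from(url.searchParams.keys())) {
    if (PII_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, "REDACTED");
  }
  // Email addresses can hide in paths (confirmation pages) or fragments too.
  return url.toString().replace(EMAIL_RE, "REDACTED");
}

// Wrap the GA page_view so every hit passes through the scrubber.
// gtag is injected so the function can be exercised without a real GA tag.
function trackPageView(gtag, urlString) {
  const clean = scrubPii(urlString);
  gtag("event", "page_view", { page_location: clean });
  return clean;
}
```

Run the scrubber on the same URLs that feed page_referrer as well; referrers from your own confirmation pages carry the same PII.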


Review your compliance

GTM GDPR compliance is an ongoing process. It’s not hard to see how a small shift in a process can mean that you are no longer compliant. It’s also important that you make sure any new procedures are compliant.

The best approach is to review your organization regularly and make sure that you are GDPR compliant. If you’re struggling to do this or don’t have the time, then we can help you. Get in touch with us and we can provide solutions at speed.
