Please note that this information on consent management is current as of Q1 2023. We will do our best to continue to update as we get more and more information.
Also, a friendly reminder that this article's perspective is simply that: our opinion. It's based on decades of experience in web publishing. It is not legal advice.
(It's also fairly technical, so if you need a plain language translation please connect).
What is Consent Management for Content Creator Platforms?
As laws protecting privacy have been launched at various places around the world, the need to keep up with them has become a required part of digital media publishing.
The two critical geographies that affect digital publishers are:
- California, USA (under the CCPA regulations)
- The European Union (the GDPR regulations).
- The UK has its own set of laws, but they are designed to closely replicate GDPR, so for compliance purposes it makes sense to approach them as the same set of rules.
What Happens Due to Lack of Consent Management Compliance
Lack of compliance opens publishers up to lawsuits, fines, or other enforcement punishments. It also opens the door for Alphabet to restrict or refuse access to Google's ad network and advertising tools, which would have a negative monetary impact on ad serving across the individual site, the publisher’s network, or even the entire network of vendors serving ads.
CCPA Regulations For Content Creator Platforms
However, California residents have the right to opt-out through a standard process. This process must be made available by the publisher and has two requirements:
- A link at the bottom of every page that says “Do Not Sell My Personal Information” that, when clicked, gives the user the ability to opt out of targeting and tracking.
Both of these links must be present and functional for California residents, and any UX that makes them difficult to find or use is also prohibited. Whether this applies to them when they are physically located outside of California is up for debate. The technical means for identifying whether they are within the state of California (e.g., GeoIP technology that looks up their IP address, location sharing from their mobile device, etc.) are outside the scope of the written regulations and are likely to be decided by the courts through various attempts to enforce the regulation.
The conservative approach for a publisher, outside of simply never tracking users at all and requiring that their advertisers not track them, is to display these links to all users of the publisher's websites, which avoids the need to detect which users count as California residents. A more standard approach we have seen is for publishers to use GeoIP-based detection to offer the functionality either to consumers within the United States or, more restrictively, only within whatever the GeoIP detection tool detects as California.
The GDPR regulations apply to anyone operating within the European Union and take a more conservative approach to tracking: consumers cannot be tracked unless they knowingly and explicitly grant permission to be tracked and targeted. The rules around the wording of the links and the mechanisms of detection are not as explicitly laid out, which leads to a lot more opportunity (and ambiguity) on what is acceptable.
The main complexity in handling GDPR is the order of operations problem of how to handle analytics and advertising before a user has granted or rejected permission. When a page loads, it is possible to load ads on it with targeting disabled and make some money, but then you may need to wait another 30 seconds before loading targetable ads.
Additionally, Google Analytics (and most other analytics platforms) default to leaving a cookie to be able to stitch Pageviews together into Sessions and Sessions together into Users. If you fire Google Analytics before Consent is granted, then you need to do it without tracking cookies, which artificially inflates Users and Sessions. If you fire it after Consent is granted only, then you may deflate Pageviews, Users and Sessions, but the numbers are more relevant to who actually agreed to engage with your content, so this is the Organic standard structure.
User Interface Requirements For Content Creator Platforms
GDPR provides a few requirements for how the user interface has to appear when collecting consent:
- There has to be a categorization of what types of cookies are used by the site, based off of a preset list of purposes:
  - Strictly Necessary (cannot be rejected)
- It has to be just as easy to Reject the cookies as it is to Accept them. If this requirement is not met then the consent dialog is considered a “Cookie Wall” which is against the rules.
- After consent has been granted, there has to be an easy to use mechanism to revoke consent.
- If the user has rejected cookies, then the system must not ask them again to accept cookies unless:
  - The cookie list has changed materially (there are new cookies)
  - Or at least six months have passed
The consent manager is allowed to drop a cookie to indicate that the user has made their decision and this cookie falls within the “Strictly Necessary” category. This is to support the “six month” requirement above.
Beyond that, the publisher is required to keep a record of when the consent dialog was shown, which version of it was shown, what messaging was included, and what the user’s decision was in a centralized database that can be made available for audits.
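The re-prompt rule and the audit record described above can be expressed as a small decision function. This is an added example, not code from OneTrust or Organic Ads; the field names, the `cookieListVersion` value and the use of the dialog timestamp as the decision time are assumptions.

```javascript
// Added example; field names and record shape are assumptions, not a vendor API.
const DECISIONS = ['accept', 'reject'];
const REPROMPT_MONTHS = 6; // "at least six months"

// Audit entry: when the dialog was shown, which version, what messaging,
// and what the user decided. cookieListVersion is added to detect list changes.
function buildAuditRecord({ shownAt, dialogVersion, cookieListVersion, messaging, decision }) {
  if (!DECISIONS.includes(decision)) throw new Error(`unknown decision: ${decision}`);
  return Object.freeze({
    shownAt: new Date(shownAt).toISOString(),
    dialogVersion, cookieListVersion, messaging, decision,
  });
}

// Earliest moment a user who rejected may be asked again.
function repromptDue(shownAtIso) {
  const due = new Date(shownAtIso);
  due.setUTCMonth(due.getUTCMonth() + REPROMPT_MONTHS);
  return due;
}

// `stored` is the parsed "decision made" cookie, or null when it is absent.
function shouldPrompt(stored, currentCookieListVersion, now = new Date()) {
  const valid = stored && DECISIONS.includes(stored.decision) &&
    !Number.isNaN(Date.parse(stored.shownAt));
  if (!valid) return { prompt: true, reason: 'no-valid-decision' };
  // Assumption: a changed cookie list re-prompts accepted users as well.
  if (stored.cookieListVersion !== currentCookieListVersion) {
    return { prompt: true, reason: 'cookie-list-changed' };
  }
  if (stored.decision === 'reject' && now >= repromptDue(stored.shownAt)) {
    return { prompt: true, reason: 'six-months-elapsed' };
  }
  return { prompt: false, reason: 'decision-still-valid' };
}

// Constructed sample: a rejection recorded on 2023-01-15 against cookie list "v3".
const sampleRecord = buildAuditRecord({
  shownAt: '2023-01-15T10:00:00Z',
  dialogVersion: 'dialog-7',
  cookieListVersion: 'v3',
  messaging: 'We use cookies for analytics and advertising.',
  decision: 'reject',
});
console.log(shouldPrompt(sampleRecord, 'v3', new Date('2023-03-01T00:00:00Z')));
```

A malformed or tampered decision cookie is treated the same as a missing one, so the dialog is shown again rather than silently honoring an unreadable value.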
Best Practices For Setup
One partner for consent management is OneTrust, and it is offered as an easy out-of-the-box integration within publishing platforms like Organic Ads. Alternatively, if a customer has a consent manager of their own that is compliant with all of the above requirements, then Organic Ads can be rolled out alongside that consent manager with no extra effort.
Organize OneTrust into three different regions:
- United States - we default to include the entirety of the United States as a CCPA region so that we can safely offer the opt-out process to California residents even in the event that GeoIP technology misplaces them outside of California.
- Europe (including Great Britain) - we treat all consumer requests that are geo-fenced into Europe as if they fall under GDPR compliance requirements and offer them the opt-in approach.
- Global - this covers all other geographic locations and in these regions we configure OneTrust to provide a Cookie Information dialog that explains to the users which cookies are being used and what for, but does not provide any controls for the user to adjust their experience.
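The three-region setup, combined with the order-of-operations point from the GDPR section, amounts to the gating logic sketched below. This is an added example, not OneTrust or Organic Ads code; the country set (EU member states plus GB), the model and tag names, the strict fallback for a failed GeoIP lookup, and disabling cookie-based analytics after a US opt-out are all assumptions.

```javascript
// Added example; the country set, model names and tag names are assumptions.
// EU member states plus GB. The real geo-fence is configured in the consent manager.
const OPT_IN_COUNTRIES = new Set(('AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT ' +
  'LV LT LU MT NL PL PT RO SK SI ES SE GB').split(' '));

// Map a GeoIP country code to one of the three regional rule sets.
function consentModelFor(countryCode) {
  // Assumption: a failed or malformed lookup gets the strictest (opt-in) rules.
  if (typeof countryCode !== 'string' || !/^[A-Za-z]{2}$/.test(countryCode)) {
    return 'opt-in';
  }
  const cc = countryCode.toUpperCase();
  if (OPT_IN_COUNTRIES.has(cc)) return 'opt-in';
  if (cc === 'US') return 'opt-out'; // whole United States, not only California
  return 'info-only';
}

// Decide what may load. `decision` is 'accept', 'reject', or null (no answer yet).
function tagPlan(model, decision) {
  switch (model) {
    case 'opt-in': {
      const consented = decision === 'accept';
      return {
        ui: decision === null ? 'consent-dialog' : 'preferences-link',
        untargetedAds: !consented, // revenue is still possible without consent
        targetedAds: consented,
        analyticsWithCookies: consented, // fire analytics only after consent
      };
    }
    case 'opt-out': {
      const optedOut = decision === 'reject';
      return {
        ui: 'opt-out-link', // footer link on every page
        untargetedAds: optedOut,
        targetedAds: !optedOut,
        analyticsWithCookies: !optedOut,
      };
    }
    case 'info-only':
      return { ui: 'cookie-info-dialog', untargetedAds: false,
        targetedAds: true, analyticsWithCookies: true };
    default:
      throw new Error(`unknown consent model: ${model}`);
  }
}

console.log(tagPlan(consentModelFor('FR'), null));
```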