Initiating a Website Consent Compliance Scan
Privado's Consent Compliance allows organizations to test their Consent Management Platform (CMP) and Global Privacy Control (GPC) setups.
Navigate to "Consent Compliance" > Select "Add New Website".
From "Add New Website" you can enter the website URL, a nickname, and the regional locations you'd like simulated for the consent compliance check.
Once all information is entered, select "Scan".
A scan will be initiated on the chosen website to check it against the regional requirements for each regional location selected.
Default Settings and Rescan Cadence
Navigate to "Consent Compliance" > "Settings" in the upper-right hand corner of the UI.
Here you can select the default regions to scan when initiating a Consent Compliance scan. You can also set the rescan cadence for websites:
Manually (Default Setting)
Weekly
Monthly
The scan cadence is based on the date of the last scan of each website, so the rescan date can differ per website domain/URL depending on when you last scanned it.
For example, if you set the schedule to weekly and scanned one website on Tuesday and another on Wednesday, each would rescan on that same day of the following week.
Bulk Rescan
You can rescan websites in bulk by selecting the check-box next to each website you wish to rescan.
You can also select all by clicking the top-most check-box next to "URL" in the column header. If you've scanned more than 15 URLs, Privado will prompt you when selecting all to choose between only the 15 visible URLs or all URLs. You can then rescan or delete your selection.
Reviewing Scan Results
Once your website scan has completed, you can review the issues (if any) called out by regional jurisdiction.
Privado tests the CMP by acting as a data subject browsing the website from each region you selected to be simulated.
Work with your web-development and marketing teams to take action: remedy the cookies, update your privacy policy in accordance with what your website is truly tracking and for which purpose, or both.
Opt-In Consent Compliance - GDPR (EU), PIPL (China) Tests - CMP Cookie Blocking/Banner Present:
Ensures that the Consent Management Platform (CMP) banner on websites functions correctly by simulating various user interactions and verifying the expected behavior, with a focus on third-party cookie handling.
CMP Banner - Evaluates if CMP Banner is present
Verifies if the CMP banner appears prominently upon loading the website.
No Consent - Checks if the banner remains visible if no action is taken and if third-party cookies are dropped.
If no action is taken on the banner, it should persist until dismissed by the user or until the user interacts with it, ensuring users have sufficient time to review the options. Importantly, third-party cookies should not be dropped during this time, maintaining user privacy.
Reject All - No third-party cookies should be dropped.
Validates the disappearance of the banner upon selecting "Accept All Cookies."
Selecting "Reject All Cookies" should result in the banner disappearing, and the website should not load the rejected cookies. Again, third-party cookies should not be dropped, aligning with the user's preference for enhanced privacy.
No third-party cookies should be dropped. Review and remove the third-party cookies flagged by the issue.
Essentials Only - No third-party cookies should be dropped.
Validates the disappearance of the banner upon selecting "Essentials Only"
Selecting "Essentials Only" should also result in the banner disappearing, and the website should not load the rejected cookies. Again, third-party cookies should not be dropped, aligning with the user's preference for enhanced privacy.
No third-party cookies should be dropped. Review and remove the third-party cookies flagged by the issue.
Opt-out Consent Compliance - CPRA (California), CPA (Colorado) Test - GPC & Cookies:
Ensures that websites honor the Global Privacy Control (GPC) signal set by users in their browsers, indicating their preference to opt-out of data collection and tracking by third-party services. The policy evaluates both cookie compliance and network request compliance regarding the GPC signal.
Cookie Compliance (GPC Opt-Out) - Evaluates third-party cookies when the GPC opt-out signal is set by the user
Ensure third-party cookies are not dropped in alignment with user's privacy preference
Cookie Compliance (Cookie Opt-Out) - Evaluates third-party cookies when a traditional cookie-based opt-out signal is set by the user
Ensure third-party cookies are not dropped in alignment with user's privacy preference
Network Requests Compliance (GPC Opt-Out) - Evaluates third-party network requests when the GPC opt-out signal is set by the user
Third-party network requests should be blocked. This prevents data collection and tracking by third-party services, respecting the user's choice to opt out of such practices.
Network Requests Compliance (Cookie Opt-Out) - Evaluates third-party network requests when a traditional cookie-based opt-out signal is set by the user
Third-party network requests should be blocked. This prevents data collection and tracking by third-party services, respecting the user's choice to opt out of such practices.
PIPEDA (Canada) Test - Banner Present & Opt-out Essential Cookies Only
CMP Banner - Evaluates if CMP Banner is present
Verifies if the CMP banner appears prominently upon loading the website.
Opt-out - Evaluates cookies when the user has opted out of all cookies except Essential Cookies
No third-party cookies should be dropped.
Validates the disappearance of the banner upon selecting "Essentials Only"
When a data subject opts out, the banner should also disappear, and the website should not load the rejected cookies. Third-party cookies should not be dropped, aligning with the user's preference for enhanced privacy.
No third-party cookies should be dropped. Review and remove the third-party cookies flagged by the issue.
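The opt-in and opt-out checks above all reduce to two questions a scanner has to answer: did the visitor signal an opt-out (by GPC or by a cookie), and which of the cookies and requests observed afterwards belong to a third party? The following is an added example, not Privado's code, that answers both in Node.js. It detects GPC through the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property, reads a cookie-based opt-out from the IAB US Privacy string in the `usprivacy` cookie (the third character is the opt-out-of-sale flag), and classifies observed cookies and request URLs as first- or third-party. The hostnames, cookies and requests are constructed sample data, and the registrable-domain logic is a simplification that does not consult the Public Suffix List.

```javascript
// Added example (not Privado's code): resolve a visitor's opt-out signals and
// list the third-party cookies and requests that should not have appeared.
// All hosts, cookies and URLs below are constructed sample data.

// Registrable-domain approximation: the last two labels of a host. This is a
// simplification (no Public Suffix List), so "example.co.uk" would be
// misclassified; use a PSL-backed helper in production.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

function isThirdParty(host, firstPartyHost) {
  return siteOf(host) !== siteOf(firstPartyHost);
}

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// GPC arrives server-side as the "Sec-GPC: 1" request header and is exposed
// to page scripts as navigator.globalPrivacyControl === true.
function gpcSignalled({ headers = {}, navigatorLike = {} }) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  return lower['sec-gpc'] === '1' || navigatorLike.globalPrivacyControl === true;
}

// Cookie-based opt-out: IAB US Privacy string such as "1YYN" in the usprivacy
// cookie; character 3 is the opt-out-of-sale flag ("Y" = opted out).
function cookieOptOut(cookies) {
  const usp = cookies.usprivacy;
  return typeof usp === 'string' && usp.length === 4 && usp[2] === 'Y';
}

// Combine both signals: either one means third parties must be blocked.
function resolveOptOut(request) {
  const cookies = parseCookieHeader(request.headers && request.headers.cookie);
  const gpc = gpcSignalled(request);
  const viaCookie = cookieOptOut(cookies);
  return { gpc, viaCookie, blockThirdParty: gpc || viaCookie };
}

// Given what a scan observed after the opt-out was set, return the third-party
// cookies and requests that violate the "nothing third-party" expectation.
function findOptOutViolations(observed, firstPartyHost) {
  const cookies = observed.cookies
    .filter((c) => isThirdParty(c.domain, firstPartyHost))
    .map((c) => `${c.name}@${c.domain}`);
  const requests = observed.requests
    .filter((u) => isThirdParty(new URL(u).hostname, firstPartyHost));
  return { cookies, requests };
}

// Constructed sample input: a GPC-enabled visitor whose usprivacy cookie does
// NOT opt out, and a page that still set one third-party cookie and made one
// third-party request.
const sampleRequest = {
  headers: { 'Sec-GPC': '1', cookie: 'session=abc123; usprivacy=1YNN' },
  navigatorLike: { globalPrivacyControl: true },
};
const sampleObserved = {
  cookies: [
    { name: 'session', domain: 'www.example.com' },
    { name: '_trk', domain: '.tracker.example.net' },
  ],
  requests: [
    'https://www.example.com/app.js',
    'https://cdn.example.com/logo.png',
    'https://ads.example.org/pixel',
  ],
};

function report() {
  const optOut = resolveOptOut(sampleRequest);
  const violations = optOut.blockThirdParty
    ? findOptOutViolations(sampleObserved, 'www.example.com')
    : { cookies: [], requests: [] };
  return { optOut, violations };
}

console.log(JSON.stringify(report(), null, 2));
```

Run with `node`. The report shows `gpc: true`, `viaCookie: false`, and exactly one violating cookie (`_trk@.tracker.example.net`) and one violating request (`https://ads.example.org/pixel`); `cdn.example.com` is treated as first-party because it shares the registrable domain with the site.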
Advertising Consent Compliance:
Ensures that advertising activities on the website comply with user consent preferences as specified by regulations such as GDPR and CCPA. It covers various aspects of advertising, including network requests, Transparency and Consent Framework (TCF) compliance, user identification storage, Prebid configuration, and timeout management.
Network Requests Compliance:
Network Requests Compliance (No Consent Action) - Evaluates if pixels and bid calls reflect the absence of user consent action.
Advertising pixels and bid calls should not be triggered if the user has not taken any consent action. This ensures that no data is collected or shared without the user's explicit consent.
Network Requests Compliance (Rejected Consent) - Evaluates if pixels and bid calls reflect user consent rejection.
If the user rejects consent, advertising pixels and bid calls should be blocked, preventing any data collection or tracking activities. This respects the user's decision to opt out of targeted advertising.
Network Requests Compliance (Granted Consent) - Evaluates if pixels and bid calls reflect user consent being granted.
Upon granting consent, advertising pixels and bid calls should be allowed to execute, enabling targeted advertising based on the user's preferences.
The IAB Transparency & Consent Framework (TCF):
TCF Purposes (No Consent Action) - Validates consented purposes in the Transparency and Consent String obtained from CMP when no consent action is taken.
When no consent action is taken, the Transparency and Consent String should reflect that no specific purposes have been consented to, ensuring transparency and compliance with regulations.
TCF Vendors (No Consent Action) - Validates consented vendors in the Transparency and Consent String obtained from CMP when no consent action is taken.
When no consent action is taken, the Transparency and Consent String should reflect that no specific vendors have been consented to, ensuring transparency and compliance with regulations.
TCF Purposes (Rejected Consent) - Validates consented purposes in the Transparency and Consent String obtained from CMP when consent is rejected.
If consent is rejected, the Transparency and Consent String should indicate that no purposes have been consented to, aligning with the user's choice to opt-out of data processing for advertising purposes.
TCF Vendors (Rejected Consent) - Validates consented vendors in the Transparency and Consent String obtained from CMP when consent is rejected.
If consent is rejected, the Transparency and Consent String should indicate that no vendors have been consented to, aligning with the user's choice to opt-out of data processing for advertising purposes.
User ID Storage:
User ID Storage (No Consent Action) - Evaluates cookies and local storage for set User IDs when no consent action is taken.
When no consent action is taken, user identifiers should not be stored in cookies or local storage, preserving user privacy until explicit consent is obtained.
User ID Storage (Rejected Consent) - Evaluates cookies and local storage for set User IDs when consent is rejected.
Upon rejection of consent, any previously stored user identifiers should be cleared from cookies and local storage, respecting the user's decision to opt out of data collection and tracking.
Prebid Configuration:
Prebid Configuration (No Consent Action) - Validates GDPR and consent settings in Prebid configurations (if any) when no consent action is taken.
Prebid configurations should be set to comply with GDPR and consent requirements, ensuring that no bidding occurs until the user provides explicit consent.
Prebid Configuration (Rejected Consent) - Validates GDPR and consent settings in Prebid configurations (if any) when consent is rejected.
In the event of consent rejection, Prebid configurations should prevent bidding activities, safeguarding user privacy and honoring the user's decision to opt out of targeted advertising.
Prebid Timeout - Evaluates the set prebid timeout for proper consent management. (Criteria: 5s, Default: 10s, Average: 7.7s)
The set prebid timeout should adhere to the specified criteria (e.g., 5 seconds) to allow sufficient time for user interaction and consent management. This ensures that users have an appropriate window to provide or reject consent before advertising activities are initiated.
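The TCF checks (purposes and vendors in the no-action and rejected states) and the Prebid configuration checks above can be reproduced on your own site from the data the CMP and Prebid already expose in the browser. The following is an added example, not Privado's, the IAB's or Prebid's code, that audits the `TCData` object a TCF v2 CMP passes to `__tcfapi` callbacks (`gdprApplies`, `eventStatus`, `purpose.consents`, `vendor.consents`) and a Prebid.js `consentManagement.gdpr` block (`cmpApi`, `timeout`, `defaultGdprScope`). The `TCData` objects and Prebid config are constructed samples, vendor id 123 is made up, and reading the page's 5 s timeout criterion as a minimum wait is this example's assumption.

```javascript
// Added example (not Privado's, the IAB's or Prebid's code): audit a TCF v2
// TCData object and a Prebid.js consentManagement config against the
// "no consent action" and "rejected consent" expectations.
// The TCData objects, Prebid config and vendor id below are constructed.

// Ids in a TCData consent map whose value is true, as sorted integers.
function enabledIds(map) {
  return Object.entries(map || {})
    .filter(([, v]) => v === true)
    .map(([k]) => Number(k))
    .sort((a, b) => a - b);
}

// scenario: 'no-action' (banner shown, user has not interacted) or 'rejected'
// (user chose Reject All). In both, no purposes and no vendors may be consented.
function auditTcData(tcData, scenario) {
  const findings = [];
  if (tcData.gdprApplies !== true) findings.push('gdprApplies is not true');
  const purposes = enabledIds(tcData.purpose && tcData.purpose.consents);
  const vendors = enabledIds(tcData.vendor && tcData.vendor.consents);
  if (scenario === 'no-action' && tcData.eventStatus === 'useractioncomplete') {
    findings.push('eventStatus reports a user action although none was taken');
  }
  if (purposes.length) findings.push(`purposes consented without consent: ${purposes.join(',')}`);
  if (vendors.length) findings.push(`vendors consented without consent: ${vendors.join(',')}`);
  return { scenario, purposes, vendors, findings };
}

// Prebid.js consentManagement.gdpr settings. The 5 s criterion from the page
// is read here as a minimum wait for the CMP (assumption): a shorter timeout
// gives the visitor less time to answer the banner before bidding proceeds.
const TIMEOUT_CRITERION_MS = 5000;
const PREBID_DEFAULT_TIMEOUT_MS = 10000; // Prebid's documented default

function auditPrebidConfig(config) {
  const findings = [];
  const gdpr = config && config.consentManagement && config.consentManagement.gdpr;
  if (!gdpr) return { timeout: null, findings: ['consentManagement.gdpr is not configured'] };
  if (gdpr.cmpApi !== 'iab') findings.push(`cmpApi is ${JSON.stringify(gdpr.cmpApi)}, expected "iab"`);
  if (gdpr.defaultGdprScope !== true) findings.push('defaultGdprScope is not true');
  const timeout = typeof gdpr.timeout === 'number' ? gdpr.timeout : PREBID_DEFAULT_TIMEOUT_MS;
  if (timeout < TIMEOUT_CRITERION_MS) {
    findings.push(`timeout ${timeout} ms is below the ${TIMEOUT_CRITERION_MS} ms criterion`);
  }
  return { timeout, findings };
}

// In a browser, hook the live CMP: 'tcloaded' and 'cmpuishown' are the
// no-action states, 'useractioncomplete' follows a click. No-op under Node.
function installBrowserHook() {
  if (typeof window === 'undefined' || typeof window.__tcfapi !== 'function') return false;
  window.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success) return;
    const scenario = tcData.eventStatus === 'useractioncomplete' ? 'rejected' : 'no-action';
    console.log(auditTcData(tcData, scenario));
  });
  return true;
}

// Constructed samples: a clean "Reject All" result and a leaky no-action state
// in which the CMP already reports consent for purposes 1 and 7 and vendor 123.
const rejectedTcData = {
  gdprApplies: true,
  eventStatus: 'useractioncomplete',
  purpose: { consents: { 1: false, 2: false, 3: false } },
  vendor: { consents: {} },
};
const leakyNoActionTcData = {
  gdprApplies: true,
  eventStatus: 'cmpuishown',
  purpose: { consents: { 1: true, 2: false, 7: true } },
  vendor: { consents: { 123: true } },
};
const samplePrebidConfig = {
  consentManagement: { gdpr: { cmpApi: 'iab', timeout: 3000, defaultGdprScope: true } },
};

installBrowserHook();
console.log(auditTcData(rejectedTcData, 'rejected'));
console.log(auditTcData(leakyNoActionTcData, 'no-action'));
console.log(auditPrebidConfig(samplePrebidConfig));
```

Under `node` the rejected sample produces no findings, the leaky sample reports purposes 1,7 and vendor 123, and the Prebid sample is flagged for its 3000 ms timeout. Dropped into a page that loads a TCF v2 CMP, `installBrowserHook` re-runs the audit on every CMP event so you can watch the consented sets before and after clicking "Reject All".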
Remediation of Issues
The Opt-out Consent Compliance and Opt-in Consent Compliance Policies are added to your Privado instance by default. When a CMP setup violates a regional Consent Policy, "Issues" are created for your team to review and remediate.
There are two ways to view Consent Compliance Issues: via the "Consent Compliance" section and via the "Issues" section.
Issues View - Review All Consent Compliance Issues at once + filters:
You can review all the Consent Compliance Issues via the "Issues" section.
Use "Filters" and select "Website Scan" to view only website-scan Issues.
Use "Group by":
by "Policy ID" to view Issues by Opt-in vs. Opt-out
by "Website" to view Issues by Website
You can review the detail of an Issue by:
Selecting the "ID" in the first column or clicking the ">" in the last column - Full Screen Display
Selecting the Issue text in the second column - Half-screen display
Once you have reviewed the details of the Issue, you can remediate it in your Consent Management Platform and/or by updating the code on your website.
Utilize the "Open" Status button in the upper-right corner to update this Issue's status based on your remediation:
Open
Move to In-progress
Mark Ignored:
False Positive removes incorrect finding
Utilize when Privado is surfacing an issue/cookie that your org has designated as "Essential" or sanctioned and want to remove the issue alert
Mark as Fixed:
Verify and Close - Closes the Issue and queues a scan to verify the fix
Close Anyway "Ignored" - Closes the Issue without a scan
If you've integrated with Jira you can also send the Issue to Jira for your teams to review prior to selecting one of the remediation choices.
Consent Compliance View - Review Consent Compliance Issue by website:
You can review website/domain specific Issues via the "Consent Compliance" section.
Select the Website you are wanting to review via the first column in the Consent Compliance table.
Select an "Alert", shown in red, to see a snapshot of the violations that are occurring for that compliance check.
These "Alerts" are each tied to an "Issue" for you to review and remediate
To start to remediate, Select the "Issues" tab at the top of the page
You can review the detail of an Issue by:
Selecting the "ID" in the first column or clicking the ">" in the last column - Full-screen display
Selecting the Issue text in the second column - Half-screen display
Once you have reviewed the details of the Issue, you can remediate it in your Consent Management Platform and/or by updating the code on your website.
Utilize the "Open" Status button in the upper-right corner to update this Issue's status based on your remediation:
Open
Move to In-progress
Mark Ignored:
False Positive removes incorrect finding
Mark as Fixed:
Verify and Close - Closes the Issue and queues a scan to verify the fix
Close Anyway "Ignored" - Closes the Issue without a scan
If you've integrated with Jira you can also send the Issue to Jira for your teams to review prior to selecting one of the remediation choices.
Consent Compliance Scan Status
Scanning a website can take a few minutes or sometimes longer, depending on how elaborate and complex the website being scanned is.
Privado has various statuses that can surface while scanning:
Scanning - the scan is in process, check back later
Queued - ready to scan and will as soon as the other websites finish
In-progress - currently scanning the website
Complete - the scan has finished and you can now review the third-party, cookie, and API findings
Failed:
Scan Failed - there was an issue reaching the website to scan it. Rescan the website; if it fails again, notify your CSM, who will begin troubleshooting with the technical teams.
FAQs
How long does it take to scan a website?
Consent Compliance scan durations vary based on the size and complexity of the website you are scanning.
If your scan does not complete within 30 minutes, stop the scan and rescan.
If there is still latency, reach out to your designated CSM.
How do I add additional regional jurisdictions after my initial scan?
You need to rescan the website, adding the needed regions before scanning.
Once you've initiated the new scan, you can remove the old one by selecting the 3-dot ellipsis on the right side of the Consent Compliance table and choosing "Delete".
How do I create Policies/Issues to flag certain issues to investigate?
The Opt-out Consent Compliance and Opt-in Consent Compliance Policies are added to your workspaces by default; if the CMP is set up in a manner that would violate one of those policies, Privado will generate an "Issue" for your team to review.
How do I disable Policies/Issues in Privado?
Navigate to "Policy" > Select the Policy that you'd like to disable > Select the toggle to disable. You will be presented with the following warning which you'll need to confirm before moving forward.
Image: Disabling the Policy:
Image: Warning when disabling a Policy:
Why am I seeing differing results for various EU regions?
Your organization's website Consent Management Platform (CMP) has not been configured to block cookies/services in one country vs. another.
Although the intention to protect privacy is there, some things can potentially slip through the cracks. Consent Compliance is your safety net to make sure your hard work has the outcome you intended. This is why Privado built Consent Compliance to simulate various regions rather than running an overall GDPR check.
Privado's Consent Compliance simulates a data subject's consent interaction on the website based on the regions you selected to test against in order to make sure your CMP is working as intended.
Consent functionality on sites is typically region based: CMPs function by region.
"Deployments" or "Site Delivery" are typically region based as well.
For example, different data centers could serve assets in two different locations, and some locations can use a different delivery network or node.
Historically, we have found that some services/vendors are blocked in certain regions but not others.
What is the IAB Transparency & Consent Framework (TCF)?
IAB: Interactive Advertising Bureau is an American advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry.
TCF: An open-standard technical framework that enables websites, advertisers, and ad agencies to obtain, record, and update consumer consent for web pages.
What is Online Consent?
Legal requirements:
Some privacy laws like GDPR (EU) require websites to only drop these cookies once the data subject has given explicit consent for them. They also require that data subjects be given an option to consent to each purpose separately, such as Marketing, Analytics, and Functional, among others.
CPRA (California), by contrast, requires that data subjects be given an option to opt out of these cookies and other tracking technologies. It also allows data subjects to set their online consent through their browser's Global Privacy Control (GPC) setting, a signal sent to websites that tells the site to block or fire all sharing and selling cookies.
Solutions:
In order to honor data subjects' privacy rights online, organizations have deployed Consent Management Platforms (CMPs), which are the banner experiences you're probably familiar with seeing when browsing online.
CMPs allow organizations to understand, categorize, and block various cookies and services on a website to honor data subjects' online consent preferences. This is done prior to collecting or sending their personal data to any organization outside of their own, as required by regulation.
What happens when I delete a website scan?
When you delete a website scan, all Issues generated by the scan are removed. You will need to readdress any Issue remediations you had previously made for that site.
What happens when I rescan a previously deleted website scan?
When you rescan a website that was previously deleted, Privado treats it as a net-new scan.