Consent Compliance Overview

A user-guide that walks through how to utilize Privado's Consent Compliance solution

Written by Patrick Murthey
Updated over 2 months ago

Initiating a Website Consent Compliance Scan

Privado's Consent Compliance allows organizations to test their Consent Management Platform (CMP) and Global Privacy Control (GPC) setups.

Navigate to "Consent Compliance" > Select "Add New Website".

From "Add New Website" you can enter the website URL, a nickname, and the regional locations you'd like simulated for the consent compliance check.

Once all information is entered, select "Scan".

  • A scan will be initiated on the chosen website to check it against the regional requirements for each regional location selected.

Default Settings and Rescan Cadence

Navigate to "Consent Compliance" > "Settings" in the upper-right hand corner of the UI.

Once selected you will be able to select default regions to scan when initiating a Consent Compliance scan. You can also set rescan cadence to rescan the websites:

  1. Manually (Default Setting)

  2. Weekly

  3. Monthly

The rescan cadence is calculated from the date of each website's last scan, so rescans can fall on different days for different website domains/URLs.

For example, if you set the schedule to weekly and scanned one website on Tuesday and another on Wednesday, each would rescan on that same day of the week, the following week.

Bulk Rescan

You are able to rescan websites in bulk by selecting the unmarked check-box next to the websites you wish to re-scan.

You can also select all by clicking the top-most check-box next to "URL" in the column header. If you've scanned more than 15 URLs, when selecting all, Privado will ask whether you'd like to select only the 15 visible URLs or all URLs. You can then choose to rescan or delete your selection.

Reviewing Scan Results

Once your website scan has completed, you can review the issues (if any) flagged for each regional jurisdiction.

Privado tests the CMP by acting as if it's a data subject browsing the website based on the regions you selected to be simulated.

Work with your web-development and marketing teams to take action: either remedy the cookies, update your privacy policy in accordance with what your website is truly tracking and for what purpose, or both.

Opt-In Consent Compliance - GDPR (EU), PIPL (China) Tests - CMP Cookie Blocking/Banner Present:

Ensures that the Consent Management Platform (CMP) banner on websites functions correctly by simulating various user interactions and verifying the expected behavior, with a focus on third-party cookie handling.

  • CMP Banner - Evaluates if CMP Banner is present

    • Verifies if the CMP banner appears prominently upon loading the website.

  • No Consent - Checks if the banner remains visible if no action is taken and if third-party cookies are dropped.

    • If no action is taken on the banner, it should persist until dismissed by the user or until the user interacts with it, ensuring users have sufficient time to review the options. Importantly, third-party cookies should not be dropped during this time, maintaining user privacy.

  • Reject All - No third-party cookies should be dropped.

    • Validates the disappearance of the banner upon selecting "Reject All Cookies."

      • Selecting "Reject All Cookies" should result in the banner disappearing, and the website should not load the rejected cookies. Again, third-party cookies should not be dropped, aligning with the user's preference for enhanced privacy.

        • No third-party cookies should be dropped. Review and remove the third-party cookies flagged by the issue.

  • Essentials Only - No third-party cookies should be dropped.

    • Validates the disappearance of the banner upon selecting "Essentials Only"

      • Selecting "Essentials Only" should also result in the banner disappearing, and the website should not load the rejected cookies. Again, third-party cookies should not be dropped, aligning with the user's preference for enhanced privacy.

        • No third-party cookies should be dropped. Review and remove the third-party cookies flagged by the issue.

Opt-out Consent Compliance - CPRA (California), CPA (Colorado) Test - GPC & Cookies:

Ensures that websites honor the Global Privacy Control (GPC) signal set by users in their browsers, indicating their preference to opt-out of data collection and tracking by third-party services. The policy evaluates both cookie compliance and network request compliance regarding the GPC signal.

  • Cookie Compliance (GPC Opt-Out) - Evaluates third-party cookies when the GPC opt-out signal is set by the user

    • Ensures third-party cookies are not dropped, in alignment with the user's privacy preference.

  • Cookie Compliance (Cookie Opt-Out) - Evaluates third-party cookies when a traditional cookie-based opt-out signal is set by the user

    • Ensures third-party cookies are not dropped, in alignment with the user's privacy preference.

  • Network Requests Compliance (GPC Opt-Out) - Evaluates third-party network requests when the GPC opt-out signal is set by the user

    • Third-party network requests should be blocked. This prevents data collection and tracking by third-party services, respecting the user's choice to opt out of such practices.

  • Network Requests Compliance (Cookie Opt-Out) - Evaluates third-party network requests when a traditional cookie-based opt-out signal is set by the user

    • Third-party network requests should be blocked. This prevents data collection and tracking by third-party services, respecting the user's choice to opt out of such practices.
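The two opt-out tests above both reduce to one question: once the user has signalled an opt-out, did any third-party cookie get set or any third-party request go out? The following is an added example, not Privado's code, of that classification written as a small audit a site owner could run over what a headless browser observed after page load. It assumes a constructed first-party origin (`www.example.com`), a constructed opt-out cookie value (`optout=1`), and a deliberately naive registrable-domain rule; the GPC signal itself is real and reaches a site as `navigator.globalPrivacyControl` in the browser and as the `Sec-GPC: 1` request header server-side. The same third-party classification applies to the opt-in "No Consent" and "Reject All" checks earlier on this page.

```javascript
// Added example, not Privado's code: audit what a page did once the user opted out.
// GPC arrives as navigator.globalPrivacyControl (browser) or the "Sec-GPC: 1" header
// (server). The cookie-based opt-out ("optout=1") is a constructed placeholder.

const SITE_ORIGIN = "https://www.example.com"; // constructed first-party origin

// True when any of the opt-out signals the tests simulate is present.
function optOutSignalled({ navigatorGpc = false, secGpcHeader = "", optOutCookie = "" } = {}) {
  return navigatorGpc === true || String(secGpcHeader).trim() === "1" || String(optOutCookie) === "1";
}

// Naive eTLD+1: the last two DNS labels. Adequate for the constructed hosts here;
// production code should consult the Public Suffix List ("co.uk" breaks this rule).
function registrableDomain(hostname) {
  return hostname.replace(/^\./, "").split(".").slice(-2).join(".");
}

// A request is third-party when its registrable domain differs from the site's.
function isThirdPartyUrl(url, siteOrigin = SITE_ORIGIN) {
  return registrableDomain(new URL(url).hostname) !== registrableDomain(new URL(siteOrigin).hostname);
}

// A cookie is third-party when the domain it is scoped to differs from the site's.
function isThirdPartyCookie(cookie, siteOrigin = SITE_ORIGIN) {
  return registrableDomain(cookie.domain) !== registrableDomain(new URL(siteOrigin).hostname);
}

// Given the opt-out signals and what was observed after load, report the
// third-party requests and cookies that should not have happened.
function auditOptOut(signals, observed, siteOrigin = SITE_ORIGIN) {
  const optOut = optOutSignalled(signals);
  const thirdPartyRequests = observed.requests.filter((u) => isThirdPartyUrl(u, siteOrigin));
  const thirdPartyCookies = observed.cookies
    .filter((c) => isThirdPartyCookie(c, siteOrigin))
    .map((c) => c.name);
  // Without an opt-out signal the opt-out model has nothing to enforce; with one,
  // every third-party request or cookie is a finding.
  const compliant = !optOut || (thirdPartyRequests.length === 0 && thirdPartyCookies.length === 0);
  return { optOut, thirdPartyRequests, thirdPartyCookies, compliant };
}

// Constructed observation: what a headless browser might record after loading the page.
const SAMPLE_OBSERVATION = {
  requests: [
    "https://www.example.com/api/page",
    "https://cdn.example.com/app.js",
    "https://tracker.adsvendor.net/pixel.gif",
  ],
  cookies: [
    { name: "session", domain: "www.example.com" },
    { name: "_ads_uid", domain: ".adsvendor.net" },
  ],
};

// Browser-side wiring (not executed here): a site's own tag loader can be gated as
//   if (navigator.globalPrivacyControl === true) { /* skip third-party tags */ }
// and server-side on the request header: req.headers["sec-gpc"] === "1".
```

Run against `SAMPLE_OBSERVATION` with `navigatorGpc: true`, the audit flags the `tracker.adsvendor.net` pixel and the `_ads_uid` cookie and reports the page as non-compliant; with no signal set it reports nothing to enforce.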

PIPEDA (Canada) Test - Banner Present & Opt-out Essential Cookies Only

  • CMP Banner - Evaluates if CMP Banner is present

    • Verifies if the CMP banner appears prominently upon loading the website.

  • Opt-out - Evaluates cookies when the user has opted out of all cookies except Essential Cookies

    • No third-party cookies should be dropped.

      • Validates the disappearance of the banner upon selecting "Essentials Only"

        • When a data subject opts out, the banner should disappear and the website should not load the rejected cookies. Third-party cookies should not be dropped, aligning with the user's preference for enhanced privacy.

          • No third-party cookies should be dropped. Review and remove the third-party cookies flagged by the issue.

Advertising Consent Compliance:

Ensures that advertising activities on the website comply with user consent preferences as specified by regulations such as GDPR and CCPA. It covers various aspects of advertising, including network requests, Transparency and Consent Framework (TCF) compliance, user identification storage, Prebid configuration, and timeout management.

Network Requests Compliance:

  • Network Requests Compliance (No Consent Action) - Evaluates if pixels and bid calls reflect the absence of user consent action.

    • Advertising pixels and bid calls should not be triggered if the user has not taken any consent action. This ensures that no data is collected or shared without the user's explicit consent

  • Network Requests Compliance (Rejected Consent) - Evaluates if pixels and bid calls reflect user consent rejection.

    • If the user rejects consent, advertising pixels and bid calls should be blocked, preventing any data collection or tracking activities. This respects the user's decision to opt-out of targeted advertising

  • Network Requests Compliance (Granted Consent) - Evaluates if pixels and bid calls reflect user consent being granted.

    • Upon granting consent, advertising pixels and bid calls should be allowed to execute, enabling targeted advertising based on the user's preferences

The IAB Transparency & Consent Framework (TCF):

  • TCF Purposes (No Consent Action) - Validates consented purposes in the Transparency and Consent String obtained from CMP when no consent action is taken.

    • When no consent action is taken, the Transparency and Consent String should reflect that no specific purposes have been consented to, ensuring transparency and compliance with regulations

  • TCF Vendors (No Consent Action) - Validates consented vendors in the Transparency and Consent String obtained from CMP when no consent action is taken.

    • When no consent action is taken, the Transparency and Consent String should reflect that no specific vendors have been consented to, ensuring transparency and compliance with regulations

  • TCF Purposes (Rejected Consent) - Validates consented purposes in the Transparency and Consent String obtained from CMP when consent is rejected.

    • If consent is rejected, the Transparency and Consent String should indicate that no purposes have been consented to, aligning with the user's choice to opt-out of data processing for advertising purposes.

  • TCF Vendors (Rejected Consent) - Validates consented vendors in the Transparency and Consent String obtained from CMP when consent is rejected.

    • If consent is rejected, the Transparency and Consent String should indicate that no vendors have been consented to, aligning with the user's choice to opt-out of data processing for advertising purposes.
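The four TCF checks above can be reproduced from the data the CMP itself exposes. A TCF v2 CMP publishes `window.__tcfapi`, and `__tcfapi("getTCData", 2, callback)` hands the callback a TCData object carrying `eventStatus`, `purpose.consents` and `vendor.consents`. The following is an added example, not Privado's or the IAB's code, that audits such an object for the "No Consent Action" and "Rejected Consent" cases; the TCData objects in it are constructed samples (vendor id 42 is a placeholder, not a real vendor), and the TC-string check only reads the version field rather than decoding the whole string.

```javascript
// Added example, not Privado's or the IAB's code. Audits a TCF v2 TCData object
// (as delivered by __tcfapi("getTCData", 2, cb)) for the page's purpose/vendor checks.
// The TCData objects below are constructed samples.

// Ids whose consent flag is exactly true.
function consentedIds(map) {
  return Object.keys(map || {}).filter((id) => map[id] === true).map(Number);
}

// A TC string's version is its first 6 bits, i.e. the base64url index of its first
// character; TCF v2 strings therefore start with "C".
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
function tcStringVersion(tcString) {
  return typeof tcString === "string" && tcString.length ? B64URL.indexOf(tcString[0]) : -1;
}

// userAction is what the simulated data subject did: "none", "rejected" or "granted".
function auditTcData(tcData, userAction) {
  const findings = [];
  const label =
    userAction === "none" ? "No Consent Action" : userAction === "rejected" ? "Rejected Consent" : "Granted Consent";
  if (tcData.gdprApplies !== true) findings.push("gdprApplies is not true for a GDPR-region simulation");
  if (tcStringVersion(tcData.tcString) !== 2) findings.push("tcString is not a TCF v2 string");
  if (userAction === "none" && tcData.eventStatus === "useractioncomplete") {
    findings.push("eventStatus reports a user action although none was taken");
  }
  const purposes = consentedIds(tcData.purpose && tcData.purpose.consents);
  const vendors = consentedIds(tcData.vendor && tcData.vendor.consents);
  // Before any action, and after a rejection, nothing may be consented.
  if (userAction !== "granted") {
    if (purposes.length) findings.push(`TCF Purposes (${label}): purposes consented ${purposes.join(", ")}`);
    if (vendors.length) findings.push(`TCF Vendors (${label}): vendors consented ${vendors.join(", ")}`);
  }
  return { label, purposes, vendors, findings };
}

// Constructed: banner shown, nothing clicked, empty consent maps.
const TCDATA_NO_ACTION = {
  tcString: "CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", // constructed, v2-shaped
  gdprApplies: true,
  eventStatus: "cmpuishown",
  purpose: { consents: {} },
  vendor: { consents: {} },
};

// Constructed: the user clicked reject, yet the CMP still granted purpose 1 and vendor 42.
const TCDATA_LEAKY_REJECT = {
  tcString: "CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  gdprApplies: true,
  eventStatus: "useractioncomplete",
  purpose: { consents: { 1: true, 2: false } },
  vendor: { consents: { 42: true } },
};

// Browser wiring (not executed here):
//   window.__tcfapi("getTCData", 2, (tcData, ok) => { if (ok) console.log(auditTcData(tcData, "rejected")); });
```

`TCDATA_NO_ACTION` audits clean; `TCDATA_LEAKY_REJECT` produces one "TCF Purposes (Rejected Consent)" and one "TCF Vendors (Rejected Consent)" finding, which is exactly the pair of issues the page describes for a CMP that does not honour a rejection.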

User ID Storage:

  • User ID Storage (No Consent Action) - Evaluates cookies and local storage for set User IDs when no consent action is taken.

    • When no consent action is taken, user identifiers should not be stored in cookies or local storage, preserving user privacy until explicit consent is obtained

  • User ID Storage (Rejected Consent) - Evaluates cookies and local storage for set User IDs when consent is rejected.

    • Upon rejection of consent, any previously stored user identifiers should be cleared from cookies and local storage, respecting the user's decision to opt-out of data collection and tracking

Prebid Configuration:

  • Prebid Configuration (No Consent Action) - Validates GDPR and consent settings in Prebid configurations (if any) when no consent action is taken.

    • Prebid configurations should be set to comply with GDPR and consent requirements, ensuring that no bidding occurs until the user provides explicit consent

  • Prebid Configuration (Rejected Consent) - Validates GDPR and consent settings in Prebid configurations (if any) when consent is rejected.

    • In the event of consent rejection, Prebid configurations should prevent bidding activities, safeguarding user privacy and honoring their decision to opt-out of targeted advertising

  • Prebid Timeout - Evaluates the set prebid timeout for proper consent management. (Criteria: 5s, Default: 10s, Average: 7.7s)

    • The set prebid timeout should adhere to the specified criteria (e.g., 5 seconds) to allow sufficient time for user interaction and consent management. This ensures that users have an appropriate window to provide or reject consent before advertising activities are initiated.
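Prebid.js takes its consent behaviour from the `consentManagement` section passed to `pbjs.setConfig`, which is where the three Prebid checks above look. Below is an added example, not Privado's or Prebid's code, showing a configuration that meets the page's criteria next to an audit function that flags the gaps; the `consentManagement.gdpr.cmpApi`, `timeout`, `defaultGdprScope` and `consentManagement.usp` keys are Prebid's own, the 5 s criterion and 10 s default are the values stated above, and reading the criterion as a minimum wait (so that Prebid does not stop waiting before the user has answered the banner) is this example's assumption. The `defaultGdprScope` check goes one step beyond the page: it makes Prebid assume GDPR applies when the CMP never answers.

```javascript
// Added example, not Privado's or Prebid's code. Builds a consent-aware Prebid
// configuration and audits one (e.g. the result of pbjs.getConfig()) against the
// page's timeout criterion. Reading the criterion as a minimum is an assumption.

const TIMEOUT_CRITERIA_MS = 5000;        // the page's criterion
const PREBID_DEFAULT_TIMEOUT_MS = 10000; // the page's stated default when no timeout is set

// What a site would push: pbjs.que.push(() => pbjs.setConfig(recommendedConsentConfig()));
function recommendedConsentConfig() {
  return {
    consentManagement: {
      // TCF (GDPR): wait at least the criterion for the CMP; assume GDPR applies if it never answers.
      gdpr: { cmpApi: "iab", timeout: TIMEOUT_CRITERIA_MS, defaultGdprScope: true },
      // US Privacy (CPRA): forward the opt-out string to bidders; the CMP answers this quickly.
      usp: { cmpApi: "iab", timeout: 100 },
    },
  };
}

// Returns a list of findings; an empty list means the configuration meets the criteria.
function auditPrebidConsentConfig(config) {
  const findings = [];
  const cm = config && config.consentManagement;
  if (!cm) {
    findings.push("consentManagement missing: bids are sent with no consent gating");
    return findings;
  }
  if (!cm.gdpr) {
    findings.push("gdpr section missing: TCF consent is never passed to bidders");
  } else {
    if (cm.gdpr.cmpApi !== "iab" && typeof cm.gdpr.cmpApi !== "function") {
      findings.push('gdpr.cmpApi should be "iab" (or a custom function)');
    }
    const timeout = cm.gdpr.timeout === undefined ? PREBID_DEFAULT_TIMEOUT_MS : cm.gdpr.timeout;
    if (timeout < TIMEOUT_CRITERIA_MS) {
      findings.push(`gdpr.timeout ${timeout} ms is below the ${TIMEOUT_CRITERIA_MS} ms criterion`);
    }
    if (cm.gdpr.defaultGdprScope !== true) {
      findings.push("gdpr.defaultGdprScope should be true so GDPR is assumed when the CMP does not answer");
    }
  }
  if (!cm.usp) findings.push("usp section missing: the CPRA opt-out string is never passed to bidders");
  return findings;
}

// Constructed: a site that enabled the module but otherwise kept Prebid's defaults.
const DEFAULTS_ONLY_CONFIG = { consentManagement: { gdpr: { cmpApi: "iab" } } };

// Constructed: a site that set the timeout far too short.
const SHORT_TIMEOUT_CONFIG = {
  consentManagement: {
    gdpr: { cmpApi: "iab", timeout: 500, defaultGdprScope: true },
    usp: { cmpApi: "iab" },
  },
};
```

In a browser the object to audit comes from `pbjs.getConfig()` after the page's own setup has run; the constructed configurations here stand in for that.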

Remediation of Issues

Opt-out Consent Compliance and Opt-in Consent Compliance Policies are added to your Privado instance by default. When a CMP setup violates a regional Consent Policy, "Issues" will be created for your team to review and remediate.


There are two ways you can view Consent Compliance Issues, via the "Consent Compliance" and "Issues" sections:

Issues View - Review All Consent Compliance Issues at once + filters:

You can review all the Consent Compliance Issues via the "Issues" section.

  1. Use "Filters" > "Website Scan" to view only website scan Issues

  2. Utilize "Group by 👁️ "

    1. to filter by "Policy ID" to view Issues by Opt-in vs. Opt-out

    2. to filter by "Website" to view Issues by Website

  3. You can review the detail of an Issue by:

    1. Selecting the "ID" in the first column or clicking the ">" in the last column - Full Screen Display

    2. Selecting the Issue text in the second column - Half-screen display

  4. Once you review the details of the Issue you can then work to remediate it with your Consent Management Platform and/or by updating the code on your website.

    1. Utilize the "Open" Status button in the upper-right corner to update this Issue's status based on your remediation:

      1. Open

      2. Move to In-progress

      3. Mark Ignored:

        1. False Positive removes incorrect finding

        2. Utilize when Privado is surfacing an issue/cookie that your org has designated as "Essential" or sanctioned and want to remove the issue alert

      4. Mark as Fixed:

        1. Verify and Close - Closes the issue and queues a scan to verify the fix

        2. Close Anyway "Ignored" - Closes issues without a scan


      If you've integrated with Jira you can also send the Issue to Jira for your teams to review prior to selecting one of the remediation choices.

Consent Compliance View - Review Consent Compliance Issue by website:

You can review website/domain specific Issues via the "Consent Compliance" section.

  1. Select the Website you are wanting to review via the first column in the Consent Compliance table.

  2. Select an "Alert", shown in red, to see a snapshot of the violations that are occurring for that compliance check.

    1. These "Alerts" are each tied to an "Issue" for you to review and remediate

  3. To start to remediate, Select the "Issues" tab at the top of the page

  4. You can review the detail of an Issue by:

    1. Selecting the "ID" in the first column or clicking the ">" in the last column - Full-screen display

    2. Selecting the Issue text in the second column - Half-screen display

  5. Once you review the details of the Issue you can then work to remediate it with your Consent Management Platform and/or by updating the code on your website.

    1. Utilize the "Open" Status button in the upper-right corner to update this Issue's status based on your remediation:

      1. Open

      2. Move to In-progress

      3. Mark Ignored:

        1. False Positive removes incorrect finding

      4. Mark as Fixed:

        1. Verify and Close - Closes the issue and queues a scan to verify the fix

        2. Close Anyway "Ignored" - Closes issues without a scan


      If you've integrated with Jira you can also send the Issue to Jira for your teams to review prior to selecting one of the remediation choices.

Consent Compliance Scan Status

Scanning a website can take a few minutes or sometimes longer, depending on how elaborate and complex the website being scanned is.

Privado has various statuses that can surface while scanning:

  • Scanning - the scan is in process, check back later

  • Queued - ready to scan and will as soon as the other websites finish

  • In-progress - currently scanning the website

  • Complete - the scan has finished and you can now review the third-party, cookie, and API findings

  • Failed:

    • Scan Failed - there was an issue getting through to scan the website. Rescan the website and if it fails again notify your CSM and they will begin to troubleshoot with the technical teams

FAQs

How long does it take to scan a website?


Consent Compliance scan durations vary based on the size and complexity of the website you are scanning.

If your scan does not complete within 30 minutes, stop the scan and rescan.

If there's still latency reach out to your designated CSM.

How do I add additional regional jurisdictions after my initial scan?


You would need to rescan the website and add the needed regions prior to scanning.


Once you've initiated the new scan, you can remove the old one by selecting the three-dot menu on the right side of the Consent Compliance table and selecting "Delete".

How do I create Policies/Issues to flag certain issues to investigate?


The Opt-out Consent Compliance and Opt-in Consent Compliance Policies are added to your workspace by default. If the CMP is set up in a manner that would violate one of those policies, Privado will generate an "Issue" for your team to review.

How do I disable Policies/Issues in Privado?


Navigate to "Policy" > Select the Policy that you'd like to disable > Select the toggle to disable. You will be presented with the following warning which you'll need to confirm before moving forward.


Image: Disabling the Policy:

Select the Active toggle in the upper-right corner, or the toggle next to any "Control" for a more granular disable selection.

Image: Warning when disabling a Policy:

Warning pop-up: Disable Policy? When disabled, no more issues will be created for this policy. Any existing issues remain unchanged in the system.

Why am I seeing differing results for various EU regions?


Your organization's website's Consent Management Platform (CMP) has not been configured to block cookies/services in one country vs another.

Although the intention to protect privacy is there, some things can slip through the cracks. Consent Compliance is your safety net to make sure your hard work has the outcome you intended, which is why Privado built it to simulate individual regions rather than running one overall GDPR check.

Privado's Consent Compliance simulates a data subject's consent interaction on the website based on the regions you selected to test against in order to make sure your CMP is working as intended.

  • Consent functionalities on sites are typically region based. CMPs function based on region.

  • "Deployments" or "Site Delivery" are typically region based

    1. For example, different data centers could serve assets in two different locations, some can have a different delivery network or node

  • Historically, we have found that some services/vendors are blocked in certain regions but not others

What is the IAB Transparency & Consent Framework (TCF)?

  • IAB: Interactive Advertising Bureau is an American advertising business organization that develops industry standards, conducts research, and provides legal support for the online advertising industry.

  • TCF: An open-standard technical framework that enables websites, advertisers, and ad agencies to obtain, record, and update consumer consent for web pages.

What is Online Consent?

Legal requirements:

Some privacy laws, like GDPR (EU), require websites to drop these cookies only once the data subject has given explicit consent for them. They also require that data subjects be given the option to consent to each purpose separately, such as Marketing, Analytics, and Functional, amongst others.

CPRA (California), by contrast, requires that data subjects be given an option to opt out of these cookies and other tracking technologies. It also allows data subjects to set their online consent through their browser's Global Privacy Control (GPC) setting, a signal sent to websites that tells the site whether to block or fire all sharing and selling cookies.


Solutions:

In order to honor data subject's privacy rights online, organizations have deployed Consent Management Platforms (CMPs) which are the banner experiences you're probably familiar with seeing when browsing online.

CMPs allow organizations to understand, categorize, and block various cookies and services on a website to honor data subjects' online consent preferences. This is done before collecting their personal data or sending it to any organization outside their own, as required by regulation.

What happens when I delete a website scan?

When you delete a website scan all Issues generated by the scan will be removed. You will need to readdress any Issue remediations you had made for that site prior.

What happens when I rescan a previously deleted website scan?

When you rescan a website that was previously deleted Privado will act as if it's a net-new scan.
