Best Practices

Monitoring consent compliance: Scan websites and apps to eliminate risks

Ben Werner
July 30, 2024

The EU’s GDPR (General Data Protection Regulation) created the need for consent compliance in 2018. Now new regulation has made consent compliance an imperative for US companies in 2024. Although most companies have implemented consent banners on their websites and in their apps, very few monitor whether their data flows actually comply with users’ consent choices.

Enforcement for CPRA (California Privacy Rights Act), the US’s most groundbreaking privacy law, began in February 2024. This law gives the state of California new authority to issue fines for sharing personal data against users’ preferences. Prior to this law, the CCPA (California Consumer Privacy Act) only restricted selling personal data against users’ preferences. As a result, companies with users in California must give users the opportunity to opt out of data sharing on all websites, apps, and any other product or service.

Now almost every other US state is following suit. Six states since 2023 have started enforcing similar privacy laws, including Texas and Oregon whose laws went into effect July 1, 2024. Over the next two years, 12 more states will start enforcing their new privacy laws. Even though New York doesn't have its own privacy law yet, the New York State Attorney General published a website privacy controls guide on July 30, 2024 to direct businesses on deploying tracking technologies and complying with New York's consumer protection laws.

If companies aren’t already consent compliant with California’s privacy laws, they will be subject to fines in nearly 20 more states because every state’s law restricts what data can be shared or sold without asking for consent.   

This presents a huge challenge for most companies because most websites and apps are covered with pixels and SDKs (software development kits) from marketing partners collecting user data on every visit. Even if cookie consent banners are implemented, third-party pixels may still capture personal data without consent. Full visibility and governance over consent banners, pixels, tag managers, and SDKs are needed to ensure consent compliance.

Many privacy teams lack this visibility over consent compliance because they rely on people to properly configure consent banners and data flows.

Even though most companies leverage consent management platforms (CMPs) to centrally manage consent banners and data flows, privacy teams don’t have a way to reliably audit their CMP. Someone must manually check the configuration of each banner, pixel, tag manager, and SDK for every website and app in every region.

With most websites and apps getting updated on a weekly basis, automated and regular monitoring is required to ensure consent compliance. Without it, companies open themselves up to privacy fines and reputational damage. 

Privado offers a comprehensive consent compliance solution that continuously scans all websites and mobile apps to ensure:

  • Consent banners load properly on every page
  • Data flows are limited according to consent choices and applicable regulations
  • Risks are immediately communicated to the privacy team

[Figure: Example consent compliance risks identified by Privado]

Consent compliance monitoring works together with Privado’s privacy code scanning platform to monitor and manage all personal data sharing with third parties, a practice known as digital tracking governance.

How digital tracking works on websites 

Before we discuss the need for a consent compliance solution, we first need to clarify how websites (and then apps) share personal data with third parties, primarily marketing partners.

Websites use pixels, also known as tags. Before launching the first ad campaign, each marketing partner typically requires the website owner to implement their pixel to enable measurement and retargeting. Instead of implementing a new pixel for each marketing partner, marketing teams often implement one tag manager for their website to send data to all marketing partners. 

The key to targeted digital advertising is unique user identifiers. Identifiers enable marketing partners to build user profiles of personal data and match the appropriate profile to a website or app visitor across the internet. 

Cookies are used as the primary identifier on desktop and mobile websites. If a marketing partner’s pixel does not recognize a website visitor, it will drop a third-party cookie that gets stored in the user’s web browser. Once this is done, the marketing partner will be able to identify that user on any website for the purpose of attributing ad performance and targeting them with personalized ads, unless the user or the other website decides to block cookies.

There is a separate type of cookie that is used by the website owner called a first-party cookie. First-party cookies enable the website owner to identify that user each time they revisit their website for the purpose of personalizing the user’s experience on their website. Because first-party cookies cannot be used to identify users on other websites, these cookies do not represent a large privacy risk. 

In addition to dropping cookies, pixels can capture all kinds of personal data from the user’s browser and the user’s website activity such as sign-ups or purchases. Third-party pixels capture this data via what’s called a network request. Much of the data captured via network requests would not be considered personal data, e.g., products purchased, unless it is tied to personally identifiable information (PII) such as a cookie, email address, home address, etc. 

Although you can identify someone by their home address, home address typically does not enable a marketing partner to identify someone online. Cookies can identify users all over the internet. That is why they are so important to marketing partners, especially when cookies are combined with users’ data from network requests.  

How digital tracking works in apps

Digital tracking with mobile apps works a bit differently. Mobile apps use SDKs instead of pixels to send personal data to marketing partners. App owners can implement SDKs for each marketing partner, or they can implement one mobile measurement partner (MMP) SDK to send data to all marketing partners. 

Each phone (or tablet) is assigned a unique device ID that can be used to identify a user in any mobile app. Marketing partner SDKs are designed to capture this device ID when the user opens an app. Similar to network requests on web, SDKs can capture all kinds of information from the user’s device and their activity within the app. 

The process for capturing device IDs on iPhones got a lot more complicated when Apple introduced its app tracking transparency (ATT) framework in April 2021. Apple has since required all apps to implement this framework and ask users if they want to be tracked for advertising purposes. If the user says no, Apple will automatically hide the user’s device ID from the app owner and any third party SDK.

Apple’s ATT framework functions as the primary consent banner for US app users, but it complicates GDPR consent compliance for EU users. Since GDPR requires consent for personal data collection and sharing, app owners must show a second consent banner if they want to give the user the option to have their data collected but not shared. 

In addition to monitoring consent compliance in apps, it is critical to regularly audit app SDKs to control what third parties have access to your apps and identify exactly what data elements they collect. 

Consent compliance requirements

GDPR in Europe

The EU’s GDPR remains the strictest consent compliance law. GDPR requires companies to obtain user consent before collecting, processing, or sharing any personal data. 

As a result, users must opt in before companies can place first- or third-party cookies in their web browser, collect device IDs in mobile apps, or send any personal data to third parties.

Because user identifiers like cookies and device IDs cannot be collected without consent, personalized ads cannot be displayed unless the user gives consent. For websites and apps that run live ad auctions based on user data, ad auctions should not receive user identifiers by default, and the auction should be delayed long enough for the user to opt in.

To provide the digital advertising industry with a standardized approach to comply with GDPR, the IAB (Interactive Advertising Bureau) introduced the Transparency and Consent Framework (TCF) in 2018. TCF has been widely adopted by advertisers, publishers, marketing partners, and consent management platforms (CMPs) in Europe. 

To comply with TCF, websites and apps must create a user preference center that gives users the option to opt into data usage and sharing by purpose and by third party. Most companies implement this by using CMPs to categorize data use and third parties and limit data flows based on user preferences. 

Failing to comply with GDPR consent requirements can be extremely costly financially and reputationally. In 2021, Amazon was fined $888M, the second-largest GDPR fine to date, for targeting users with ads without proper consent. Criteo was also fined $44M for the same reason in 2023.   

CPRA/CCPA in the United States

California’s CPRA has set the “do not sell or share” standard for consent compliance in the US. When the CPRA amendment to CCPA went into effect in February 2024, it required companies to give users the option to opt out of the selling or sharing of their personal data. 

In addition to giving users the option to opt out on a website or app, CPRA also requires that companies honor users’ Global Privacy Control (GPC) setting in their browser. GPC allows users to universally opt out of personal data selling and sharing for all websites. Sephora was fined by California in 2022 because they ignored opt-out requests from GPC signals and continued to sell those users’ data.

Although nearly 20 other states have passed their own privacy laws, CPRA is still the bar for consent compliance in the US. CPRA’s consent requirements are either similar to or greater than the other states’ laws, and CPRA allows for stricter enforcement than any other state law.

Why consent management platforms don’t ensure consent compliance 

Consent management platforms (CMPs) collect, act on, and record user consent for websites and mobile apps. On the surface, these tools offer customizable cookie banners that allow users to opt in or out of data sharing. On the backend, CMPs act on user preferences by limiting data sent to third parties and internal systems. 

Although CMPs are needed to manage the complexity of implementing consent banners and data flows across websites and apps in each region, CMPs can’t sufficiently monitor consent compliance on their own.

CMPs rely on continual manual configuration to maintain compliance. If consent policies or data flows are not configured correctly for every device/channel, location, type of data, or third party pixel or SDK, there are no alerts or safeguards to prevent non-compliant data sharing. 

Additionally, non-compliance can occur if the CMP is not updated when changes are made to the website or app by the engineering or marketing team. Unfortunately for privacy teams, companies have an increasing number of websites and apps, and they are being updated constantly with releases often occurring weekly. 

How Privado continuously monitors consent and ensures compliance 

Privado monitors consent compliance by running scans that simulate various user interactions and verify the expected behavior on websites and apps.

With the following capabilities, our consent compliance solution can ensure CMPs and consent banners function properly to collect and act on user consent. 

Set regular consent compliance scans across all websites and apps

  • Schedule recurring scans on all live websites and apps according to your software release cadence
  • Get scan results in minutes 
  • Run scans on websites and apps in staging to prevent non-compliant updates from going live

Run compliance checks for GDPR, CPRA, IAB, and GPC

Consent banner visibility

  • Check that consent banners load properly on every website and app 
  • Generate screenshots to validate banner visibility

[Figure: Example consent banner visibility check]

Data flow checks according to applicable regulations 

GDPR

  • Third-party cookie blocking: Ensure third-party cookies are only used if the user opts in
  • Network requests: Flag any third-party pixels or SDKs that collect data without opt-in consent
  • IAB Transparency and Consent Framework (TCF): Validate that data is only shared for the purposes and third parties that the user has opted into
  • User ID storage: Check that first-party cookies and other user IDs are only stored with opt-in consent
  • Prebid configuration: Ensure no personalized ad auctions occur on the web page or app unless the user has given consent
  • Run all checks for each EU country’s version of websites and apps

CPRA/CCPA

  • Third-party cookie blocking (traditional opt-out): Ensure third-party cookies are blocked if the user opts out on the website or app
  • Third-party cookie blocking (GPC signal): Ensure third-party cookies are blocked if the user opts out using the browser’s GPC signal for all websites
  • Network requests (traditional opt-out): Flag any third-party pixels or SDKs that collect data if the user opts out on the website or app
  • Network requests (GPC signal): Flag any third-party pixels or SDKs that collect data if the user opts out using the browser’s GPC signal for all websites

[Figure: Consent compliance check dashboard]

Immediately notify privacy team of compliance risks

  • Receive automated risk alerts for each banner, cookie, pixel, tag manager, or SDK that violates your consent policies 
  • Identify the reason for each risk and get recommended steps for resolution

[Figure: Example consent compliance risk alert]

Link risks to code-based evidence to accelerate resolution 

  • Download HAR file showing network log from consent compliance simulation  
  • Identify exact code causing each consent compliance risk 

[Figure: Example code strings causing risks]
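The data flow checks listed under GDPR and CPRA/CCPA above, applied to the kind of HAR network log described under code-based evidence, can be expressed as a small rules engine. The following Python is an added example and is not Privado’s code: it reads a HAR-style capture from a scan that simulated one consent state, classifies each request and each cookie a response tries to store as first- or third-party, and reports the observations that are non-compliant for that state. The hostnames, the HAR excerpt, the scenario names, and the "collects data" heuristic are constructed assumptions; a production checker would use the Public Suffix List and a tracker catalogue instead of the last-two-labels shortcut used here.

```python
"""Added example: evaluate a HAR-style network log against simulated consent states.

Not Privado's code. Assumes the HAR was captured by a scan that simulated one
consent state; hostnames, rules and heuristics are simplifications for illustration.
"""
from __future__ import annotations

import json
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE = "https://www.example-shop.test/"  # constructed first-party site

# Constructed HAR excerpt (not a real capture): the document request, a marketing
# pixel that drops a cookie and receives an email address, a first-party script, and
# a third-party font load that carries no data.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": SITE, "headers": [{"name": "Sec-GPC", "value": "1"}]},
     "response": {"headers": [{"name": "Set-Cookie",
                               "value": "session=abc; Domain=example-shop.test; Path=/"}]}},
    {"request": {"url": "https://pixel.adnet.test/collect?email=a%40b.test&order=42", "headers": []},
     "response": {"headers": [{"name": "Set-Cookie",
                               "value": "uid=xyz; Domain=adnet.test; SameSite=None; Secure"}]}},
    {"request": {"url": "https://cdn.example-shop.test/app.js", "headers": []},
     "response": {"headers": []}},
    {"request": {"url": "https://fonts.cdnhost.test/body.woff2", "headers": []},
     "response": {"headers": []}},
]}})

# Same site captured without the GPC header (constructed), to show the scenario guard.
NO_GPC_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": SITE, "headers": []}, "response": {"headers": []}},
]}})

# Observations that are non-compliant in each simulated consent state.
SCENARIO_RULES = {
    "gdpr_no_consent": {"first_party_cookie", "third_party_cookie", "third_party_request"},
    "cpra_opt_out": {"third_party_cookie", "third_party_request"},
    "cpra_gpc": {"third_party_cookie", "third_party_request"},
    "opt_in": set(),
}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption for
    the example; real code should consult the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url: str, site_url: str) -> bool:
    """True when the request host is outside the site's registrable domain."""
    return registrable_domain(urlsplit(url).hostname or "") != \
        registrable_domain(urlsplit(site_url).hostname or "")


def cookies_set(entry: dict) -> list[tuple[str, str]]:
    """Return (name, domain) for every cookie the response tries to store."""
    host = urlsplit(entry["request"]["url"]).hostname or ""
    found = []
    for header in entry["response"].get("headers", []):
        if header["name"].lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(header["value"])
        for name, morsel in jar.items():
            found.append((name, morsel["domain"] or host))
    return found


def collects_data(entry: dict) -> bool:
    """Heuristic: a request carries data if it has a query string or a POST body."""
    req = entry["request"]
    return bool(urlsplit(req["url"]).query) or bool(req.get("postData", {}).get("text"))


def gpc_sent(har_text: str) -> bool:
    """Did the simulated browser send 'Sec-GPC: 1' on the document request?"""
    doc = json.loads(har_text)["log"]["entries"][0]["request"]
    sent = {h["name"].lower(): h["value"] for h in doc.get("headers", [])}
    return sent.get("sec-gpc") == "1"


def evaluate(har_text: str, site_url: str, scenario: str) -> list[dict]:
    """Return one finding per non-compliant cookie or request for the scenario."""
    rules = SCENARIO_RULES[scenario]
    if scenario == "cpra_gpc" and not gpc_sent(har_text):
        # A GPC scenario captured without the signal proves nothing about GPC honoring.
        raise ValueError("GPC scenario captured without 'Sec-GPC: 1' on the document request")
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        third = is_third_party(url, site_url)
        for name, domain in cookies_set(entry):
            kind = "third_party_cookie" if third else "first_party_cookie"
            if kind in rules:
                findings.append({"check": kind, "url": url, "detail": f"{name} on {domain}"})
        if third and "third_party_request" in rules and collects_data(entry):
            findings.append({"check": "third_party_request", "url": url,
                             "detail": urlsplit(url).query or "POST body"})
    return findings


if __name__ == "__main__":
    for state in SCENARIO_RULES:
        print(state, evaluate(SAMPLE_HAR, SITE, state))
```

Under `gdpr_no_consent` the sample yields three findings (the first-party session cookie, the third-party `uid` cookie, and the pixel request carrying an email address), under the two CPRA opt-out states only the two third-party observations, and under `opt_in` none; the third-party font load is never flagged because it carries no data. The GPC scenario first confirms that the simulated browser actually sent the `Sec-GPC: 1` request header, since a capture without it cannot show whether the site honors the signal.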


Ben leads product marketing at Privado
