According to Article 5(3) of the European Union ePrivacy Directive, website owners must adequately inform users and obtain their consent before setting cookies or any other technology falling within the scope of the directive.
This is a form of implied consent and in fact a very problematic approach from a legal perspective, for the following reasons:
Cookies are usually set in the visitor’s browser automatically when they land on the website for the first time, without any possibility of rejecting them. This also means that the user has no means of understanding which providers are going to set cookies, how the cookies are going to be used, and what the other terms of processing the user’s personal data are.
A recent EU court decision about cookie-consent
Implications to website owners
Here are examples of Cookie Management Platform (CMP) end-user facing functionality from CookieFirst.
Cookie consent banner
Adjusting cookie settings
Review specific cookies
Implications to N.Rich setup
When using the “legacy” implied consent model, there is no possibility of verifying that active, informed consent was actually given by the user. This creates a risk of cookies being set illegally without consent, which could result in disruptions in the use of the data and, in the worst case, in being found guilty of violating the GDPR and fined a maximum amount of 20 million euros. In order to avoid such risks, N.Rich recommends the following actions:
Migrating to an informed, explicit cookie consent model by using a Cookie Management Platform as soon as possible.
While the “legacy” implied consent model is used, only the N.Rich Cookieless Tag should be used. This tag does not set cookies, so it can be used safely even without consent from the end user. Even with some downsides of using the Cookieless Tag, the benefits of ABM are far greater than delaying the launch because of a missing explicit consent process. The downside of using only the Cookieless Tag is that the analytics and optimization functionalities of N.Rich won’t be able to identify a specific user; all data is aggregated at the account level.
After upgrading to a CMP that supports receiving explicit cookie consent, the N.Rich Cookieless Tag should still be used until the user explicitly accepts the cookies. After consent has been granted, the N.Rich Standard Tag should be used; it takes advantage of cookies and enables optimisation and analytics at the person / cookie level.
How to implement N.Rich tags using a CMP and a Tag Manager
When using a CMP, a special first-party cookie is set for the user to denote the cookie consent. The Tag Manager can typically access this cookie, and it can be used as the basis of a rule about which tag to load. For example:
If cookie-consent = 1, fire N.Rich Standard Tag
If cookie-consent = 0 or not available, fire N.Rich Cookieless Tag
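The rule above as a fail-closed check, written as an added example (not N.Rich's or any CMP's own code). The cookie name `cookie-consent` and the values `1`/`0` come from the rule as written; the function names and the sample cookie strings are assumptions constructed for illustration, and a real CMP will use its own cookie name and format.

```javascript
// Added example: choose which tag to fire from the CMP consent cookie.
// Anything other than an unambiguous "1" falls back to the Cookieless Tag.
const CONSENT_COOKIE = "cookie-consent"; // name taken from the rule above

// Split a document.cookie-style string into [name, value] pairs.
function parseCookies(cookieString) {
  const pairs = [];
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // fragment without "=", ignore it
    pairs.push([part.slice(0, eq).trim(), part.slice(eq + 1).trim()]);
  }
  return pairs;
}

// Returns "standard" only when the consent cookie is present and every
// copy of it is exactly "1"; otherwise returns "cookieless".
function selectTag(cookieString) {
  const values = parseCookies(cookieString)
    .filter(([name]) => name === CONSENT_COOKIE) // exact name, no substring match
    .map(([, value]) => value);
  if (values.length === 0) return "cookieless"; // consent not available
  return values.every((v) => v === "1") ? "standard" : "cookieless";
}

// Constructed sample cookie strings (not taken from a real site).
const SAMPLES = [
  "cookie-consent=1",                   // explicit consent
  "lang=en; cookie-consent=0",          // explicit rejection
  "lang=en",                            // no decision yet
  "xcookie-consent=1",                  // similar name, must not count
  "cookie-consent=1; cookie-consent=0", // conflicting duplicates
  "cookie-consent=true",                // unexpected value
];

function classifySamples() {
  return SAMPLES.map((s) => selectTag(s));
}

// In a browser, the same check would read the live cookie string.
if (typeof document !== "undefined") {
  console.log("Tag to fire:", selectTag(document.cookie));
}
```
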
Since the N.Rich Cookieless Tag does not use cookies, it is not dependent on the cookie consent and should be fired outside the scope of the CMP. However, if it is absolutely necessary from a technical perspective, the N.Rich Cookieless Tag can also be included within the scope of the CMP in the “Necessary” category.
The N.Rich Standard Tag should be placed in the marketing or advertising category of cookies within the CMP.