Understanding GDPR and Cookie Compliance in online data collection

19 April 2024 | 5 minutes of reading time

To ensure a robust protection of individuals’ personal data while also fostering innovation and economic development in the European Union, the General Data Protection Regulation (GDPR) has been in effect since May 2018
The GDPR is continually evolving to address the impacts of emerging technology such as AI and increasing global initiatives on data protection and privacy regulations. Around mid-2024, the European Commission is scheduled to publish an evaluation of the EU GDPR. However, it is clear that the GDPR is here to stay. But how does this regulation affect the way you collect online data of your customers? 

 Online data collection under GDPR

In the present day, companies are faced with the challenges of ensuring compliance with GDPR regulations, while effectively managing tracking and processing of your customer data. We all know that securing user consent for data processing, especially in relation to cookies, is a crucial factor. Using Tag Management Systems such as Google Tag Manager plays an important role in ensuring compliance. These tools simplify the implementation of tracking, making the data collection processes more efficient. However, they also introduce the capability to implement control mechanisms that determine who, when and what can be tracked. Let’s dive deeper into this capability using Google Tag Manager as an example. 

Google Tag Manager

Google Tag Manager is a tool created to streamline the organization and implementation of online data collection on websites, eliminating the necessity for development. Through Google Tag Manager, you can easily integrate a variety of tracking solutions, such as Google Analytics, Google Ads, and other tracking tools, to acquire eg. valuable information about your website’s effectiveness and user interaction. Depending on your use case, this information empowers your business to consistently improve and elevate your online activities. Some common applications of Google Tag Manager include:

1. Collecting insights on website page views.

2. Tracking user interactions such as button clicks.

3. Capturing data on outbound links or external clicks.

4. Tracking conversions, particularly within Google Ads campaigns.

5. Analysing user behaviour, including scrolling patterns and on-page interactions.

6. Collecting user-specific information such as geolocation, device type, and screen dimensions.

Google Tag Manager operates on the principle of tags and triggers.Tags are snippets of code provided by various marketing and analytics tools, such as Google Analytics, Google Ads, or custom HTML tags, that collect specific types of data about user interactions on a website. These tags are managed and deployed through Google Tag Manager.

Triggers determine when tags should be fired or executed on a website. Triggers are conditions or events that occur during a user’s interaction with the website, such as page loads, clicks on buttons or links, form submissions, or specific scrolling actions.

Suppose you want to track clicks on the order button in your website using Google Analytics. In this scenario:

– The tag would be the Google Analytics tracking code provided by Google.

– The trigger would be the specific event of clicking on the button.

By configuring Google Tag Manager to fire the Google Analytics tag when the button click trigger occurs, the website owner can effectively track and analyze user interactions without directly modifying the website’s code.

Under the GDPR, the tag itself is not the challenge; rather, the trigger is. The trigger determines who is allowed to track, what can be tracked, and when tracking is permissible, based on the user consent information. In tag management, it is considered necessary to have this information available in your tag management system to configure the triggers accordingly.

Misconceptions about cookie regulation 

There is a common misconception that utilizing Google’s tools automatically ensures compliance with GDPR.While Google does provide tools and support, relying solely on their platform for GDPR compliance may result in neglecting key aspects and potential vulnerabilities in data protection. A part of the GDPR are regulations on how third-party cookies are applied by tracking solutions to keep track of users. But keep in mind that the GDPR does not equal ‘the application of tracking cookies’. That is one of the many misconceptions. Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. Despite their importance, the regulations governing cookies are split between the GDPR and the ePrivacy Directive (ePD).Let’s look into a few common  misunderstandings and what it means for you..

A common misconception about GTM is related to the cookies and the assumption that by implementing a cookie consent banner alone, websites automatically become compliant with privacy regulations such as the GDPR. The regulation of tracking cookies is part of the European ePD, which supplements and sometimes overrides the GDPR.

Another misconception is that compliance involves just displaying a consent banner. However, it requires ensuring that all cookies and tracking scripts deployed through GTM are configured to respect user preferences regarding data collection and processing. This means adjusting the settings within GTM to control when cookies are set and ensuring that they are only activated after obtaining explicit consent from users. Simply displaying a consent banner without proper configuration of GTM and associated tags may still result in non-compliance with the ePD and other relevant regulations. 

The next misunderstanding about GTM and cookies relates to the belief that all cookies are subject to the same consent requirements. In reality, there are different types of cookies, such as essential, functional, and third-party tracking cookies, each with varying implications for user privacy and consent.

One may assume that obtaining consent for one type of cookie covers all cookies deployed on their site. However, the privacy regulations require differentiated consent for different types of cookies based on their purpose and impact on user privacy. Failure to differentiate between these cookie types and obtain appropriate consent for each category can lead to non-compliance with regulations.

Therefore, it’s crucial for businesses to understand the types of cookies used on their site, their purposes, and the corresponding consent requirements. This includes configuring GTM to manage cookies and tracking effectively.

Solution

To effectively address the complexities and potential pitfalls associated with Google Tag Manager , cookies, and compliance with regulations like GDPR and the ePD, you can adopt several strategies:

1. Comprehensive Audit: Conduct a thorough audit of all cookies and tracking scripts deployed on the website through GTM. Identify the types of cookies used, their purposes, and the associated data collection and processing activities.

2. Cookie Policy Review: Review and update the website’s cookie policy to provide clear and transparent information to users about the types of cookies used, their purposes, and how user data is processed. Ensure that the cookie policy reflects any changes made to cookie settings in GTM.

3. Consent Management: Implement a robust consent management system that allows users to provide granular consent for different types of cookies. This may include essential cookies, functional cookies, and third-party tracking cookies. Ensure that GTM is configured to respect user preferences and only deploy cookies after obtaining explicit consent.

4. Tag and Trigger Configuration: Adjust tag setups and trigger mechanisms within GTM to align with user consent preferences. This involves configuring GTM to activate tags and tracking scripts only after obtaining valid consent from users. Consider implementing conditional triggers based on user interactions and consent status.

5. Regular Monitoring and Updates: Continuously monitor GTM configurations, cookies, and consent mechanisms to ensure ongoing compliance with regulations and best practices. Regularly update cookie settings and GTM configurations as needed, especially in response to changes in regulations or website functionalities.

6. Use Google Consent Mode: Google Tag Manager can be used with Google Consent Mode to ensure that tags don’t fire unless a user has explicitly consented to having their data collected. 

Should you require further assistance or consultation on these matters, i-spark is here to provide expert guidance and support.