Consent Banner Compliance: Is Your Website’s Consent Banner Meeting Privacy Regulations?
- Kaitlyn Fisher
We’re thrilled to introduce a new feature on our Privacy Edge platform: consent verification.
We recently published a research report and uncovered something quite striking: over 90% of websites load cookies before any interaction with the consent banner (like accepting or rejecting all cookies), with an average of 18 third-party cookies loading before any interaction occurs. And once loaded, removing cookies from the site becomes nearly impossible. This poses a significant challenge for website visitors who expect (and are assured) that their data won’t be shared until they provide permission, except for “Strictly Necessary” cookies and scripts. It also poses a significant challenge for companies, because cookies loaded without user acceptance create legal and privacy risk for the website owner.
This finding underscores the pressing need for companies to ensure their consent banners are properly configured. If not, they need practical steps to rectify the situation. This is what prompted the development of our new consent verification feature.
How consent verification works
Our consent verification feature assesses the outcomes when a user interacts with a consent banner, choosing to accept all, reject all, or take no action. It examines the implications of each scenario and provides answers to critical questions:
- What cookies, trackers, and tags are active on the website in each user state (reject, accept, no interaction)?
- Where are they located (on which web pages)?
- After the user hits reject all, did anything load on the site that should have been blocked?
- Are there trackers, pixels, or tags loaded on the site that weren’t surfaced in the consent banner?
- Are any piggybacking trackers appearing on the site but not placed there by the website owner?
Our detailed report with the results can be used to review and rectify any issues with the consent banner.
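The comparison across the three consent states can be sketched as follows. This is an added example, not Privacy Edge's implementation: the observation records, domains, cookie names and issue labels are constructed, and treating anything whose initiator is not the site itself as piggybacked is an assumption.

```javascript
// Added example with constructed data; every name and domain here is hypothetical.
const SITE = "shop.example";                                 // first-party domain
const NECESSARY = new Set(["session_id", "consent_state"]);  // "Strictly Necessary" allowlist
const DECLARED = new Set([...NECESSARY, "_analytics_id"]);   // items the banner lists

// One record per item a crawler saw: page, consent state, kind, name, domain, initiator.
const observations = [
  ["/", "no_interaction", "cookie", "session_id", SITE, SITE],
  ["/", "no_interaction", "cookie", "_analytics_id", "metrics.example", SITE],
  ["/", "reject_all", "cookie", "session_id", SITE, SITE],
  ["/", "reject_all", "pixel", "ad-pixel.gif", "ads.example", SITE],
  ["/", "accept_all", "cookie", "_analytics_id", "metrics.example", SITE],
  ["/", "accept_all", "cookie", "sync_uid", "partner.example", "ads.example"],
  ["/landing/promo", "no_interaction", "script", "tag.js", "ads.example", SITE],
].map(([page, state, kind, name, domain, initiator]) =>
  ({ page, state, kind, name, domain, initiator }));

// Flag each observation against the questions in the list above.
function auditConsent(obs, { site, necessary, declared }) {
  const findings = [];
  for (const o of obs) {
    const issues = [];
    const needsConsent = !necessary.has(o.name);
    if (needsConsent && o.state === "no_interaction") issues.push("loaded_before_interaction");
    if (needsConsent && o.state === "reject_all") issues.push("loaded_after_reject");
    // Checked for every kind, so a pixel or script that sets no cookie is still caught.
    if (!declared.has(o.name)) issues.push("not_in_banner");
    // Assumption: an item requested by anything other than the site itself is piggybacked.
    if (o.initiator !== site) issues.push("piggybacked");
    if (issues.length > 0) findings.push({ ...o, issues });
  }
  return findings;
}

// Pages on which a given issue occurs ("where are they located?").
function pagesWith(findings, issue) {
  const pages = findings.filter((f) => f.issues.includes(issue)).map((f) => f.page);
  return [...new Set(pages)].sort();
}

const findings = auditConsent(observations,
  { site: SITE, necessary: NECESSARY, declared: DECLARED });
for (const f of findings) {
  console.log(`${f.state} ${f.page} ${f.domain} ${f.name}: ${f.issues.join(", ")}`);
}
```

In practice the observation records would come from crawling each page once per consent state and recording cookies and network requests; the banner's declared list and the necessary allowlist come from the consent tool's own configuration.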
A properly working consent banner is essential as more laws require opt-in or opt-out mechanisms for data sharing via third parties. Take, for instance, the Washington My Health My Data law, which mandates opt-in for data sharing. It’s crucial that consent tools block all data sharing without proper consent. This new feature assures users that their consent banners comply with evolving regulations.
Consent tools require ongoing management
There’s a misconception that cookie consent tools can be set and forgotten. In reality, keeping these tools up to date is an ongoing, often very manual process.
We identified the following concerning trends in the current consent management process:
- There’s no standardized distinction between performance, analytics, and advertising trackers. Advertising tools can often be misclassified as ‘analytics’ or ‘performance’ trackers. A user who allows performance cookies but not advertising cookies could unknowingly give permission to advertising tools.
- Consent banners frequently misclassify or overlook cookies and trackers—one website we examined listed nine cookies in its consent banner for users to accept or reject. However, in reality, clicking “Accept All” would deploy 74 cookies, 66 of which are third-party.
- Technologies like fingerprinters, pixels, beacons, and trackers, which are used to identify users and share customer data, are often excluded from consent tools. These tools primarily look for cookies, so if a tracker doesn’t set a cookie, it may be excluded from the consent banner, and data might still be collected and shared, unbeknownst to the user.
- The dynamic nature of the web means tracker changes may go unnoticed by consent tools, so new trackers might not be surfaced in the banner at all, and users end up unknowingly consenting to undesired data collection.
- We frequently find the consent banner missing from certain website pages, especially things like one-off landing pages. Nothing prevents “unnecessary” tags from being dropped on these pages. As a result, users are exposed to tracking even though they haven’t given their consent.
- The opt-out doesn’t sync across browsers or different devices, meaning users may inadvertently share data on one browser or device they intended to keep private due to inconsistencies in opt-out settings.
These are just some of the challenges we have identified with traditional consent management tools. Our consent verification feature was developed to pinpoint shortcomings and potential compliance issues. It is available to all Privacy Edge users and as a standalone analysis to non-Privacy Edge users.