{"id":23332,"date":"2023-05-10T08:57:40","date_gmt":"2023-05-10T08:57:40","guid":{"rendered":"https:\/\/e-cens.com\/?p=23332"},"modified":"2024-10-29T14:31:14","modified_gmt":"2024-10-29T14:31:14","slug":"data-privacy-on-the-rise-part-2-how-does-a-cmp-work","status":"publish","type":"post","link":"https:\/\/e-cens.com\/blog\/data-privacy-on-the-rise-part-2-how-does-a-cmp-work\/","title":{"rendered":"Data Privacy on the rise:\u00a0Part 2 \u2013 How does a CMP work?"},"content":{"rendered":"\n<p>In the first part of this series &#8220;<a href=\"https:\/\/e-cens.com\/blog\/data-privacy-on-the-rise-part-1-introduction-and-risk-analysis\/\" data-type=\"link\" data-id=\"https:\/\/e-cens.com\/blog\/data-privacy-on-the-rise-part-1-introduction-and-risk-analysis\/\">Introduction and Risk Analysis<\/a>&#8220;, we&#8217;ve provided you with an overview of which data protection regulations exist, which requirements you need to meet in order to collect data in compliance with the GDPR, and what the consequences are.<\/p>\n\n\n\n<p>In this part, we will address the question how a CMP (Consent Management Platform) technically works.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-do-i-see-consent-banners-over-and-over-again\">Why do I see consent banners over and over again?<\/h2>\n\n\n\n<p>Perhaps you have wondered why you keep seeing the consent banner on a website, even though you have already made your decision? Well, there can be different reasons for that. <\/p>\n\n\n\n<p>Apart from special situations, the most likely reason is that you are visiting the website with different devices or browsers. This is because, just like most web analytics systems, the CMP cannot recognize a user across different browsers or devices. So let&#8217;s have a look on how the CMP works.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Users are browser instances<\/h2>\n\n\n\n<p>So, when a user visits the page of a website where a CMP has been implemented correctly, this particular CMP will be involved immediately.<\/p>\n\n\n\n<p>In other words, if a user visits the website for the first time (or repeatedly without having made an explicit decision), the corresponding Consent banner will be displayed.<\/p>\n\n\n\n<p>If the user has already made an explicit decision in a previous session, this decision is used to fire those technologies to which the user has consented.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"480\" src=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Privacy-Regulations-Browser-Instance-CMP.gif\" alt=\"\" class=\"wp-image-23333\"><\/figure>\n\n\n\n<p>So how does the CMP distinguish the user and how does the CMP know what technology the user has consented to?<\/p>\n\n\n\n<p>First, let&#8217;s take a look at how the CMP identifies a user. To do this, we will review the CMPs from <strong>Usercentrics <\/strong>and <strong>OneTrust<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Usercentrics<\/h2>\n\n\n\n<p>As soon as a web page is opened in the browser where Usercentrics is implemented, a <strong><em>controllerId<\/em><\/strong> is generated and stored in the browser&#8217;s <strong><em>Local Storage<\/em><\/strong>.<\/p>\n\n\n\n<p>Initially, it does not matter whether the user explicitly consents to the use of technologies or not &#8211; the <strong><em>controllerId<\/em><\/strong> only serves the purpose of recognizing the user or the browser instance.<\/p>\n\n\n\n<p>In the context of this <strong><em>controllerId<\/em><\/strong>, however, the explicit consent or rejection of technologies by the user is also stored.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"480\" src=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Privacy-Regulations-CMP-Usercentrics-ControllerID.gif\" alt=\"\" class=\"wp-image-23337\"><\/figure>\n\n\n\n<p>The main advantage of storing the <strong><em>controllerId<\/em><\/strong> as well as the explicit consent\/rejection in the <strong><em>Local Storage<\/em><\/strong> is primarily that this &#8211; unlike cookies &#8211; cannot be automatically deleted without further intervention.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">OneTrust<\/h2>\n\n\n\n<p>If a user now opens a web page in the browser where OneTrust is implemented, a so-called <strong><em>consentId<\/em><\/strong> is created. However, unlike Usercentrics, this is not stored in the browser&#8217;s local storage, but rather as a <strong><em>cookie<\/em><\/strong>.<\/p>\n\n\n\n<p>Similar to Usercentrics, it does not matter whether the user explicitly consents to the use of technologies or not, because the <strong><em>consentId<\/em><\/strong> also is used to recognize the user or the browser instance.<\/p>\n\n\n\n<p>In the context of this <strong><em>consentId<\/em><\/strong>, the user&#8217;s explicit consent to or rejection of categories is also stored.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"853\" height=\"480\" src=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Privacy-Regulations-CMP-OneTrust-consentId.gif\" alt=\"\" class=\"wp-image-23341\"><\/figure>\n\n\n\n<p>Storing this data in a cookie carries the risk that it will be deleted as well when cookies are deleted (e.g. via the browser settings) and the user will then be presented with the Consent banner again.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Visiting the website for the second or repeated time<\/h2>\n\n\n\n<p>Now, as soon as the user visits the website for the second or repeated time, the CMP extracts the stored information regarding the given or denied consent and then pushes this information into the browser&#8217;s data layer.<\/p>\n\n\n\n<p>This information can then be used by the corresponding technology to fire a tag or not. In this way, you ensure that the tags requiring consent are actually only fired if the user has indeed given his or her consent.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Using data provided by CMP<\/h2>\n\n\n\n<p>Now let&#8217;s take a look at how we can use information provided by the CMP with Google Tag Manager.<\/p>\n\n\n\n<p>First and foremost, the CMP provides the user-given consents in the DataLayer of the GTM upon initialization. How this is done depends primarily on the CMP being used.<\/p>\n\n\n\n<p>For example, the CMP from Usercentrics provides the consent for each configured technology granularly in the dataLayer:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-Usercentrics.jpg\" alt=\"Usercentrics provides detailed information: if the user consented or not is outlined for each technology.\" class=\"wp-image-23345\" srcset=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-Usercentrics.jpg 960w, https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-Usercentrics-600x338.jpg 600w, https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-Usercentrics-300x169.jpg 300w, https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-Usercentrics-768x432.jpg 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p>OneTrust\u2019s CMP, on the other hand, groups several technologies into categories and thus only stores the category number in the dataLayer for which there is a consent:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-OneTrust.jpg\" alt=\"OneTrust provides consent information by showing categories where the users\u2019 consent is organized and stored.\" class=\"wp-image-23349\" srcset=\"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-OneTrust.jpg 960w, https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-OneTrust-600x338.jpg 600w, https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-OneTrust-300x169.jpg 300w, https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/Data-Layer-Values-for-OneTrust-768x432.jpg 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p>Both approaches have their advantages and disadvantages, which I will discuss in more detail in another article.<\/p>\n\n\n\n<p>The information available in the dataLayer can now be stored in a data layer variable and used accordingly in the configuration of triggers for the respective tags.<\/p>\n\n\n\n<p>So, for example, if you want to customize the trigger to fire the Google Analytics tag, you will fire the trigger only if the dataLayer had the value<\/p>\n\n\n\n<ol style=\"list-style-type:lower-alpha\" class=\"wp-block-list\">\n<li>&#8220;Google Analytics: true&#8221; when using Usercentrics or<\/li>\n\n\n\n<li>&#8220;C0002&#8221; in &#8220;OnetrustActiveGroups&#8221; when using OneTrust.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Potential problems<\/h2>\n\n\n\n<p>However, the procedure described here can also lead to so-called race conditions.<\/p>\n\n\n\n<p>A race condition is an undesirable situation that occurs when the GTM attempts to trigger two or more triggers simultaneously, but these fail due to event sequence or missing data in the data layer.<\/p>\n\n\n\n<p>Therefore, it is necessary to ensure that the information and events provided can be executed in the correct order. A proven means in GTM is, for example, the use of trigger groups.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Need help?<\/h2>\n\n\n\n<p>When you are unsure if you are experiencing a race condition or if you are completely unfamiliar with implementing a CMP, feel free to <a href=\"https:\/\/e-cens.com\/contact-us\/\"><strong>turn to us at e-CENS<\/strong><\/a> &#8211; we&#8217;re here to help.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Upcoming<\/h2>\n\n\n\n<p>The next part of the series will focus on how to compensate for the gaps created by the lack of consent&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the first part of this series &#8220;Introduction and Risk Analysis&#8220;, we&#8217;ve provided you with an overview of which data protection regulations exist, which requirements you need to meet in order to collect data in compliance with the GDPR, and what the consequences are. In this part, we will address the question how a CMP [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":23361,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_eb_attr":"","content-type":"","ub_ctt_via":"","footnotes":""},"categories":[212,211,76],"tags":[179,178,180,168,169,210,209],"class_list":["post-23332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cmp","category-data-privacy","category-other","tag-cmp","tag-consent","tag-consent-management-platform","tag-data-privacy","tag-gdpr","tag-onetrust","tag-usercentrics"],"acf":[],"featured_image_src":"https:\/\/e-cens.com\/wp-content\/uploads\/2023\/05\/e-cens_data-privacy-on-the-rise_banner-2.png","author_info":{"display_name":"Holger Tempel","author_link":"https:\/\/e-cens.com\/author\/holger\/"},"_links":{"self":[{"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/posts\/23332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/comments?post=23332"}],"version-history":[{"count":1,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/posts\/23332\/revisions"}],"predecessor-version":[{"id":31399,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/posts\/23332\/revisions\/31399"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/media\/23361"}],"wp:attachment":[{"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/media?parent=23332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/categories?post=23332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/e-cens.com\/wp-json\/wp\/v2\/tags?post=23332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}