Implementation of cookie consent management for 500+ websites in less than six months for GDPR/ePrivacy compliance, further deployment and optimization after initial implementation
Challenge
The General Data Protection Regulation (GDPR) and the ePrivacy Directive require website owners to obtain consent from website visitors in the EU before setting cookies that are not strictly necessary for the website to work. Similar laws are in place in the UK (the Privacy and Electronic Communications Regulations) and in Brazil (the Lei Geral de Proteção de Dados Pessoais, LGPD), and are in preparation in countries like Canada, Switzerland and India.
What are cookies? Cookies are small text files that are sent to your computer when you visit a website. Cookies are used for storing, for example, your language preferences, your credentials so that you can return to a protected area without entering them again, or your shopping cart in an online shop so that you can continue shopping after having temporarily left the shop. Besides those functional (and very useful) cookies, there are also so-called performance cookies, which track how you use a website to allow the website owner to optimize, for example, marketing campaigns, and targeting cookies, which store information about your website visits for advertising purposes.
Cookie banners have been in use for years. However, website visitors were merely informed that the website uses cookies and that by continuing they accept this. This is not compliant with the above “cookie laws”, which require website owners to:
- Obtain users’ consent before setting any cookies except strictly necessary cookies
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received
- Document and store consent received from users
- Allow users to access the website even if they refuse to allow the use of certain cookies
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place
Non-compliance with cookie laws puts organizations at significant financial and reputational risk. The first cases were seen in France in December 2020, when the French data regulator (CNIL) fined Google 100 million euros for non-compliant cookie management and Amazon 35 million euros for automatically placing advertising cookies when visiting amazon.fr.
The initial situation with our customer was that a cookie consent management tool (SaaS) had been selected and implemented for some corporate communication sites. However, the implementation scope was not clear, as no accurate website inventory was available. Furthermore, the capabilities for a quick and resource-saving implementation that also ensures no new website goes live without proper cookie consent management were not available.
What KVALITO did
- Management of a 10-week planning phase with:
  - Definition of an accurate implementation scope by establishing a website inventory based on multiple existing inventories
  - Standardization of text for the cookie banner and the cookie preference centre (element to manage cookie settings) in collaboration with the data privacy organization
  - Development of 3 design templates for the cookie banner with limited personalization possibilities in collaboration with UX experts
  - Design of an efficient implementation process with a project office facilitating communication between website owners and technical implementation specialists
  - Development of controls to ensure the sustainability of the compliance status
- Management of a 10-week implementation period for approx. 500 websites for an audience of EU/UK residents
  - Mobilization of website owners
  - Development of a design proposal for each website in scope
  - Implementation of the design (after approval or revision by the website owner) in the consent management tool and generation of the scripts for consent management integration into websites
  - Support of internal and external (80+ agencies) web developers for web integration
  - Validation of the consent management for all websites
- Development and implementation of operations processes for new websites and changes to existing websites
- Establishment of a monthly review and reporting cycle to measure sustainability of operations processes
- Development of a monthly acceptance rate report to inform website owners about numbers regarding new visitors and their cookie management decision
- Implementation of a major text and design change which facilitated a cookie acceptance increase of 20-150%
- Onboarding of 4 new countries (Brazil, Canada, Switzerland and India)
- Deployment of a similar solution to mobile applications following the same implementation process
People, Processes and Tools
People / Roles:
- Project and Service Manager
- Project Office
Processes:
- Website and Mobile Assessment
- Remediation Management
- Website and Mobile Governance
- Data Privacy Compliance Management
- Website and Mobile Change Management
- Periodic Website and Mobile Quality Control
Tools and Technologies:
- OneTrust (Cookie Consent Management, Mobile Application Consent Management)
- Drupal web content management
- Episerver web content management
- HTML5
Value Delivered
- Reduction of implementation time and effort by > 50 % compared with initial customer expectation
- Efficient and action-oriented privacy remediation of digital assets before compliance gaps receive the attention of authorities
- Transparent status for data privacy stakeholders through periodic quality controls
- Increase of availability of analytics data after cookie banner design optimization
Clients / References:
- Novartis