As of January 1, 2025, significant amendments have been introduced, particularly concerning cookie guidelines and user data collection. 

These changes aim to enhance user privacy and align Norway’s regulations with broader European standards, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

Understanding the Norwegian E-Com Act

The E-Com Act serves as Norway’s implementation of the aforementioned EU’s privacy regulations, focusing on regulating electronic communications networks and services. 

A critical aspect of this Act concerns the use of cookies and similar tracking technologies – web beacons (pixel tags) or JavaScript trackers – on websites, mobile apps, and other digital platforms. 

Cookies, small data files stored on a user’s device, are widely used to enhance user experience, facilitate website functionality, and gather data for web analytics and marketing purposes. However, in some cases, this raises concerns about user privacy.

Norway’s new cookie guidelines (2025)

The 2025 amendments to the E-Com Act introduce stricter requirements for obtaining user consent before setting cookies or other online tracking technologies. 

Previously, implied consent methods, such as pre-ticked boxes or reliance on browser settings, were considered acceptable. Under the new cookie guidelines of the E-Com Act, such practices are no longer allowed. 

Consent must now be:

• Freely given: Users must have a genuine choice without any form of coercion or deception.
• Specific: Consent should be obtained for distinct purposes, ensuring users fully know what they agree to.
• Informed: Users must be provided with clear and comprehensive information about the data being collected, its purpose, and who will process it.
• Unambiguous: Consent must be indicated through explicit affirmative action, such as ticking an unchecked box or clicking an accept button, leaving no room for misinterpretation.

Additionally, the scope of cookies that do not require consent has been narrowed. Only those deemed “strictly necessary” (instead of just “necessary” in the previous version of the E-Com law) for a website or service’s basic functionality are exempt from consent. 

This change emphasizes the importance of obtaining explicit, active consent for analytics, marketing, or tracking cookies. 

In addition, companies are to meet the following requirements:

• Classify cookies under categories (strictly necessary, marketing, functional, etc.).
• Ensure users can easily give granular consent, i.e., agree to one cookie category but not the others.
• List the categories and respective cookies in the website’s privacy or cookie policy (this step can be easily automated with a tool like Cookie Information, which updates your cookie policy according to the cookies found during your website’s scan).

Proper cookie categorization on your website is essential to complying with Norway’s updated cookie regulations. These regulations now give authorities tools to easily determine which types of cookies are strictly necessary.

Implications for data collection in web analytics

These stringent consent requirements have significant implications for data collection, particularly in the realm of web analytics. 

Web analytics relies heavily on data gathered through cookies to monitor user behavior, measure site performance, and fuel marketing strategies. 

Under the updated E-Com Act, analytics cookies do not fit into the ‘strictly necessary’ category and require user consent.

With the new regulations in force, you have to bear in mind these crucial aspects of your web analytics:

• Data availability: If users choose to withhold consent for analytics cookies, the pool of data available for analysis may diminish.
• Data accuracy: Without comprehensive data, analytics may not accurately reflect user interactions, potentially impacting business decisions.
• User trust: Transparent data practices can enhance user trust, potentially leading to higher consent rates and more reliable data. 
• Compliance: Non-compliance with the E-Com Act can result in substantial fines and reputational damage.

Therefore, organizations must adapt by implementing robust consent management solutions that allow users to easily grant or withdraw consent.

Impact of the E-Com Act compliance on businesses

The updated E-Com Act 2025 should not be considered another set of business limitations. Despite the challenges associated with stricter regulations, it offers numerous opportunities.

Here are some of them:

Building trust with users

Businesses can foster trust and loyalty by providing users with clear and detailed information about data collection practices. A privacy-centric approach can differentiate your organization from competitors who don’t comply with the new consent requirements and strengthen customer loyalty.

Future-proofing against regulatory changes

The E-Com Act aligns with broader trends toward stricter data protection laws worldwide. Compliance now ensures businesses are well-positioned to adapt to future regulations, minimizing disruptions.

Gaining competitive advantage

Adopting compliant analytics tools like Piwik PRO allows organizations to balance privacy with performance. Businesses prioritizing user privacy can market themselves as ethical and trustworthy, appealing to increasingly privacy-conscious consumers.

Improved data quality

While the new consent requirements may limit the volume of data collected, the quality of the data obtained will likely improve. With explicit user consent, businesses can have more confidence that the analyzed data reflects genuine engagement, which allows them to target their audiences more precisely.

Steps to achieve compliance with the E-Com Act

Businesses operating in Norway or targeting Norwegian users should take the following steps to ensure compliance with the newly introduced requirements:

1. Audit your current practices

• Review the types of cookies and tracking technologies used on your website.
• Identify whether you rely on implied consent or collect data without explicit user approval.

2. Implement a consent management platform

• Deploy a consent manager that allows users to give, withdraw, or modify their consent easily.
• Ensure the tool meets the E-Com Act’s requirements for obtaining clear, specific, and informed consent.

3. Update your privacy policies

• Clearly outline your data collection practices, cookie usage, and user rights in your privacy policy.
• Make the policy easily accessible to users on your website.

4. Leverage privacy-friendly analytics 

• Switch to analytics platforms like Piwik PRO that prioritize user privacy and offer robust compliance features.
• Consider using cookieless tracking to mitigate data loss while respecting user privacy.

5. Train your team

• Educate your staff on the implications of the E-Com Act and the importance of compliance.
• Provide ongoing training to ensure your team stays informed about changes in privacy laws.

How Piwik PRO can assist you in complying with the E-Com Act

Piwik PRO Analytics Suite is a privacy-friendly analytics platform that enables businesses to meet regulatory requirements while maintaining effective data collection and analysis. 

Here’s how Piwik PRO supports compliance with the stricter cookie and consent regulations:

Privacy-centered data collection

Piwik PRO enables companies to collect data in compliance with the E-Com Act, GDPR, CCPA, and similar regulations. 

Its analytics platform offers flexible solutions that allow you to adapt to privacy requirements:

• Integrated consent manager: Piwik PRO is equipped with its own consent manager. It also integrates seamlessly with consent management tools like Cookie Information, ensuring users’ consent preferences are respected at every data collection stage. Only the data authorized by the user is processed, supporting compliance with the E-Com Act’s demand for specific and informed consent.
• First-party data focus: Piwik PRO allows you to gather first-party data, which is less intrusive and aligns with privacy regulations. This helps organizations reduce reliance on third-party tracking technologies while improving data privacy.

Enhanced transparency for users

Transparency is a cornerstone of the updated E-Com Act. Piwik PRO simplifies compliance by offering functions that make it easy to communicate with users about data collection:

• Customizable cookie banners: Businesses can create transparent, user-friendly cookie banners that adhere to E-Com Act requirements. 
• Granular opt-in/out settings: Users can consent to specific types of cookies, such as those for analytics or marketing, giving them greater control over their data.

Data protection at every stage

Piwik PRO Analytics Suite is designed to protect user data throughout its lifecycle, from collection to storage and processing. Key features include:

• Data hosting in secure locations: Piwik PRO allows businesses to store data in Europe or other trusted locations.
• Retention period management: Companies can set and manage data retention periods to comply with the principle of data minimization.
• Data anonymization: This feature allows you to respect users’ privacy preferences while gaining valuable insights into their behavior on your website.
• Cookieless tracking: If you want to reduce your reliance on cookies, Piwik PRO enables cookieless tracking, an ideal alternative for companies navigating stricter cookie consent rules.

Conclusion

The Norwegian Electronic Communications Act introduces stricter requirements for data collection and cookie consent, emphasizing the importance of user privacy. 

While these changes present challenges, they offer businesses opportunities to build trust, enhance transparency, and future-proof their operations against evolving regulations.

By leveraging privacy-friendly solutions like Piwik PRO Analytics Suite, organizations can meet the E-Com Act’s demands and gain a competitive edge in today’s privacy-conscious market. 

With features like customizable cookie banners, first-party data, and cookieless tracking, Piwik PRO empowers businesses to balance compliance with effective data-driven decision-making.

Discover Piwik PRO’s privacy-friendly and E-Com-compliant analytics. Create an account or book an individual demo.

FAQ

What is the Norwegian E-Com Act?

The E-Com Act in Norway, which aligns with the European Union’s ePrivacy Directive, governs electronic communications within the country. This comprehensive legislation impacts various aspects of online interactions, including data collection, storage, and processing. 

It aims to safeguard individuals’ privacy and ensure that businesses and other digital entities responsibly handle their personal information.

When did the E-Com Act come into force?

The E-Com Act, with its latest amendments regarding cookies and user data, came into force on January 1, 2025.

What are the new cookie guidelines in Norway?

Norway’s new E-Com Act has updated cookie guidelines, requiring explicit user consent for all but strictly necessary cookies. Websites can no longer use pre-checked boxes or imply consent, and must clearly communicate their data practices. Only cookies essential for core functions are exempt. 

Analytics practices must also comply, potentially requiring consent for analytics cookies or alternative tracking methods. These changes give users more control over their data and require businesses to adapt to maintain compliance and ethical standards.

How must companies obtain user consent under the Norwegian E-Com Act?

The E-Com Act has strict requirements for user consent: it must be freely given, specific, informed, and unambiguous:

• Freely given consent means users have a genuine choice without facing negative consequences. 
• Consent must be obtained separately for each specific purpose. 
• Users must be provided with clear and comprehensive information about the data processing. 
• Unambiguous consent means it must be expressed through explicit affirmative action. Pre-checked boxes or passive methods are unacceptable.

Companies gathering cookies must also list them in their privacy policy and categorize them properly, enabling users to give granular consent, i.e. to accept only some cookie categories while declining others. See the full checklist.

Which companies must adapt to the new cookie guidelines of the E-Com Act?

Any business that operates in Norway or targets Norwegian users and utilizes cookies or similar tracking technologies on its websites and/or mobile apps must adapt to the new cookie guidelines.

How does the E-Com Act impact web analytics?

The Norwegian E-Com Act classifies analytics cookies as non-essential and requires explicit user consent before their deployment. This can lead to incomplete datasets and skewed web analytics reports, as users who decline cookies won’t be included in data collection. 

Businesses operating in Norway or targeting Norwegian users must adapt their strategies by implementing cookie consent mechanisms, exploring alternative data collection methods, or adjusting analytics practices to account for data gaps.

How can businesses comply with the E-Com Act?

To comply with the Norwegian E-Com Act, businesses should take a multi-faceted approach to data protection and privacy by following these steps:

• Conduct a thorough cookie compliance audit
• Implement a consent management platform (CMP)
• Update privacy and/or cookie policies
• Utilize privacy-friendly analytics
• Train staff on data protection
• Consider data processing agreements with vendors
• Stay informed about regulatory changes

By taking these proactive steps, businesses can navigate the complexities of the Norwegian E-Com Act, ensuring compliance and fostering trust with their customers.

How can Piwik PRO help with E-Com Act compliance?

Piwik PRO provides a comprehensive suite of tools designed to assist businesses in achieving and maintaining compliance with various data protection laws, including the Norwegian E-Com Act, while collecting user data. These tools include:

• Privacy-friendly analytics
• Integrated consent manager
• First-party data focus
• Customizable cookie banners
• Granular opt-in/out settings
• Secure data hosting
• Data retention management
• Data anonymization
• And many more

With Piwik PRO’s comprehensive suite of tools, businesses can navigate the complexities of the Norwegian E-Com Act and similar regulations, ensuring compliance while collecting valuable user data.

The post Navigating the Norwegian E-Com Act 2025: How it Impacts Web Analytics and What Steps You Should Take appeared first on Piwik PRO.

How does the integration work?

We made sure that connecting Cookie Information and Piwik PRO is as simple as possible. You can now integrate the two platforms through a native tag available in Piwik PRO Tag Manager.

The tag automatically maps all consent categories from Cookie Information to consent types in Piwik PRO. This lets you trigger tags based on consent collected via a Cookie Information banner and respect people’s choices across your marketing stack.

If you’d like to learn more about the implementation, read our help center article.

What are the benefits of the integration?

Through the integration, we want to equip our respective clients with even more effective tools to analyze and streamline customer journeys while respecting privacy every step of the way.

Cookie Information clients interested in Piwik PRO will benefit from:

• An easy way to make data collection privacy-friendly. Clients of Cookie Information can switch seamlessly to an analytics platform that fully supports their privacy compliance.
• More insights into the customer journey. By integrating with Piwik PRO, CI clients get access to a wide range of anonymous tracking methods. This allows them to gather valuable data even when visitors decline or ignore their consent requests.
• Streamlined data activation. Integration with Piwik PRO’s CDP enables CI users to activate their data using consent-based audiences. This helps them enhance their first-party data strategies while complying with data protection laws.
• Integrated consent statistics. Users can now view detailed consent statistics in Piwik PRO reports. This includes insights into banner performance, such as the number of people who refused, revoked, declined, or gave consent to tracking.

Additional reading:

• What is data activation?
• What is privacy-friendly analytics?
• How to do useful analytics without personal data?

For Piwik PRO clients, choosing Cookie Information over our native CMP is especially useful if they wish to:

• Work with a Certified Google CMP Partner that offers native integration with Consent Mode v.2. Although Piwik PRO Consent Manager also allows you to connect with Consent Mode v.2, the integration provided by CI is done by a template, making it more convenient.
• Keep visitors informed about all cookies used on your website. To align with some data protection authorities’ requirements, you need to inform visitors about cookies that are currently used on your website. Cookie Information CMP simplifies this task by automatically detecting and categorizing cookies and listing them on your cookie banner. It also generates a cookie script for your privacy policy page that updates whenever you add tools or change their settings.
• Audit cookies for compliance regularly. Using Cookie Information’s Cookie Management Platform, you can scan your cookies daily and weekly for potential privacy threats.
• Take advantage of a library of ready-made consent pop-up translations in 44 languages.
• Use features unavailable in Piwik PRO Consent Manager. They include cookie autoblocking, monitoring of cookie lifespan requirements, unclassified cookies, and non-EU/EEA data transfers.
• Be compatible with WCAG 2.1 accessibility standards and IAB / TCF 2.2 framework.

The summary

Integrating Piwik PRO Analytics Suite and Cookie Information Consent Management Platform just got much easier. Both platforms now work in greater sync, bringing more value to clients by offering compliant data collection, analytics, and activation in one package. We’ll keep you posted on updates to our shared product roadmap.

If you’d like to learn more about the capabilities of our platforms, be sure to contact us. We’ll be happy to fill you in.

The post Integrating Piwik PRO and Cookie Information CMP is now easier than ever appeared first on Piwik PRO.

Most data privacy regulations share one goal – to give individuals more control over their personal data. At the same time, with the growing awareness of the importance of privacy rights amongst users, organizations have to take privacy compliance seriously. Users want to know what information is being collected about them. That’s why companies need to precede their marketing activities with user consent if they’re going to build relationships based on trust.

A consent management platform (CMP) makes consent collection and management easier and more transparent.

What is a consent management platform?

In late 2023, Cookie Information and Piwik PRO joined forces to provide an integrated analytics and consent management offering, combining privacy-focused analytics with robust CMP capabilities.

A consent management platform is a piece of software that helps you collect and manage personal information and consent in line with data protection laws and regulations.

With a consent management platform, you can display consent banners and pop-ups to users. Cookie consent pop-ups give users detailed information on how their online behavior may be tracked, the purposes for which that information is collected, and the specific entities that will use it. Users can choose whether to grant, refuse, or revoke consent to collect their data for any specified purpose.

CMPs enable you to gain insight into users’ personal data lifecycle from the moment of opt-in to the moment of data removal.

A CMP also helps you fire tags based on users’ consent decisions and prevent them from running before you obtain legal consent.

How to choose the right consent management platform

Selecting the right CMP requires careful consideration. Thanks to the recent merger of Piwik PRO and Cookie Information, organizations now benefit from a streamlined, privacy-first solution that combines powerful consent features with actionable data insights. When evaluating platforms, consider available deployment options, resources, and key requirements.

Experts opinion

Santi Roc Castells

Director of Marketing at Cookie Information

In the selection of a consent management platform, focus on its ability to provide clear and concise consent options to users, ensuring compliance with legal requirements like GDPR and CCPA. It’s important to choose a platform that offers detailed reporting and analytics, helping you understand user preferences and consent patterns. Also, consider the vendor’s reputation, customer support, and the community or resources available for ongoing guidance in the ever-changing data privacy field.

Below, we list some things you should consider when seeking a consent management platform that suits your business needs.

Privacy and compliance

Since a consent management platform is supposed to streamline your compliance efforts, look into the privacy aspects of the CMP you go for.

You can ask a few key questions:

• Does the CMP offer flexible data residency options? For example, if you process data of EU residents, it might be a good idea to store the data in the EU and not transfer it overseas.
• What privacy regulations does the CMP help you address and how? Beyond laws that require valid user consent, there are regulations like the France’s CNIL or Germany’s TTDSG/TDDDG that you can observe by applying zero-cookie load. If you’re subject to these laws, look for a CMP that offers this feature.
• Does the CMP support different tracking methods? For example, anonymous tracking can help you satisfy compliance requirements by not collecting personal data without consent but still gathering valuable insights.

Ensure that the CMP you choose complies with relevant data privacy regulations in your jurisdiction. Look for platforms that offer features specifically designed to help you comply with these regulations, such as granular consent options and documentation capabilities.

Integration

Evaluate the integration capabilities of the CMP with your existing systems and workflows. Look for platforms that can integrate easily with your website, mobile apps, and other digital properties, as well as with your data management and marketing automation tools.

Inspect the options for integrating channels that need consent collection to ensure a smooth, secure, and synchronized data flow. Make sure that all customer actions – consents, preference changes, unsubscription requests, and data subject access request logs – are consistently reflected in all systems.

You should also check if the consent management platform can be connected with a tag management system, if you use one. This way, you can adjust settings in these tools to respond based on users’ consent.

Customization

Look for a CMP that allows for flexibility and customization to tailor the consent collection process to your specific needs and preferences. This includes the ability to customize consent banners and dialogs, as well as the flexibility to adjust consent preferences and settings based on evolving regulatory requirements or organizational policies.

Consider the customization options:

• How easily can marketers adjust the content and appearance of opt-in banners and forms?
• Can you design and connect your own fully customized consent banner if needed?

Make sure that your consent banner allows you to reflect your site’s or app’s design and branding.

Technical requirements

See whether the setup and maintenance of your consent manager requires technical resources. If you don’t want to rely on developers, choose a platform that can be managed even by less tech-savvy people.

Consider the scalability of the CMP to accommodate changes in your organization’s needs and growth over time. Choose a platform that can scale with your business, whether you’re a small startup or a large enterprise, and that can handle increasing volumes of consent transactions as your user base grows.

Evaluate the level of support and maintenance offered by the CMP provider, including availability of customer support, documentation, training resources, and software updates. Choose a provider that offers responsive and reliable support to help you troubleshoot issues and stay up-to-date with changes in regulations and best practices.

Overview of vendors

We know that finding the right software is a complex endeavor. We’ve researched leading consent management platforms in-depth to help you find the best fit for your business.

Below is a list of vendors included in our comparison. These short descriptions are just a preview, as the comparison itself is much longer.

Piwik PRO

Piwik PRO  is an analytics platform built with a strong focus on data privacy and security. It includes features for web and product analytics, tag management, and integrations with consent tools like Cookie Information. Together, they offer a complete solution for tracking and compliance across digital channels.

Cookie Information

Cookie Information is a leading consent management platform, trusted by thousands of organizations globally to meet GDPR and other privacy law requirements. It offers extensive features such as automatic cookie detection and categorization, customizable banners, consent log retention, and support for frameworks like IAB TCF 2.2.

With out-of-the-box support for 44 languages and seamless integration with platforms like Piwik PRO, it’s an ideal solution for businesses of all sizes seeking robust compliance, transparency, and ease of implementation.

Cookiebot

Cookiebot CMP provides transparency and control over all the cookies and similar tracking technologies on your website. It enables proper compliance with privacy legislation through respectful and transparent data exchange between users and the websites they visit to make privacy an integrated part of each site.

Usercentrics

Usercentrics allows businesses to collect, manage, and document user consents across websites and apps, ensuring compliance with global privacy regulations. It provides smooth capture and management of user preferences and marketing permissions, empowering users with complete control over their data.

OneTrust

OneTrust provides privacy management and marketing compliance technology that helps organizations comply with global regulations. The platform lets you visualize and manage the data coming into your organization while ensuring compliance and honoring customer rights, choice, and transparency.

UniConsent

UniConsent is an independent CMP that helps publishers and marketers align with privacy laws like ePrivacy, GDPR, and CCPA. It offers a variety of additional features, like cookie scanning and disclosure, cookie banners, and data subject requests management, as well as consent analytics and insights.

Didomi

Didomi is a comprehensive suite with a wide range of integrations. Its focus on quality user experience and compliance with major data privacy laws helps companies put customers in control of their data, generating trust and revenue. It is a robust consent management platform perfect for users who can harness its customization options and integration capabilities.

Osano

Osano offers a range of tools and solutions to ensure compliance with data protection regulations and effectively manage user consent. It supports value-added services for analyzing and mitigating risks associated with third-party vendors, along with customizable cookie consent banners.

CookieYes

CookieYes offers a straightforward platform with essential functionalities, such as a fully customizable cookie banner, tracking user consent, or a unified interface. It’s a simple tool focusing on its core consent management processes. The platform delivers a quick path to compliance at a low cost.

Ketch

Ketch is a comprehensive privacy management platform offering features such as data usage and storage management, consent management, risk assessment, and handling data subject access requests. While it provides robust tools for privacy compliance, its focus is primarily aligned with U.S. regulations. Some of its messaging and features are not fully compliant with GDPR, which positions it as a stronger fit for U.S.-based companies rather than those targeting the EU market. As such, Ketch may be a competitive choice for enterprises seeking AI-based privacy solutions tailored to the U.S. regulatory landscape but is less suitable for businesses with a GDPR-centric compliance strategy.

What we have covered in our CMP comparison

Our comparison consists of the following sections:

General overview

This section includes the most important features of the analyzed consent managers. You can see what hosting options are available, such as private cloud hosting or choosing data residency. Also, you can check which platforms have ISO 27001 certifications.

It’s also important to know whether these platforms comply with the General Data Protection Regulation (GDPR) that gives individuals full control over their personal data.

	Type of hosting	ISO 27001 certified	GDPR compliance	100% data ownership
Piwik PRO	Cloud or private cloud
Cookie Information	Cloud
Cookiebot	Cloud
Usercentrics	Google cloud servers
OneTrust	Cloud, private cloud or on-premises
UniConsent	Cloud
Didomi	Cloud
Osano	Cloud			n/a
CookieYes	Cloud			n/a
Ketch	Cloud			n/a

Features and functionalities

Check if the platform enables reporting features and dashboards, the option to export reports, or view user consent history. Learn which privacy-facing features related to cookies are available – for example, cookie scanning to detect what cookies load on the site, zero-cookie load that lets you comply with some strict laws, or cookie whitelisting. Some tools may also include Do-Not-Track support, cookie library, or can share consent across various domains.

Find out which vendors allow you to re-ask users for consent or offer real-time geotargeting. See if you can display the consent banner in different languages and whether the visitor’s language will be automatically detected. For example, Cookie Information supports features like zero-cookie load, consent log retention, and language localization – all designed to ensure both legal compliance and a smooth user experience.

Integrations

Check which consent management platform offers integrations with Google Consent Mode, v.1 and 2, Microsoft Universal Event Tracking (UET) Consent Mode, and Google Tag Manager. Such capabilities simplify compliance with data privacy regulations, enhance user experience, and streamline tag management processes, ultimately benefiting both users and businesses.

	Google Consent Mode	Google Consent Mode v.2	Google Tag Manager
Piwik PRO
Cookie Information
Cookiebot
Usercentrics
OneTrust
UniConsent
Didomi
Osano
CookieYes
Ketch

Banner customization options

Highly customizable consent banners can be adjusted to match your organization’s design and brand voice. Learn if you can visually customize the banner and the consent text, create the popup or bar layout, and add visual elements. Also, discover which consent management platform offers pre-built templates compatible with IAB TCF.

To check which of your banners perform better, you should also be able to perform A/B testing. One of the key features to look for in a CMP vendor is the ability to set consent collection for specific purposes, which we also include in this section.

	Visual customization	Popup layout	Bar layout	Ability to add visual elements
Piwik PRO
Cookie Information
Cookiebot
Usercentrics
OneTrust
UniConsent
Didomi
Osano
CookieYes
Ketch

Data subject access requests

Processing data subject requests is a significant benefit of using a CMP. Find out if the compared tools allow you to handle data subject requests and if they offer data subject request widgets.

Customer care

Customer support helps solve some issues you might experience with the CMP platform. If you need troubleshooting or assistance in configuration, it’s crucial to get the support you need from the vendor’s customer care department. Find out what customer support features are available – such as contact via email, online help center, or community forum.

Some vendors may offer more personalized assistance, like a dedicated support specialist. You might opt for personalized onboarding or training or benefit from custom integrations and development if needed.

Comparison of 10 leading consent management platforms

If you want more details about the most popular consent management platforms and how they stack up against each other in more categories than listed in the article, download our whitepaper (in English). The comparison includes insights from the recent merger between Cookie Information and Piwik PRO, reflecting their combined capabilities for enterprise-grade privacy and analytics solutions.

Comparison

Comparison of 10 leading consent management platforms

Compare 40 key differences to determine which CMP fits your business needs: Piwik PRO, Cookie Information, Cookiebot, Usercentrics, OneTrust, UniConsent, Didomi, Osano, CookieYes and Ketch.

Download the comparison

The post Comparison of 10 leading consent management platforms appeared first on Piwik PRO.

Marc Southwell: The problem here is the understanding of legislation and how to implement it nationwide and internationally.

It’s easy for privacy activists like noyb (‘none of your business’) to point fingers at companies’ cookie banners and how they try to comply with the GDPR.

And it’s easy for them to put companies’ lack of compliance on public display.

But who’s to blame? We all know about the GDPR and that we have to collect consent for using cookies. But the whole cookie issue is caught between the ePrivacy Directive, the GDPR, and national guidelines for using cookies. And as many companies operate across borders, it becomes increasingly difficult to know which rules actually apply.

I see a tendency that companies become caught between a rock and a hard place. It’s an unpleasant situation in which they don’t know how to act and what path to follow.

You might also like:
Everything you need to know about cookie consent in the EU

Maciej Zawadziński: So in your opinion, businesses want to be GDPR compliant. How did you reach this conclusion?

Marc Southwell: We don’t believe that the mentioned 82% of 500 companies in Europe are seeking to break the law. We believe the opposite. We have done a study with the Federation of Norwegian Enterprise (Virke) that concludes that most companies want to comply and respect their website visitors, but it’s too difficult to understand the GDPR.

In the fall of 2020, together with Virke, we asked 379 companies in Norway about their views on cookie consent solutions. The companies represented small, medium-sized businesses and enterprises. Less than 20% of the companies said that they had enough knowledge about legislation and guidelines for cookies to act properly. At the same time, 90% answered that it’s important that their company complies with current legislation so they can ensure the rights of their website visitors.

I believe this is a common picture all over Europe. Companies do not want to run the risk of heavy fines or bad publicity for not complying with the GDPR.

And it’s the companies that have the main responsibility for compliance. But as lawyer Maximillian Schrems, co-founder of noyb, argues: if it’s so hard to understand the privacy policies of tech giants, imagine how difficult it may be for the average company to understand the legal phrasing in GDPR. Let alone formulate their own.

If you ask legal experts across Europe, there are different interpretations of how consent is collected when it comes to
digital devices
,
the term we use for websites and mobile applications.

– Marc Southwell

Maciej Zawadziński: You continue to say the GDPR is hard to understand. Why haven’t companies gotten around to understanding the GDPR although it was introduced three years ago?

Marc Southwell: The GDPR doesn’t talk much about cookies. Cookies are the concern of the ePrivacy Directive (“the European cookie law”). However, the GDPR talks a lot about consent.

Rules on cookies and how to collect consent for them are caught between two legislations. This allows for national guidelines which are interpretations. Interpretations of the ePrivacy Directive, which is something all European member states have had to put into national law, and the GDPR which is mostly enforced at national levels.

What we see by reading the national guidelines and by talking to our clients is that these interpretations vary a lot. If a company operates on the whole continent or internationally, which guideline should it follow?

Much of the GDPR framework is centered around consent that should be “freely given, unambiguous, specific, informed”. But what does that really mean?

If you ask legal experts across Europe, there are different interpretations of how consent is collected when it comes to digital devices, the term we use for websites and mobile applications. Some experts talk about legitimate interest, others about passive consent, and some even say that just using a website or mobile app is considered as consent. If we still discuss what consent on a website or app is, then how far have we come? We have a set of rules, but how to follow them is perceived differently from country to country.

Maciej Zawadziński: Even if a company understands the guidelines, it has a hard time following them. What parts of the GDPR are the most challenging to follow and why?

Marc Southwell: Of course I cannot comment on the entirety of the GDPR. I can only comment on my field of knowledge which is collecting consent for using cookies and other tracking technologies on websites and apps.

The GDPR was enacted on May 28, 2018. It took the Danish Data Protection Authority almost two years and the Finnish Data Protection Authority three years to formulate clear guidelines for collecting valid consent to cookies. And we are still waiting for the Swedes.

According to The Digital Economy and Society Index (DESI) for 2020, these three countries are the most digital countries in the world. If it has taken them over three years to put forward guidelines, then no wonder it has taken so long for many companies to understand and implement solutions to keep them GDPR compliant.

I am in contact with hundreds of companies that want to follow the guidelines. And based on the interest in our materials, e.g. e-books and blog posts, we know that thousands more are interested. I can only join the bandwagon and request the data protections authorities (DPAs) across Europe help businesses comply. Guide and teach them. Those companies want to respect their customers, but they need to know how to do so.

It took the Danish Data Protection Authority almost two years and the Finnish Data Protection Authority three years to formulate clear guidelines for collecting valid consent to cookies. And we are still waiting for the Swedes.

– Marc Southwell

Maciej Zawadziński: Data protection offices in the EU are in charge of providing the local cookie guidelines and general education on the GDPR. How would you describe the current state of their efforts in those areas?

Marc Southwell: The GDPR was a big change, and is still a big thing. We have a long way to go before all companies can follow the rules of the regulation.

Bigger businesses with many resources have allocated entire departments and appointed data protection officers (DPOs) for redesigning their internal processes to comply with the GDPR.

On the other hand, small and medium businesses may not have these resources and have to hire external consultants. That’s costly and time consuming. But I also see that many businesses are working on it. Especially regarding cookies.

If we start seeing non-governmental organizations calling the authorities every time they spot a non-GDPR compliant cookie banner, something is wrong. Authorities should reach out to companies – guide instead of judge – help instead of penalize.

When I help businesses, who are being audited by the data protection authorities, I often learn it’s being audited because of an official complaint from a user of a website. This forces the authority to act and audit the website. When the business comes to us for advice, they have no idea what to do or where to start. And we see more and more of these cases. Just this year, we have helped more than 10 companies through official audits by the data protection authorities.

Maciej Zawadziński: In your opinion, what should change in DPA’s communication about compliance to make it more approachable and understandable?

Marc Southwell: I think the European data protection authorities should unite to give clear direction for cookies and consent. As I said earlier, there are a lot of different national interpretations of the ePrivacy Directive and the GDPR. It becomes difficult for international businesses to know what rules to follow.

There should be a unified and clear European guideline that all data protection authorities agree upon until the new ePrivacy Regulation takes effect. When that arrives, there will no longer be room for interpretations and the rules will be set in stone.

There are too many gaps,unanswered questions, interpretations and inconsistencies for companies to be able to do what they do: to do business.

And we want to see more positive stories from companies who got it right. Let’s learn from those so others can follow. What did they do, how did they solve the problems, etc.

With that level of clarity and transparency, all businesses in Europe would be able to follow the guidelines without spending unnecessary resources on it.

Maciej Zawadziński: Can you point out a data protection authority that does a good job in educating businesses about how to be compliant?

Marc Southwell: We are seeing very good initiatives by the Danish Data Protection Authority (Datatilsynet). They have succeeded in producing clear and often humorous content about data protection, privacy and consent. And best of all, everything is written for all to understand.

For example, every week they do something called “The Monday Myth” in which they comment on a common misunderstanding about the GDPR. A myth could be: “the GDPR says you’re not allowed to take photos at your kids’ birthday party”. And then they debunk such myths.

They have built a large audience on social media,especially on LinkedIn, by squeezing the legal mumbo jumbo out of legal documents and making them easy for all to understand.

Maciej Zawadziński: The ePrivacy Regulation is on its way. Will it create the same confusion among businesses? Or is it written in a more approachable manner so it will be easier to follow?

Marc Southwell: The new ePrivacy Regulation was supposed to take effect the same day as the GDPR (May 28, 2018), but it has been delayed. Hopefully, we have learned a lot from how the GDPR was received and perceived.

The ePrivacy Regulation will be written in the same legal language as the GDPR. The task of the European Data Protection Board and all the data protection authorities out there will be to convey the new rules in layman terms. That is, in plain English.

However, when the ePrivacy Regulation comes, this will be the final set of rules for using cookies and online trackers. No more confusion about whether cookies fall under the GDPR or ePrivacy Directive, or some national guideline. The ePrivacy Regulation will establish the standard for all European member states.

But as long as we wait, we are stuck with a complex and rigid system of different interpretations on cookie rules. And that’s the reason why many companies don’t comply yet.

It is imperative that we communicate in a good way to companies: these are the rules – this is how you can follow them – here’s how we can help you reach your compliance goals.

You might also like:
Christophe Alves: Brands that find new ways to build trust with their consumers will increase their market share [interview]

Marc Southwell, Senior Compliance Advisor at Cookie Information

Marc has extensive professional experience working with web agencies in different capacities. During that work, he found his niche in internet privacy. At Cookie Information, he provides small and global companies with expertise on compliance with privacy regulations, especially in relation to cookies and asking for legal consent.

The post Marc Southwell: European data protection authorities should unite to give clear direction for cookies and consent appeared first on Piwik PRO.

Christophe Alves: Based on our discussions with consumers around the world (APAC, EMEA, LATAM and USA), we believe they have the same requirement: to get a better understanding of why and how their personal data are used. Such figures indicate that many advertisers are not yet meeting this expectation or haven’t managed to assure their consumers about the legitimacy of their privacy policy.

Besides, more and more headlines stress the fact that even big organizations like Google or Facebook, to name a few, are facing data leaks. This definitely doesn’t help change consumers’ point of view and gain their trust.

Maciej Zawadziński: GDPR and other privacy laws try to secure citizens’ interests by giving them more control over the collection and usage of personal data. Under this law, individuals can decide what kinds of data they’ll share and how it’ll be used. They can also revoke their consent at any time. Is this the way of restoring trust towards consumer brands?

Christophe Alves: Speaking about trust towards consumer brands, at Scal-e, we don’t put everyone in the same basket. Indeed, not all brands are the same, nor are consumers. Some brands need to boost their image, just as some consumers need to regain trust.

Even if the previous privacy law already addressed these concerns and some brands were compliant even before GDPR, unfortunately some others were not. The advantage of this new regulation (GDPR) is that it strengthens controls and constraints, and therefore the data protection.

Building such a regulatory framework encourages brands to improve their compliance and thus their communication, allowing consumers to feel more protected and indirectly in control of their data.

As an example, a website like Marmiton found a simple way to explain to the consumer the benefit of granting consent. The benefit is clear: either they subscribe for 50 cents a month to access the website’s content, or they agree to share their data for Marmiton to monetize. Time will tell if Marmiton is a pioneer, or if consumers won’t accept this type of exchange and go elsewhere.

Since May 2018, thanks to the effort of advertisers and suppliers to protect consumers’ data privacy, individuals seem more concerned about this topic and certainly more interested in dealing with brands that respect their rights.

Brands that find new ways to reassure and build trust with consumers – and thus make better use of their data – will increase the market share, as they can more easily acquire and retain customers.

The advantage of GDPR is that it strengthens controls and constraints, and therefore the data protection.

– Christophe Alves

You might also like:
Tim Schumacher: It’s impossible to be online and not in the orbit of Big Tech [an interview]

Maciej Zawadziński: There’s a general trend of giving consumers more control over many aspects of their customer journey. Why now? When did people start demanding more control over their online identities?

Christophe Alves: Whether we’re talking about the customer experience or customer journey, it’s clear that giving consumers more control over how companies exploit their data impacts the business models of brands. It’s no surprise that we’re talking more and more about this topic. Brands are changing their business models as much as consumers are changing their habits and taking back control of their identity, both offline and online.

Maciej Zawadziński: With the death of the third-party cookies, businesses have to rely on first-party data. How should businesses adapt to give customers control while acquiring the data they need to operate at the same time?

Christophe Alves: As we explained earlier, these regulatory and behavioral changes are impacting brands’ business models. Until now, brands have benefited from rich information about their consumers thanks to the data collected by their partners, with the use of third-party cookies. Since they no longer have – or have less – access to this additional information, brands are obliged to improve the collection and enrichment of their customer data (first-party data). This is why we mentioned that the brands that build this customer knowledge before others will have a competitive advantage. It’s because they will be able to acquire or retain customers at lower cost.

It’s up to the brand to build the relationship expected by the consumer, according to their chosen level of engagement.

– Christophe Alves

Maciej Zawadziński: Too few options to choose from won’t give customers the feeling of control, while too many can overwhelm them. How to keep the balance between the variety of options and ease of use? What would the ideal preference center look like?

Christophe Alves: Indeed, one size doesn’t fit all. Building the right preference center strategy might be, as explained above, one of the key success factors in building a relationship with consumers and inviting them to share their information with the brand.

Based on our idea that all brands are different and all consumers are different, we believe that the most suitable preference center is dynamic and allows everyone to share more or less information. This would depend on the level of relationship and interaction they want with the brand.

It’s up to the brand to build the relationship expected by the consumer, according to their chosen level of engagement.

For example, many websites offered to improve the customer journey in return for consent. However, the path was identical with or without consent, which doesn’t encourage the consumer to change their mind over time. If, on the contrary, by sharing their information, they have the possibility of receiving benefits in the form of promotions, vouchers, after-sales service, or access to exclusive content, then each consumer will find something that interests them.

You might also like:
The CJEU sheds more light on trackers and consent requirements

Christophe Alves is a French entrepreneur and the CEO of Scal-e, a digital marketing hub based in Paris. Christophe runs different projects all over the world (US, Russia, Israel, France, Spain) with startups, big corporations and IT companies. His mission is to create the perfect bridge between IT, marketing and sales.

The post Christophe Alves: Brands that find new ways to build trust with their consumers will increase their market share appeared first on Piwik PRO.

New rules around consent can lead to a lot of sleepless nights. However, it must be remembered that the new Regulation was created for a reason – to protect users’ privacy and to help restore trust and transparency of activities between ordinary people and the entities which process their data.

Studies show that there’s a lot of work to be done.

The 2017 State of Consumer Privacy and Trust survey conducted by Gigya found that 68% of respondents don’t trust brands to handle their personal information appropriately.

A telling result, right?

Now it’s about to change.

Ok, but what exactly is going to change?

As you surely know, GDPR introduces some major shifts in many aspects of processing users’ data.

If you want to dig into the details, we recommend these blog posts:

• How GDPR Affects Your Web Analytics Tracking
• Your Most Burning Questions About GDPR Answered:
  Part 1, Part 2 & Part 3

The new law also makes significant changes in the definition of consent. Here’s a comparison of the new definition of consent and the one from 1995.

EU Directive 95-46-EC:

Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

GDPR:

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

As you can see, GDPR introduces a new clause, as consent now must be unambiguous and involve a clear affirmative action.

What it really means

It’s enough to say that the definition of consent is rather general and doesn’t provide you with actionable tips for your compliance strategy. But don’t be afraid! Fortunately, there are many documents and guidelines interpreting the provisions of GDPR.

Consent as understood by Article 29 Working Party

One of the most important (and helpful!) of these guidelines is the one prepared by Article 29 Working Party. Their “Guidelines on Consent under Regulation 2016/679” contain an overview of the elements of valid consent under Article 4(11) of GDPR (freely given, specific, informed, and unambiguously indicated).

Here you can find what Article 29 Working Party has to say about the particular adjectives used in the definition:

Freely Given

The element free implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.

Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

This point is particularly helpful, because it makes it easier to determine whether visitors of your website can freely decide if they want you to process their data. Unfortunately, this won’t be the case with data controllers who are public authorities and employers – the balance of power is skewed and there is a risk that users’ consents will not be fully voluntary.

Such an organization should use one of the five other lawful processing means (yes, there’s five more of them).

Also, it’s important to emphasize that consent should never be a prior condition for using your site or taking advantage of your services. For instance, it can’t be included in the terms and conditions of a website. This prevents the user from having a free choice when making decisions regarding consent.

Important tip: If you can’t provide your users with a genuinely free choice regarding the processing of their data, consent is not the best legal grounds for you to choose. In this scenario, you should seek other ways to justify your right to process users’ personal data.

Specific

Article 6(1a) confirms that the consent of the data subject must be given in relation to one or more specific purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject. This requirement has not been changed by the GDPR and remains closely linked to the requirement of ‘informed’ consent. At the same time it must be interpreted in line with the requirement for ‘granularity’ to obtain ‘free’ consent. In sum, to comply with the element of ‘specific’ the controller must apply:

• Purpose specification as a safeguard against function creep,
• Granularity in consent requests, and
• Clear separation of information related to obtaining consent for data processing activities from information about other matters.

As you can see, the Article 29 Working Party guidelines advise you to indicate every possible purpose for using user data. That way, you’ll make sure they give you specific consent for processing their data in a particular way.

In practice, this means you’ll need a separate consent for every use of personal data. For example: one for content personalization activities and another for remarketing campaigns; one for using first-party cookies and another for third-party cookies. All these should be listed in the consent box displayed to users when they visit your page for the first time.

However, it’s likely that not every purpose for using personal data will require direct user consent.

Some experts predict that the Regulation on Privacy and Electronic Communications (also known as ePrivacy) in its current (and still not final) form will exclude from this list, among other things, cookies used exclusively for analytics purposes.

Unfortunately, we still have to wait to see how everything unfolds when the regulation assumes its final form. Until then, it’s safe to assume that using web analytics trackers will also require consent.

If you’d like to learn more about ePrivacy, we advise you to read these blog posts. They offer a thorough overview of the subject:

• How ePrivacy Impacts Marketing Automation, Re-marketing, Personalization and Web Analytics
• Current state of the ePrivacy Regulation as it enters the home stretch

Important tip: Make sure that your cookie consent box lists every purpose you have for using personal data. Otherwise, you can’t say that your users’ consents were specific.

Informed

The GDPR reinforces the requirement that consent must be informed. Based on Article 5 of the GDPR, the requirement for transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects prior to obtaining their consent is essential in order to enable them to make informed decisions, understand what they are agreeing to, and for example exercise their right to withdraw their consent. If the controller does not provide accessible information, user control becomes illusory and consent will be an invalid basis for processing.

The consequence of not complying with the requirements for informed consent is that consent will be invalid and the controller may be in breach of Article 6 of the GDPR.

The most important thing in this case is the fact that you must clearly explain to people what they are signing up for. Individuals should be informed that they are consenting to the processing of their personal data. Additionally, they should be aware of their rights concerning the given consent, like the right to withdraw it, the right to correct their data, and other rights.

Also, the request for consent needs to be:

• easy to understand,
• prominent,
• concise,
• separate from other terms and conditions, and
• presented in plain language.

If your consent request doesn’t meet this requirements (in other words, it’s vague, difficult to understand, or not separate from other matters) it will be considered invalid.

Unambiguous

The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing.

A clear affirmative act means that the data subject must have taken a deliberate action to consent to the particular processing. Recital 32 sets out additional guidance on this. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.

As you can see, the word unambiguous suggests that there should be no doubt that the data subject has agreed to the data processing. Later in the guidelines the WP29 provides more information on the range of possible mechanisms by which data subjects can take a clear affirmative action. It includes:

• ticking a box,
• swiping on a screen,
• waving in front of a smart camera,
• turning a smartphone around clockwise or in a figure-eight motion.

It means that the consent is considered valid only when the data subject had to take action in order to agree to your request. Pre-clicked boxes are no longer an option.

A helpful guide to GDPR Consent Manager

We hope that all these requirements haven’t scared you too much. Of course, the new demands change many things in the way you deal with data, but there are a ranges of solutions and possible scenarios to ensure compliance with the new law.

That’s why we decided to put together an exhaustive guide on collecting user consents under GDPR. We’ve titled it A Practical Guide to Acquiring Consent in the Age of GDPR, and it will:

• describe more characteristics of proper GDPR consent,
• present you with actionable tips on consent prepared by the Information Commissioner’s Office and the Article 29 Working Party,
• show you some practical examples of GDPR-compliant consent requests,
• discuss five more legal grounds for processing user data,
• detail the most important principles of storing user consents,
• and much more!

What’s more, we’ll present the most important advantages of GDPR Consent Manager – a tool designed to collect, manage, and store user consents.

The post How consent manager can help you obtain GDPR-compliant consents from your users appeared first on Piwik PRO.

To learn more about the most important changes introduced by GDPR, we encourage you to go through our informative blog post on that very topic:
How Will GDPR Affect Your Web Analytics Tracking?

In recent weeks, Google has introduced some product updates that aim to help their clients comply with the new law – for example, data retention control and a user deletion tool. However, it’s the client (data controller) who is responsible for collecting, managing, and storing consents (via opt-in) from visitors (for both Google Analytics and Google Tag Manager).

In addition, clients have to be sure they aren’t collecting any personally identifiable information (like emails, zip codes, names) because it’s against the Google Analytics Terms of Service (you did know this, right?). Following all these rules can be a big hassle for website owners.

If you want to dig deeper into the advantages of safe personal data processing (including first-party data), be sure to check out this blog post:
Why First-Party Data is the Most Valuable to Marketers.

Collecting user consents: a tricky business

Cookies seem to cause the most trouble. They’re mentioned in Recital 30 of GDPR, which states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

This means that in order to remain compliant with the new laws, your website should now require your visitors to acknowledge and consent to the use of cookies before they start browsing your site.

If you want to deep-dive into the characteristics of proper GDPR consents and how they should be handled, we advise you to read this blog post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users.

However, the list of your responsibilities doesn’t end there. Processing personal data (including cookies) involves many more obligations on the data controller’s side.

If you’re in this situation, here’s some of the things you must do:

• Develop a mechanism for collecting granular consents, tying them to specific users, and ensuring that the data will be used only for agreed purposes (for example, only for analytics purposes, but not for remarketing or data personalization activities).
• Gather all the consents (plus all the information we’ve discussed above) in one database which you can easily access and update on a regular basis.
• Prepare a mechanism for your users to change their mind, exercise their rights, and send you data subject requests.

Sounds like quite a challenge, right? These kinds of tasks take not only a lot of time, but also loads of human resources. Obviously, automating this process would make many lives easier.

Consent manager – just the job

Luckily, nature (or in this particular case – the market) abhors a vacuum. Many vendors have decided to take matters into their own hands and create a tool to mediate between visitors and analytics software. Depending on the provider, it’s called Cookie Consent Manager, Cookie Widget, GDPR Consent Manager, etc.

These tools are a kind of gatekeeper that passes information about consents between individual visitors and your analytics system. That way, you make sure that the data you’re operating on has been collected in a manner compliant with the new law.

An interesting comparison of these offerings can be found here: Tools & Widgets to Manage Cookie Consent.

Tag manager – a perfect partner in not-crime

As mentioned in the article by Vicky Dallas we linked above, a good idea is to use the combined forces of Consent Manager and Tag Manager to handle user consents.

Tag management systems have proved themselves an extremely useful asset in the marketer’s arsenal. Now they can serve as a tool for reducing the burden of dealing with consents. Because these tools support a range of tag types, they make it a lot easier to ensure compliance of the analytical software and marketing tools placing tags on your website.

At least a couple of cookie consent manager providers have integrated their products with tag management systems. One of them is Piwik PRO. The GDPR Consent Manager we’ve developed works closely with a secure tag manager, providing more robust privacy of your data. For instance, you can store all your data in an on-premises environment, encrypt all the collected information, and use a chosen SSO method to log into your system for ensuring that only authorized employees can access the data.

How it works

All this might sound a bit abstract and hard to imagine. That’s why we’ve prepared some examples to show you how Consent Manager and Tag Manager work together. For your convenience, we have divided this process into steps you have to take in order to configure our tools for GDPR compliance:

1) Turning compliance on and off for each site

GDPR Consent Manager allows you to apply settings to every website that adjust the mechanism for firing tracking tags .

If you decide that GDPR compliance should be disabled on a particular website, then new visitors will be opted-in by default. But if you turn GDPR compliance on, new visitors will be opted-out by default and will receive a consent form pop-up (served by Tag Manager).

2) Choosing the types of tags that require visitor consent

Then you’ll have to decide which tracking tags don’t need consent and will be fired automatically for every visitor, and which of them will be fired after receiving consent.

Typically, the following categories of tags should be fired only after consent is received:

Analytics – web and mobile app analytics data tracking for basic information like IP address, device and browser information, etc.

A/B Testing and Personalization – tags for A/B tests via third-party vendors and personalized offers targeted at visitor segments.

Conversion Tracking – designed to track when and how visitors accomplish desired actions (purchases, downloads, form completions, etc.).

Marketing Automation – for audience segmentation in order to schedule and track marketing campaigns.

Remarketing – tags creating audiences for ads displayed to visitors after they leave your site.

User Feedback – information about user experience from visitor behavior and feedback.

Custom type – tags whose properties you can freely define.

However, every client can customize them based on their needs and compliance team’s suggestions. This information will tell Tag Manager which tags can be launched automatically and which require the user’s prior consent.

3) Creating consent pop-ups and widgets

Now it’s time to create the message you’ll show your visitors. With a little help from a user-friendly editor, you can design messages that will be shown to people visiting your website for the first time, as well as those who have already been there but haven’t made a decision about consent.

4) Displaying the pop-ups to your visitors

Once you’ve created all the dialog forms, it’s time to approve the messages and make them visible to all. Pop-ups and widgets give both first-time visitors and returning visitors who haven’t responded to your request the chance to make a decision.

Information about their choices is then saved by Tag Manager in a single first-party cookie and in the Cookie Consent Manager database accessible from your admin panel. All consent decisions will be kept there for one year.

Summary

We hope that we’ve convinced you that Consent Manager is the right tool for dealing with GDPR consents from your visitors. And it will be extremely useful if the tool works smoothly with Tag Manager.

If you would like to learn more about collecting consents in accordance with GDPR, we invite you to follow our blog. And remember – you can always contact our team, we’re happy to share our knowledge with you!

The post How cookie consent manager and tag manager work together for your GDPR compliance appeared first on Piwik PRO.

According to a survey by the Direct Marketing Association (DMA) only 54% of businesses expect to be compliant by May 25, 2018.

Consent is key

We believe one of the problems companies are facing right now is the lack of a data privacy culture within their business partners.

Alter all, one of the most important steps in preparations towards GDPR will be making sure that data processing consents are collected in an appropriate manner, especially since new regulations are really strict in this regard. Among other things, consents will have to be freely given, specific, informed and unambiguous.

The regulation also introduces new obligations related to the exercising data subject’s rights, such as:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (also known as: right to be forgotten) (Art. 17)
• Right to restrict processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object to processing (Art. 21)

In the case of digital businesses, aligning to the new law will involve making many adjustments to their analytics tools and making sure that all their business partners are also up to the task, and can support them in ensuring compliance.

Unfortunately, most of the vendors (including Google Analytics) haven’t provided solutions that would allow companies to comply with certain aspects of GDPR such as collecting lawful consents or respecting users right to data access, rectification and erasure, or the right to data portability.

If you’d like to learn more about the responsibilities GDPR will bring, we recommend you these blog posts:

• How Will GDPR Affect Your Web Analytics Tracking?
• Your Most Burning Questions About GDPR Answered. Part 1/3
• Your Most Burning Questions About GDPR Answered. Part 2/3

Consent Manager can help you with the task

We decided not to follow this worrying trend.

What’s more, following the Piwik PRO team’s commitment to data privacy, we made sure our marketing stack is ready to handle such tasks by design.

In order to aid our clients in their preparations towards GDPR, we designed a tool that makes it easier to respect GDPR rights by allowing you to collect visitor consents for specific data processing purposes, handle consent changes and other requests, all in one place.

It’s called a Piwik PRO Consent Manager.

Consent Manager has the features to cover the whole visitor life cycle: from getting the consent of a new visitor to addressing data subject rights requests.

Collecting users’ consents properly – without bundling, pre-ticked boxes and vague generalization about the purpose seems to be the biggest challenge in the history of digital marketing, but the truth is, it’s not. It’s a matter of respecting the rules and people they’re protecting. For Piwik PRO customers this respect for privacy has always been a crucial part of the corporate DNA and we’re proud to support it with a proper tool. – says Grzegorz Jendroszczyk, Data Protection Officer in Piwik PRO.

What Consent Manager Does

Using a simple editor, you’ll be able to create and edit consent request popups and other types of widgets helping you collect lawful consents. They will serve as a “gatekeeper” between your website’s visitors and an array of tools that will later operate on agreed types of data.

First-time visitors will receive a consent form asking for permission to collect data for a clearly defined set of purposes, which you can specify and update as needed. Until consent is given, certain categories of tags, including third party tags, won’t fire. Visitors will be able to view and update their consent status at any time through Consent Manager widgets.

Exercising data subject rights

Piwik PRO Consent Manager will also support their clients in exercising data subjects’ rights.

Data subject request and Privacy Settings widgets to install on Privacy Policy page will let visitors exercise their GDPR data subject rights such as data erasure, rectification, access and portability.

Additionally, admins will monitor all submitted requests, view individual visitor consent status and data subject request history from one place – all from a clear and highly informative panel.

The system will allow admins to review each request, change its status, and keep track of progress and status to make sure all are processed within demanded time frame.

Some conclusions

So, to sum things up – Piwik PRO Consent Manager will support our clients in:

• Creating customizable consent popups and widgets for visitors to get their consents,
• Collecting and storing the visitor consent,
• Collecting only pre-approved data by firing only accepted tags,
• Collecting and managing data subject requests in one place,
• And fulfilling many other tasks related to dealing with visitors’ consents and requests.

And by all that, it will automate a huge part of collecting personal data in alignment with the new law. Sounds quite good, right?

For more information about our new product be sure to visit GDPR Consent Manager subpage.

Also, remember that if you’re interested in our product or simply want to learn more about your responsibilities involved in dealing with personal data under GDPR – don’t hesitate to contact us anytime you want. Our team will be happy to help you!

The post We’re Releasing GDPR Consent Manager! appeared first on Piwik PRO.