How to mature cookie consent using Adobe Analytics
Privacy requirements are changing.
Between GDPR legislation, Google sunsetting third-party cookie support, and users’ demands for more control over their data, things are getting very interesting in the consent space.
For companies using Adobe Analytics to track visitor data, these changes are an opportunity, not an obstacle. The changes also affect companies with in-house consent management processes, as those build-it-yourself solutions could be non-compliant.
Maturing your cookie consent strategy has several benefits:
Managing cookie consent with Adobe Analytics and Adobe Data Collection
Adobe Data Collection (part of the Experience Platform) and Adobe Analytics determine which data to collect and from which pages, based on a user’s consent preferences. They also work together to deploy analytics, marketing and advertising functionality.
Note: Adobe Launch was rolled into Adobe Experience Platform in 2021. Keep this in mind if you see literature referring to Launch.
There are two main ways to architect this trust exchange. One is by using a third-party integration like OneTrust. The other is with an Adobe opt-in object.
1. OneTrust integration
OneTrust is a third-party consent management platform (CMP) that handles user consent for Adobe and non-Adobe services.
It’s the industry standard CMP. So much so that Adobe mentions it by name in their customer consent literature. In particular, brands looking to move from basic (in-house) cookie consent to a streamlined platform usually find OneTrust to be a great solution.
It works like this:
Users set their preferences in a pop-up
OneTrust records which cookies the user opts in and out of
If the user consents to cookies, OneTrust passes the preference data to Adobe Analytics using a dedicated JavaScript variable
If the user doesn’t consent, OneTrust securely stores that information and blocks data collection
The JavaScript key tells the service to fire if a user consents to cookies. If they don’t consent, you can use a script-blocking rule to fire some, none, or all cookies.
Crucially, this needs to happen on every page, and it needs to happen first.
This is the big advantage of OneTrust as a CMP. You have greater control over cookies for Adobe and third-party services. OneTrust also integrates with a huge range of third-party applications to embed privacy management within existing workflows.
There is, however, one caveat. OneTrust doesn’t currently provide location information at the user level, only the domain level. So if a user from France visits your US domain, OneTrust (and Adobe services) could track their behaviour according to CCPA rules, thereby violating GDPR.
2. Adobe opt-in object
Adobe opt-in is an extension of the Experience Cloud ID (ECID) you can use to:
Determine if you can set a cookie on the user’s device
Control which Experience Cloud solutions can set cookies
Set protocols to integrate with your CMP
Specify if a visitor integrates with all Adobe solutions at once or in sequence
Retrieve approvals from the CMP
So far, so good.
But there’s one big limitation: Opt-in only deals with Adobe services. It doesn’t support or store a user’s cookie preferences for third-party services. You still need a CMP to handle these.
How to implement cookie consent in a tag manager
You might have guessed that we prefer the OneTrust approach at TAP CXM. There are a few reasons why:
OneTrust is a simple and reliable CMP from the user’s point of view
Clients can proactively migrate towards first-party data collection
OneTrust provides more granular cookie control
We’re JavaScript nerds
That last one is important. Making cookie consent work requires detailed knowledge of the layers and dependencies within an organisation’s information architecture.
However, to avoid turning this into a step-by-step guide to building rules in Adobe Analytics, we’ll zoom out and cover the broad strokes.
Step 1: Strategy
Cookie consent impacts everything from advertising revenue to audience segmentation to dynamic content, so it’s an important project.
Before embarking on a cookie consent maturity project, collaborate internally to ensure your organisation is aligned on the reasons, benefits, and costs.
In particular, map out the relevant legal requirements. That includes GDPR in Europe, CCPA in the USA, plus region-specific privacy regulations.
Step 2: Architecture
Once you can answer the why and who, move on to how.
For example, we architected a three-layer approach for a global client. (Keep in mind that the solution reflected their unique needs. It may not mirror yours.)
The core components that work together are:
OneTrust: The user-facing CMP serving a warm plate of cookie consent options and collecting user-defined preferences
Adobe Data Collection: A data collection mid-layer that tracks visitor behaviour, managing tags, and interfacing with Adobe Analytics
Adobe Analytics: The analytics platform bringing all the data together to generate value-adding insight
In this case, we used Adobe Experience Platform Tags as the dedicated tag manager.
Feel free to reach out to TAP CXM for help determining the cookie consent process and requisite platforms.
Step 3: Write the rules
Now let’s address the what of cookie consent.
This step looks different for every organisation depending on the strategy and systems involved, plus applicable regulations.
For example, integrating OneTrust, Adobe Data Collection, and Adobe Analytics requires those JavaScript keys that deploy cookies and fire services like tracking beacons and advertising tags.
But if you’re using the Adobe opt-in approach, the process that communicates a user’s preferences to the platform (and the resulting services that fire) is quite different.
You also need to decide which flavour of cookie consent suits your visitors:
Informational cookiestell visitors that cookies on the site track their behaviour; their only choice is to consent or leave the site
Opt-out cookies automatically opt visitors in; they need to manage their own preferences
Opt-in cookies automatically opt visitors out; they can choose to consent to tracking
It’s important that the user knows what type of cookie they’re allowing and how their data will be used. Be transparent with this information so users remain in control of their data:
Strictly necessary cookies enable basic website features and can’t be denied
Functional cookies remember a user’s preferences to provide customised content
Targeting or advertising cookies collect data to serve relevant ads based on their preferences
Performance cookies anonymously collect usage information to report on a website’s performance
Step 4: Build the rules
Cookie consent in Adobe Analytics uses a rules-based logic.
However, the work actually takes place in the Adobe Experience Platform tag manager, previously known as Adobe Launch. This is where you create the rules that determine whether a user sees the cookie consent banner, and what happens when they click around your site.
The advantage of using a tag manager is the flexibility to make minor changes to tracking and analytics without major website upgrades.
Step 5: Pop-up
We can’t understate the importance of a user-friendly cookie consent pop-up. Users don’t enjoy pop-ups by default, so try to make yours as unintrusive and streamlined as possible.
However, at the same time, you need to be transparent and comprehensive with cookie preferences. Users should be fully informed and in control.
Step 5.5: Testing
Test for user acceptance and back-end stability.
Test often, test repeatedly, and test strenuously, cycling through steps 3-5 until the system is humming. Then test a little more.
Expect this stage to take a while. Continually test and refine after deploying your cookie consent framework, because there’s no such thing as perfect in this business.
If you're facing difficulties with cookie consent or need assistance with your Adobe Analytics configuration, don't hesitate to contact TAP CXM and talk to one of our experts now
What happens if you don’t have a cookie consent strategy?
GDPR violation
Cookies are only one part of the consent equation. More specifically, tracking beacons are the only thing blocked when users decline cookies using a standard CMP.
User data could still be collected, depending on what other tags and scripts are firing in the background.
Visitors are misled by the not-quite-cookie-consent terminology, which violates GDPR regulations.
Functionality fail
Adobe Data Collection stores user preferences to determine which services fire for a visitor. So if there’s no way to opt-out, remaining GDPR compliant means turning off every service that could constitute tracking or advertising.
Obviously, this isn’t a good result for anybody.
Users receive a jarringly impersonal experience, and brands miss out on behaviour data, the gold dust driving marketing decisions.
But here’s the good news…
TAP CXM are seasoned experts in consent management. We consult with companies to understand their current cookie consent process and design, build, implement and improve a more mature solution.
It’s all part of improving customer experiences for brands who want to do better.
