How to set up cookie consent Opt-in and Opt-out configurations in SiteSpect
This help article describes how SiteSpect can support cookie consent opt-in and opt-out configurations. But first…
What is Cookie Consent and why do I care?
Cookie Consent is when the end user (visitor to your site) gives permission to a website to use cookies to track user behavior and potentially enhance the user experience.
Understanding cookie consent is important because there are many new privacy laws and browser privacy changes that are taking place in the industry. Your organization may have already implemented, is about to implement, or is actively modifying a cookie consent policy for your site. Below we have captured a few important links to various regulations (both new and old) that pertain to cookie consent.
Important links to help inform you about cookie rules and privacy laws
- We suggest reading PrivacyPolicies and their descriptions of the laws listed below.
- 2009 ePrivacy Directive - sometimes referred to as “the EU cookie law”, even though it is a directive, not a law.
- General Data Protection Regulation (GDPR) - adopted in 2016 and turned into law in 2018.
- European Data Protection Board (EDPB) guidelines on valid consent from May 2020, which give clearer guidance on how to follow the regulations laid out in GDPR.
- California Consumer Privacy Act (CCPA) - gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.
- California Privacy Rights Act (CPRA) - California passed Proposition 24, which will build upon and replace the CCPA and will go into effect in 2023.
Browser Privacy Changes
It is also important to keep in mind that browsers themselves are changing their own privacy rules. These rules are in addition to the laws and regulations mentioned above. SiteSpect is able to avoid these browser changes because they mostly pertain to cookies set at the client. This can be a problem for several JavaScript tag-based solutions which set cookies at the client. Even if a cookie consent policy is handled properly, client-side cookies may expire or in some cases not work at all. Below is a list of important links to learn more about browser privacy changes and what they mean for your site.
Important links to help inform you about browser privacy changes
- Interview explaining ITP / ETP
- SiteSpect webinar explaining ITP/ETP and how it affects you
How do I configure SiteSpect with my Cookie Consent policy?
SiteSpect understands that with any new regulation there may be different interpretations of that regulation. Fortunately, SiteSpect can leverage the same power and flexibility of our optimization solution to offer multiple ways to support your Cookie Consent policy. SiteSpect is able to see every request from the user and every response from your server. SiteSpect leverages that capability to check to see if user consent has been given.
The setup for new customers is usually taken care of during the implementation process by a SiteSpect Solutions Architect. That said, if you want to set up the configuration yourself, go to Site in the left navigation and select “Site Settings”. On the “Edit Site” page that appears, select the “Communications & Pass-Through” tab. Scroll down to find a text box called “Pass-Through Request Headers (case-insensitive)”. There are most likely some default pass-through headers already in the text box dealing with Robot exclusion. Add the consent rule to the bottom of this list.
In the example above if the cookie “SSenabled” does NOT exist, the request is passed through without tracking. This setup can be used for both Opt-Out and Opt-In Policies.
Important
- Any cookie you set to manage this policy should be persistent rather than session based.
- With the opt-in approach it is recommended to disable the SiteSpect in-site referrer feature.
- With the opt-in approach you will also need to decide whether to refresh the user's page view on opt-in, to enable experiments on the landing page, OR to defer this to the user's second page view.
Opt-Out Policy
In this scenario, SiteSpect uses cookies until the user tells the site not to use them. Since SiteSpect can see every user request and webserver response, SiteSpect can inspect request headers and pass through users based on the presence or absence of a given cookie.
If a user opts out of the use of cookies for your site, simply remove the “SSenabled” cookie (or whichever cookie you wanted to use to signify consent) and future requests will be passed through.
Opt-In Policy
For Opt-In Policies, SiteSpect can be configured in the same way. Using the same configuration as above, the site should only set the “SSenabled” cookie AFTER the user has given consent. SiteSpect will then see that cookie on future requests and will make the appropriate assignments. With the opt-in approach it is recommended to disable the SiteSpect in-site referrer feature.
Pass Through requests are not tracked
If the designated cookie is not present in the request, SiteSpect will “pass through” that request and response, and will not track the user. This means that this user cannot be included in any A/B or MVT tests or personalized campaigns. Once a user opts in to the content policy, the site should add the designated cookie. At that point SiteSpect will see the cookie, remove the user from pass-through, and set the normal cookies for SiteSpect use.
Opt-Out Endpoint via script
Alternatively, there is an endpoint that can be called with JavaScript that will expire and opt the user out of any test campaign on the site. Calling this endpoint will set the SSID cookie to 0 and ensure that the user does not appear in SiteSpect reporting.
fetch("https://sitedomain.com/__ssobj/opt-out");
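The consent flow described above, as an added example that is not SiteSpect's own code: the site sets a persistent “SSenabled” cookie only after opt-in, and on withdrawal deletes it and calls the opt-out endpoint. The function names, the 180-day lifetime, the cookie attributes, the same-origin relative path and the choice to do both withdrawal steps together are assumptions of this example.

```javascript
// Added example, not SiteSpect code. The cookie name "SSenabled" and the
// /__ssobj/opt-out path come from the article; everything else is assumed.
const CONSENT_COOKIE = "SSenabled";
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // seconds: persistent, not session based

// Build the cookie string for a consent decision.
// Granting sets a persistent cookie; withdrawing expires it immediately.
function consentCookie(granted) {
  const attrs = ["Path=/", "SameSite=Lax", "Secure"]; // assumes an HTTPS site
  return granted
    ? [`${CONSENT_COOKIE}=1`, `Max-Age=${CONSENT_MAX_AGE}`, ...attrs].join("; ")
    : [`${CONSENT_COOKIE}=`, "Max-Age=0", ...attrs].join("; ");
}

// Mirror of the presence check described in the article: the cookie's
// existence is what counts, not its value. "SSenabled=0" still reads as
// consent, so withdrawal has to delete the cookie, not rewrite its value.
function hasConsent(cookieString) {
  return cookieString
    .split(";")
    .some((pair) => pair.trim().split("=")[0] === CONSENT_COOKIE);
}

// Apply the visitor's choice. doc and fetchFn are injectable so the logic
// can be exercised outside a browser; in a page the defaults are used.
async function applyConsent(granted, doc = document, fetchFn = fetch) {
  doc.cookie = consentCookie(granted);
  if (!granted) {
    // Same-origin call so the browser sends the site's cookies with it.
    await fetchFn("/__ssobj/opt-out", { credentials: "same-origin" });
  }
  return granted;
}
```

Call `applyConsent(true)` from the consent banner's accept handler and `applyConsent(false)` from the reject or withdraw handler; nothing should set the cookie before the visitor has chosen.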