DataGrail Consent For Privacy Managers
"Consent" describes the general process of offering data subjects the right to control how their personal data is collected and used online. Not only is consent legally required in various regions of the world, it is an important mechanism for your brand to adopt a privacy-forward stance that builds trust with your data subjects.
This article provides an overview of the different behaviors and mechanisms for retrieving a data subject’s consent to the collection, processing, and selling/sharing of their data. We also discuss how DataGrail provides a comprehensive solution for automatically managing these processes using our Consent Management Platform (CMP) and Request Manager (RM) tools.
Consent Foundations: Online versus Offline Consent
Broadly speaking, there are two channels through which you can request consent for data processing: online and offline consent. DataGrail offers solutions for handling both types of channels and requests:
Online - IP address/web browsing
Online consent is given explicitly through the data subject's browser and is typically tied to their IP address and browsing session. It lets data subjects determine how websites and organizations may use the personal information and actions they generate on the website.
DataGrail offers a Consent Management Platform (CMP) that makes it easy to automatically collect and apply your data subject’s consent preferences when visiting your web experience, ensuring you are continuously compliant with the latest privacy regulations that govern the regions your users access your web apps.
Offline - Email, postal address, etc.
Offline consent is given explicitly through a channel identified by the data subject's email address, postal address or similar identifier. It lets the data subject determine how organizations may use their offline personal information.
DataGrail offers a comprehensive Data Subject Request Management platform for handling offline consent requests, which enables organizations to effectively manage and process Do Not Sell and Share/Opt-out requests submitted by data subjects of your web apps. For more information, see this article.
Consent Foundations: Opt-in versus Opt-Out
A data subject grants the collection, processing, and selling/sharing of their data via one of two primary mechanisms: opt-in consent or opt-out consent.
DataGrail Consent uses IP-based geolocation to detect a visitor's region and applies the consent mechanism required by the policy framework that governs that region. IP geolocation is approximate (VPNs, proxies and mobile carrier networks can place a visitor in the wrong region), so treat it as a best-effort signal rather than a guarantee of where the data subject actually is.
Opt-in consent
By default, a data subject's information is not collected until they explicitly consent, choosing what the organization may gather before any collection takes place.
Brazil, Quebec, the EU and the UK require businesses to provide explicit opt-in based consent prior to using a customer’s data for non-essential purposes.
Opt-out consent
By default, a data subject's information is collected by your web app until the data subject opts out of the use of their data for non-essential purposes.
In California, Colorado, Connecticut, Delaware, Montana, Oregon, and Texas, you must have mechanisms to process a data subject's consent preferences for both online and offline data. DataGrail's Consent Management Platform handles opt-out consent requests for online data. DataGrail's Data Subject Request Manager platform provides a complete solution for a data subject to request that their offline data be automatically removed from your systems in compliance with these requests.
If a region has no associated consent policy framework such as GDPR or CPRA, you can generally use a person's data for tracking, marketing, or advertising purposes. Many organizations nonetheless view privacy as a human right and choose to honor all consent requests. This can also have public relations benefits for the organization.
Configuring Policy Frameworks
In DataGrail, a policy framework is the combination of a regulatory framework and the regions to which that framework applies. After configuring the policies your business must adhere to, you can specify how DataGrail Consent handles online requests via your web app.
How do I set up a policy framework?
Privacy Frameworks are set up during the initial implementation with your Engagement Manager (EM). If you are needing to update/add/remove Privacy Frameworks please reach out to your designated EM or Customer Success Manager (CSM).
How do I manage online consent requests using DataGrail?
After policy frameworks have been set up, you can configure the behavior of online Consent (the "banner" that data subjects see on your web experience) via the Settings tab under Policies.
There are two main considerations for configuring online consent behavior. Each has been assigned an appropriate default based on the language of the associated regulation:
- Show/Hide a banner pop-up on load of your web experience: By selecting yes, the banner pops up on every page load until the user sets their consent preferences. These preferences are then saved as a browser cookie, which is read on subsequent loads to either block or allow the scripts that collect, process, sell or share this data.
- Opt-in versus opt-out: By selecting opt-in, all non-essential categories of scripts are blocked by default by DataGrail Consent unless the data subject selects a different consent preference (i.e. accept all, or selecting specific script categories). By selecting opt-out, non-essential categories load by default until the data subject declines them.
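The two settings above come together in the browser as a small decision: read the stored preference cookie, fall back to the policy default when there is none, and only then inject scripts. The following is an added example written for this article, not DataGrail's own code; the cookie name consent_prefs, the JSON layout of its value, the service inventory and the script URLs are all hypothetical. It applies the four service categories described later on this page (Essentials always loads; Functional, Marketing and Performance are gated), and the policy default is also what applies when a visitor dismisses the banner without choosing.

```javascript
// Added example (not DataGrail code): category-gated script loading driven by a consent cookie.
// Assumptions (hypothetical): the cookie is named "consent_prefs" and holds URL-encoded JSON such as
// {"functional":true,"performance":false,"marketing":false}; the policy mode is "opt-in" or "opt-out".

const COOKIE_NAME = "consent_prefs";          // hypothetical cookie name
const ESSENTIAL = "essentials";                // always allowed
const NON_ESSENTIAL = ["functional", "performance", "marketing"];

// Parse a document.cookie-style string into the saved preferences.
// Returns null when the cookie is absent or malformed, i.e. "no choice recorded yet".
function parseConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== COOKIE_NAME) continue;
    try {
      const obj = JSON.parse(decodeURIComponent(rest.join("=")));
      if (obj && typeof obj === "object") return obj;
    } catch (e) {
      // malformed value: treat exactly like a missing cookie so the policy default applies
    }
    return null;
  }
  return null;
}

// Compute the effective per-category decision.
// No stored choice (first visit, dismissed banner, or garbage cookie) falls back to the policy
// default: opt-in blocks every non-essential category, opt-out allows them all.
function effectiveConsent(prefs, mode) {
  const defaultAllow = mode === "opt-out";
  const consent = { [ESSENTIAL]: true };
  for (const cat of NON_ESSENTIAL) {
    consent[cat] = prefs && typeof prefs[cat] === "boolean" ? prefs[cat] : defaultAllow;
  }
  return consent;
}

// Names of the categorised services that are permitted to load under a consent decision.
function allowedServices(services, consent) {
  return services.filter((s) => consent[s.category] === true).map((s) => s.name);
}

// Serialise a user's explicit choice for document.cookie / Set-Cookie.
// SameSite=Lax and Secure keep the preference from being sent cross-site or over plaintext.
function consentCookieValue(prefs, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(prefs));
  return `${COOKIE_NAME}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Browser-side loader: inject only the allowed script tags. The DOM is optional so the same
// module runs under Node for testing; the list of loaded names is returned either way.
function loadAllowed(services, consent, doc = typeof document !== "undefined" ? document : null) {
  const names = allowedServices(services, consent);
  if (doc) {
    for (const s of services) {
      if (!names.includes(s.name)) continue;
      const el = doc.createElement("script");
      el.src = s.src;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  return names;
}

// Constructed sample inventory, shaped like the output of a tag scan after categorisation.
const SAMPLE_SERVICES = [
  { name: "session-manager", category: "essentials", src: "/js/session.js" },
  { name: "language-prefs", category: "functional", src: "/js/lang.js" },
  { name: "web-analytics", category: "performance", src: "https://analytics.example/tag.js" },
  { name: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Typical page-load flow in the browser (cookie read from document.cookie when available):
function onPageLoad(mode, cookieHeader = typeof document !== "undefined" ? document.cookie : "") {
  const consent = effectiveConsent(parseConsentCookie(cookieHeader), mode);
  return loadAllowed(SAMPLE_SERVICES, consent);
}
```

Two details matter in practice: a category the visitor never answered (for example a cookie written before a new category was added) falls back to the policy default rather than being silently allowed, and a malformed cookie is treated as no choice at all, so an opt-in region never leaks a non-essential script because of a bad cookie value.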
Categorizing Services
A common way to collect online consent preferences is to let the data subject make specific choices per category, based on the category each vendor or service belongs to.
After retrieving the individual services (tags) from Google Tag Manager (GTM), you can categorize these services to enable category based Consent via DataGrail Consent. We offer four default categories based on the purposes as defined by the GDPR [gdpr.eu], which can be amended or expanded based on your organization’s needs.
When you scan for services, we automatically apply the appropriate category to the service, based on what we receive from GTM.
Here’s an overview of each category and some guidance on setting the correct category to each service.
Functional
Functional services improve the website's ease of use via performance and functionality for data subjects. They store code on the device and/or browser that allows a website to remember selections the data subject made during previous visits and how they interact with the website.
Examples are services that remember language settings or keep an account logged in on that website. The website would still load if these services were not running.
Marketing
Marketing services, usually third-party, store code on the device and/or browser that allows a website to track visitors' web activity and build a profile used for targeted advertising. Unlike similar analytics services, they are used for online marketing, passing information about data subjects to channel partners for extra revenue and a targeted ad experience.
Examples are services that remember what a data subject viewed or clicked while browsing the website; this information is then passed to other organizations or used internally to market similar products or services to the data subject. The website would still load if these services were not running.
Essentials
Essential services allow the website to load and let data subjects interact with it. They are loaded automatically when data subjects access the website and use its features and functionality. They serve no purpose beyond delivering the site and are strictly necessary to make the website operational.
Examples are services that allow the website to be loaded and navigated by data subjects. They serve no other function, and without them the website would not load.
Performance
Performance (also called Analytics) is an optional category, related to the Marketing and Functional categories, that organizations use for business intelligence to improve website function and UX. It looks at general trends in how people use the website, not at how an individual user interacts with it, and is not used to market to them.
Examples are the volume of traffic on the website throughout the week, how long data subjects browse certain pages, and which parts of the website they frequent. The website would still load if these services were not running.
Configuring Banner Appearance and Text
Before publishing your online consent banner to users of your web app, you can update the "first-level" banner text and configure its appearance to data subjects when they view the banner on your web app.
Banner Text
The first-level text, i.e. the text that is visible when the banner first loads, can be configured within the Settings tab of DataGrail Consent. You can configure the heading text, description, and button text.
Banner and category text can be localized for more than 30 different locales/languages. Learn more by following our localization guide.
Banner Appearance
DataGrail Consent banner UI can be configured under the appearance tab. You can make basic appearance adjustments, including where the banner appears when it loads on the page. For more customization options to fully style the banner notice to your brand's design system, follow our customization via CSS guide.
Additionally, you can optionally expose an "X" (dismiss) button within the banner. Dismissing retains whatever consent preferences are currently in effect for that user, including those set implicitly by the behaviors defined in the Policies tab. For example, if a user visiting from an EU-based country clicks the X button, they implicitly confirm the opt-in default: no tracking and no non-essential cookies are set during their use of the website. To reiterate: clicking the close button is an acknowledgement that the user made no selection, so whatever policy default your team has configured continues to apply.
Appendix: A Survey of Consent Policy Frameworks
Below are a few key regulations that we monitor and use to guide updates to our Consent tools, so that your organization stays compliant with policies set around the world:
International Regulations
GDPR & UK-GDPR
Requires explicit consent of data subjects to opt-in to any non-essential online data use:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Brazil - LGPD
Requires explicit consent of data subjects to opt-in to any non-essential online data use:
XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose;
Also view Article 8 for further details.
Quebec
Requires explicit consent of data subjects to opt-in to any non-essential online data use:
53.1: "Consent under this Act must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. If the person concerned so requests, assistance must be provided to help him understand the scope of the consent requested. The consent of a minor under 14 years of age is given by the person having parental authority. The consent of a minor 14 years of age or over is given by the minor or by the person having parental authority. Consent is valid only for the time necessary to achieve the purposes for which it was requested. Consent not given in accordance with this Act is without effect."
United States - State Regulations
Generally, data subjects in the US must opt out of any non-essential online data use:
California - CCPA/CPRA
California Consent - by Rob Bonta, AG of California
"Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request. Businesses also should not require you to verify your identity, though they can ask you basic questions to identify which personal information is associated with you."
Colorado - CPA
Colorado Consent - Phil Weiser, AG of Colorado
"Beginning on July 1, 2024, organizations that fall within the CPA’s application thresholds must allow Consumers to opt-out of the Sale of their Personal Data or use of their Personal Data for Targeted Advertising using a Universal Opt-Out Mechanism (UOOM)."
Connecticut - CTDPA
Connecticut Consent - William Tong, AG of Connecticut
"Yes, a consumer can opt-out of the sale of personal data to third parties. A consumer can also designate a third party to opt-out on his or her behalf.
The right to opt-out of:
- the sale of their personal data;
- the processing of personal data for the purposes of targeted advertising; and
- profiling that may have a legal or other significant impact."
Delaware - DPDPA
"(6) Opt out of the processing of the personal data for purposes of any of the following:
a. Targeted advertising.
b. The sale of personal data, except as provided in subsection (b) of § 12D-106 of this chapter.
c. Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer."
Montana - MTCDPA
Montana Consumer Data Privacy Act: SB0384
Section 5:
"(e) opt out of the processing of the consumer's personal data for the purposes of: (i) targeted advertising;
(ii) the sale of the consumer's personal data, except as provided in [section 7(2)]; or
(iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer."
Oregon - OCPA
Section 3:
(d) Opt out from a controller’s processing of personal data of the consumer that the controller processes for any of the following purposes:
(A) Targeted advertising;
(B) Selling the personal data; or
(C) Profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.
Texas - TDPSA
"(5) opt out of the processing of the personal data for purposes of:
(A) targeted advertising;
(B) the sale of personal data; or
(C) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer."
Disclaimer: The information contained in this article does not constitute legal advice. We advise seeking professional counsel before acting on or interpreting any of this material.