Consent Policies

DataGrail has worked with outside counsel to configure how consent initially controls the execution of trackers on your site by geolocation. This is done using policies, a concept shared across DataGrail Consent and Request Manager.

This article reviews how policy configuration works in DataGrail Consent, geared towards privacy managers and developers implementing our product.

Broadly speaking, there are two channels through which you can request consent for data processing: online and offline consent. DataGrail offers solutions for handling both types of channels and requests.

Online - IP Address/Web-Browsing

Online consent is explicit, session‑level permission (often inferred via the user’s IP address) that determines which trackers may process the user’s online personal data and browsing activity.

Policy Configuration

Offline - Email, Address, etc.

Offline consent is explicit permission granted via identifiers like email or mailing address that governs collection and use of a data subject’s offline personal data.

DataGrail Do Not Sell/Share

Handling Offline Consent Requests

DataGrail's Data Subject Request Management platform allows you to effectively manage and process Do Not Sell and Share/Opt-out Requests submitted by data subjects of your web apps.

You can configure how DataGrail Consent honors offline Opt-Out Requests by editing your policy configurations, as described here.

Configuring Policies

You can review how DataGrail manages the firing behavior of trackers and cookies within the Policies tab under Settings. Here, you will see the list of policies that have been configured for your environment, each corresponding to common regulatory frameworks such as CPRA or GDPR.

When a user visits your web app, we detect their location and map it to a policy so that we can initialize trackers based on the behaviors defined within this screen.

Default Policies

The default policies in your account have been established by DataGrail on a best effort basis under the guidance of our legal counsel; however, you should consult your own in-house counsel to verify the behaviors within each policy align with your internal stance towards privacy and business objectives.

If you would like to make changes to your configured policies, please reach out to support@datagrail.io.

Visibility

You can set whether the banner is visible to first-time data subjects arriving on your website.

Visible: The banner will appear and remain visible until the data subject has made a consent choice, either through making a selection on your banner notice or using a browser signal.

Hidden: The banner will not be visible unless the data subject finds a link to your banner, often in the footer of your page.

As an example, GDPR requires that you show a notice to data subjects when they first arrive on your site, so we have preconfigured this setting to Visible. In contrast, many US states do not have this requirement, so we set this configuration to Hidden.

Layout

You can set, by policy, which layout configuration is displayed on your site when users see your banner notice. This means you can offer a specifically designed banner notice to data subjects visiting your site from a specific location.

DataGrail has configured two default layouts: a Global layout and a US Standard layout, which are mapped to the appropriate policies.

The main difference between these two is the verbiage of both the primary text and button actions, but you can override these defaults per your counsel's guidance. For example, you may wish to create a California Layout that specifically has a "Do Not Sell or Share My Information" button that triggers the rejection of marketing trackers only.

Initial Tracking Behavior

The collection, processing, and selling/sharing of a data subject’s data is granted by a data subject via two primary mechanisms: opt-in consent or opt-out consent.

Opt-in consent means a data subject is automatically opted out of non-essential tracking services until they give explicit permission.

To achieve this behavior in DataGrail, deselect all non-essential tracking services under Initial Tracking Behavior for the policy.

GDPR Options

Opt-out consent means a data subject is automatically opted in to all non-essential tracking services until they explicitly opt out through the banner.

To achieve this behavior in DataGrail, select all tracking services under Initial Tracking Behavior for the policy.

Global Privacy Rights Options

Configuring Consent For Regions Without Privacy Frameworks

If a region does not have an associated consent policy framework, such as GDPR or CPRA, you can generally use a person’s data for tracking, marketing, or advertising purposes.

Many organizations view privacy as a human right and choose to honor all consent requests. This can have public relations benefits to the organization!

Browser Signal Opt Out Handling

GPC (Global Privacy Control) and DNT (Do Not Track) are proposed web standards that have been implemented by Chrome, Firefox, Brave, and other browsers to allow users to set their consent preferences for all websites they visit.

For each policy, you can configure whether or not these signals are honored for data subjects visiting your site from these regions and, if honored, what trackers should be enabled upon the receipt of this signal.

CPRA Options

As an example, CPRA requires that website owners respect the GPC signal as a means of opting out of the sale and share of personal data, but does not explicitly acknowledge the DNT signal.

In DataGrail Consent, you can configure the CPRA policy using the example above, which means that for data subjects who arrive on your site with the GPC signal, any trackers or cookies assigned to the marketing category are disabled.
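The per-policy decision described above (visibility, initial tracking behavior, and browser signal handling) can be sketched as follows. This is an added example, not DataGrail's code: the policy shape, the category names other than essential and marketing, and the GDPR signal settings are constructed for illustration.

```javascript
// Added example. The policy shape and category names are constructed for
// illustration; they are not DataGrail's schema or API.
const CATEGORIES = ["essential", "functional", "marketing"];

const POLICIES = {
  // Opt-in: non-essential services deselected, banner visible on first visit.
  gdpr: { visible: true, initial: ["essential"],
          honorGpc: true, honorDnt: true, onSignal: ["essential"] },
  // Opt-out: everything selected, banner hidden, GPC honored, DNT not.
  cpra: { visible: false, initial: CATEGORIES,
          honorGpc: true, honorDnt: false,
          onSignal: ["essential", "functional"] },
};

// Normalize the two browser signals from a navigator-like object.
function readSignals(nav) {
  return {
    gpc: nav.globalPrivacyControl === true,
    dnt: nav.doNotTrack === "1",
  };
}

// Decide what a first-time visitor gets before any banner interaction.
function initialState(policy, signals) {
  const honored = [];
  if (policy.honorGpc && signals.gpc) honored.push("gpc");
  if (policy.honorDnt && signals.dnt) honored.push("dnt");
  const allowed = honored.length ? policy.onSignal : policy.initial;
  return {
    enabled: CATEGORIES.filter((c) => c === "essential" || allowed.includes(c)),
    // An honored signal counts as a consent choice, so the banner is not shown.
    bannerVisible: policy.visible && honored.length === 0,
    honoredSignals: honored,
  };
}

// Constructed visitor: GPC on, DNT on, mapped to the CPRA policy.
const visitor = readSignals({ globalPrivacyControl: true, doNotTrack: "1" });
console.log(initialState(POLICIES.cpra, visitor));
```

In a browser, pass `navigator` to `readSignals`; the same check can be made server-side from the request headers.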

Opt Out Request Handling

You can configure how DataGrail Consent responds to offline opt-out requests using the Request Manager tool with a simple configuration by policy. This makes it easy to link an offline request to an online request.

Opt Out Handling

As an example, CPRA requires that you honor a user's right to opt out of both e-mail communications and online trackers. If you have Request Manager enabled, you can configure DataGrail Consent to automatically set a data subject's consent choice after the user submits a request.

US Privacy Strings

Beta Feature

This feature is available on request for customers. We will need some information from your privacy/legal teams to set up the variables necessary to emit the correct consent choices to third party advertisers.

If your website serves personalized advertising, you can enable support for the GPP US Privacy Strings (uspv1 and usnat), which inform these advertising networks to serve ads that are non-personalized or otherwise not dependent on personally identifiable information.

By selecting Enabled, DataGrail will emit the appropriate information (as an encoded string) when a user makes a consent preference.

If this setting is Disabled, DataGrail will not emit US privacy strings.
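When validating a deployment, it helps to confirm that the emitted string agrees with the choice the visitor made. The following added example (not DataGrail's code) parses the four-character uspv1 value as defined by the IAB US Privacy String format and compares its sale opt-out flag with a recorded choice. The `choice.marketing` field and its mapping to the opt-out flag are assumptions, and usnat and the GPP container encoding are not covered.

```javascript
// Added example. Parses the four-character uspv1 value; the mapping from a
// "marketing" consent category to the sale opt-out flag is an assumption.
const FLAG = { Y: true, N: false, "-": null }; // "-" means not applicable

function parseUsp(value) {
  const m = /^1([YN-])([YN-])([YN-])$/.exec(String(value));
  if (!m) return null; // wrong length, unknown version, or bad character
  return {
    version: 1,
    noticeGiven: FLAG[m[1]],     // notice and opportunity to opt out given
    optedOutOfSale: FLAG[m[2]],  // user has opted out of sale
    lspaCovered: FLAG[m[3]],     // covered by the IAB LSPA
  };
}

// Compare an emitted string with the consent choice recorded for the visitor.
// choice.marketing is true when marketing trackers are allowed (hypothetical).
// Returns a list of problems; an empty list means the two agree.
function checkEmitted(value, choice) {
  const usp = parseUsp(value);
  if (!usp) return ["malformed uspv1 value"];
  const problems = [];
  // "-" in the opt-out position means the flag does not apply; nothing to compare.
  if (usp.optedOutOfSale === null) return problems;
  if (usp.optedOutOfSale !== !choice.marketing) {
    problems.push("opt-out flag disagrees with marketing choice");
  }
  return problems;
}

// Constructed samples: the visitor rejected marketing trackers.
console.log(checkEmitted("1YYN", { marketing: false })); // agrees
console.log(checkEmitted("1YNN", { marketing: false })); // disagrees
```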

Below are a few key regulations that we monitor and use to guide any updates to our Consent tools to ensure your organization is continuously compliant with policies set around the world:

International Regulations

GDPR & UK-GDPR

Requires explicit consent of data subjects to opt-in to any non-essential online data use:

Article 4. Section 11.

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

Brazil - LGPD

Requires explicit consent of data subjects to opt-in to any non-essential online data use:

Article 5 XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose; Also view Article 8 for further details.

Quebec

Requires explicit consent of data subjects to opt-in to any non-essential online data use:

53.1: "Consent under this Act must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. If the person concerned so requests, assistance must be provided to help him understand the scope of the consent requested. The consent of a minor under 14 years of age is given by the person having parental authority. The consent of a minor 14 years of age or over is given by the minor or by the person having parental authority. Consent is valid only for the time necessary to achieve the purposes for which it was requested. Consent not given in accordance with this Act is without effect."

United States Regulations

Generally, data subjects in the US must opt out of any non-essential online data use:

California - CCPA/CPRA

California Consent - Rob Bonta, AG of California

"Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request. Businesses also should not require you to verify your identity, though they can ask you basic questions to identify which personal information is associated with you."

CCPA Opt-Out Icon

To promote consumer awareness of the right to opt out, the Attorney General has developed a recognizable and uniform opt-out icon that businesses can use on their website. As a best practice, DataGrail recommends using this icon on your site's footer to launch the Consent Banner.

Colorado - CPA

Colorado Consent - Phil Weiser, AG of Colorado

"Beginning on July 1, 2024, organizations that fall within the CPA’s application thresholds must allow Consumers to opt-out of the Sale of their Personal Data or use of their Personal Data for Targeted Advertising using a Universal Opt-Out Mechanism (UOOM)."

Connecticut - CTDPA

Connecticut Consent - William Tong, AG of Connecticut

"Yes, a consumer can opt-out of the sale of personal data to third parties. A consumer can also designate a third party to opt-out on his or her behalf. The right to opt-out of: - the sale of their personal data; - the processing of personal data for the purposes of targeted advertising; and - profiling that may have a legal or other significant impact."

Delaware - DPDPA

HOUSE BILL NO. 154

"(6) Opt out of the processing of the personal data for purposes of any of the following: a. Targeted advertising. b. The sale of personal data, except as provided in subsection (b) of § 12D-106 of this chapter. c. Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer."

Montana - MTCDPA

Montana Consumer Data Privacy Act: SB0384

Section 5: "(e) opt out of the processing of the consumer's personal data for the purposes of: (i) targeted advertising; (ii) the sale of the consumer's personal data, except as provided in [section 7(2)]; or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer."

Oregon - OCPA

Senate Bill 619

Section 3: (d) Opt out from a controller’s processing of personal data of the consumer that the controller processes for any of the following purposes: (A) Targeted advertising; (B) Selling the personal data; or (C) Profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.

Texas - TDPSA

Sec. 541.051

"(5) opt out of the processing of the personal data for purposes of: (A) targeted advertising; (B) the sale of personal data; or (C) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer."

 


Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.