Now that we’ve checked the privacy policy, and the do not sell/share link, the next issue we’re addressing in our continuing privacy validation series is the presence of the cookie consent banner. This is the banner that allows visitors to your website to opt into or out of the types of cookie categories they prefer. The question is, does the consent management banner load no matter which page of the website is the entry point?
A lot of the large privacy fines we’re seeing have been around cookie consent. In 2021, Amazon was fined €35M by France under the GDPR for dropping cookies before users had consented to them.
If we jump back into OneTrust (our example website and the company that actually provides the cookie consent technology), the consent banner appears right at the bottom of their homepage, and it shows up just about everywhere if you manually click through their site or enter from other landing pages.
When you click on the banner, it gives you the option to disable all (non-strictly-necessary) cookies, allow them all, or customize your cookie consent settings. This can either be a quick, one-click experience if you choose “Allow” or “Disable,” or it can provide a nice modal that pops up and allows you to choose the specific categories of cookies you consent to.
To check for the presence of the banner, you can manually click through hundreds or thousands (or more?) of URLs and verify it shows up on each page. But rather than trying to manually spot-check this on a regular basis and spending a lot of your own very limited time, you can use an automated auditing solution like ObservePoint. Let’s jump into the ObservePoint solution to show you an example audit of 1000 pages from OneTrust.com.
By reviewing the Tag Inventory report, you can see “OneTrust CMP” near the top of the results. That’s the tag that loads the cookie banner, and you can see that it was present on almost every page of the 1000 we scanned. Great! However, there were eight pages where we did not detect it, meaning there could be gaps in expected coverage. From here, we can click on it to see exactly which eight pages were missing the banner tag.
It may be appropriate in certain scenarios that the banner is not present on a page, for example, if you’re not on the public website but are behind user logins or other types of authentication gates. It is important for each organization to determine for themselves what level of coverage is appropriate for their website to meet compliance with data privacy standards. At a minimum, it would be important to become familiar with any pages-such as the eight pages here from our Audit on OneTrust.com-on which a consent banner is not detected. Is there a reason your banner isn’t loading? And if it should be, how do you quickly remediate the issue to close that gap?
If you’d like to see how your own website fares in delivering consistent coverage of your cookie consent banner, reach out about getting started.
Read the next post in our Website Privacy Validation series: Does my CMP effectively respect all possible consent profiles?
