The evolving nature of advertising technology can make verifying consumers' cookie consent preferences a difficult component of their data governance obligations.
With the aim to streamline companies' consent verification processes while managing multiple jurisdictions' opt-out requirements, data privacy management vendor Lokker released its new Consent Management Solution. The tool is built into its existing Privacy Edge Platform and is now available to the public.
Lokker's CMS can be deployed on top of a company's existing cookie preference management solution, or operate as the sole tool managing consumer preferences, Lokker CEO Ian Cohen said.
"Basically, we give customers a complete report of everything that's actually happening in their cookie banners, whether they're not using anything, or if what they're using is totally broken," Cohen said. "We give a very clear list that says, 'here are the gaps,' and we keep a list of gaps that they can either fix through their own consent manager, or we can interject with our technology and just block it ourselves."
Cohen indicated the experience of Lokker customers is somewhat similar to that of a consumer browsing the internet and selecting their cookie preferences on a given website's banner.
The tool automatically scans their cookie banners to ensure their correct configuration and presents privacy teams deploying the solution with a "Consent Verification Report" on how effective their websites are at honoring a consumer's preferences. It also identifies banner practices that could be considered dark patterns by a regulator.
At that point, if need be, Cohen said the CMS can be used to block any additional cookies that have been modified by advertising technology firms to circumvent the present signals blocking data collection deployed by a given cookie banner. For instance, if a user is logged in to a social media account while they are selecting "reject all" cookies on another website, the social media site could still potentially drop pixels onto that website that will still extract personal data, despite the user’s preferences.
“Inconsistent cookie blocking is one of the biggest issues we see,” Cohen said. “Adtech and JavaScript are extremely dynamic. They change every week, so we built (Lokker's CMS) to be able to visualize those changes and block them.”
According to Lokker’s Online Data Privacy Report, published in March, 90% of websites reviewed by the company containing a consent banner would share customer data before being able to provide consent to the collection of personal data. Cohen said a best practice for companies is to screen their consent management solutions for customer preference compliance weekly, in order to stay on top of how various adtech trackers are modified.
He added that a given webpage can receive anywhere from 300 to 500 requests a day and each third party embedding a tracker is relying on their own cloud software, which in turn, rely on other cloud software that will drop additional trackers of their own.
"That’s how you get this huge ballooning number of trackers, so while the marketers need to run what they need to run to make money, they're also getting all this downstream stuff that they didn't ask for piggybacking on other trackers," Cohen said. "So, with the consent manager, you have to run it frequently. A lot of the things that are going to drop on a page because of the other trackers on your site, the pixels on your site and the other tags on your site."
Further complicating matters is a lack of regulatory guidance in the U.S. on how categories of cookies are tagged. Cohen said oftentimes websites will still ultimately classify targeted advertising cookies as performance or analytics cookies. Even if a consumer chooses to reject all nonessential cookies, targeting advertising cookies will still get grouped among cookies required for website functionality, he said.
"The problem is there's no real federal guidance around what these categories mean," Cohen said. "So, you have sites putting cookies in categories that are relatively random, but no one would argue that something called targeted advertising should be served in a reject all state."
Alex LaCasse is a staff writer for the IAPP.
