How Compliance Becomes Sustainable

Digital marketing doesn't succeed without relevant and insightful data about users and customers. This recognition is neither new nor particularly revolutionary. However, it implies a large number of complex requirements for technological, organizational, procedural and legal frameworks that need to be put in place to ensure compliant use of data in one's own company.

Regulations, guidelines and legal terminology in the context of compliance requirements often are quite confusing, but the necessary measures that follow from them really have it as well. Most of the measures to be taken, however, concern the "engine room". In particular, promising process design and structural organization depend on many highly individual factors and are also hardly recognizable from the outside. Others, however, take place at the visible touchpoints, in direct contact with the customer, and therefore require all the more attention.

Bite Mark

"A key element of website compliance is the dialog that companies conduct with the users of their websites regarding the collection and use of personal data."

In other words, the very data that has become indispensable as the basis for successful digital marketing.

Ever since the GDPR came into force in 2018, consent to the use of tracking tools and cookies has become a buzzword. While consent management systems have become inevitable for most website owners, the road from using a consent layer to enabling compliance is quite long.

The first step, of course, concerns the design of the layer in terms of content and form. What information needs to be made transparent at what level and in what detail? Do you really need a directly and clearly visible "reject all" button? Or is it perhaps sufficient if this option remains somewhat better hidden from the user? And how does this work in an international context - within and especially outside the EU?

Another important aspect besides the design of the consent query is the technical functionality behind it. The customer's decision to consent to the collection and use of his data or to reject it - in whole or in part - must, after all, also be translated into technological reality. This task is usually solved by another tool, the tag manager. Depending on the user's consent settings, it controls the delivery of the required tracking tools and cookies. The coordination of the two components - Consent Manager and Tag Manager - presents many users with challenges time and again.

It only begins with an optimized setup

Many companies invest significant time and financial resources in establishing data protection compliance for their websites. It often takes several months until the described aspects in form and content are fulfilled to everyone's satisfaction. Once everything is compliant and approved, the topic usually disappears again.

However, most people overlook the fact that it is only then that everyday life begins, in which numerous influencing factors jeopardize the optimal status quo every day. These influences come from different directions. 

For example, internal or external employees will regularly want to integrate additional tags and tools to implement new marketing use cases that don't automatically show up in the consent layer and tag manager. The machines involved tend to be prone to errors in the context of comprehensive auto-updates or hardware defects. Responsibilities for the front end that are not clearly regulated in the corporate network or with the IT service provider make for incorrect information in the data protection notices. And to make matters worse, legal regulation develops a highly undesirable dynamic with direct consequences for the permissibility of certain gray areas in the layout of the consent layer.

If there is then a lack of binding specifications, consistent processes, and overarching quality assurance measures, it frequently results in a data protection violation due to the loading of tags or the setting of cookies without valid consent. At this point at the latest, the realization matures that the journey does not end with the legally compliant setup, but actually only begins.

Privacy By Design processes are effective risk mitigations

In order to mitigate the risk and get a grip on the influences, a number of measures are available that often already exist in similar form in the company. Starting with an internal view, in addition to conducting employee training, it is also important to create an understandable corporate communication with a clear definition of rules on expectations. The much-vaunted "awareness" of data protection topics cannot be placed high enough at this point.

At the core, however, is the task of revising existing processes and giving them an inherent "privacy-by-design" mindset. The further development of marketing or analytics use cases, for example, often creates the need to make changes to the tool and tracking setup of websites and apps. New providers are to enable new types of applications, cooperation with existing vendors is to be expanded, or previously successfully used tools fall victim to optimization. 

Usually, the associated processes and information flows are not sufficient to ensure a legally compliant transition.

Bite Mark

"The development and implementation of "privacy-by-design" processes is essential to ensure sustainable data protection compliance of the website with the help of the consent layer."

Trust but verify

Even the best process cannot do without comprehensive quality assurance measures. For the regular check of consent layer compliance, it is advisable to look for an automated solution that provides various alert channels in the event of a rule violation in order to inform the dedicated contact persons promptly.

A specific crawler setup, such as that provided by Ryte, offers the possibility of automatically ensuring the correctness of the loaded tags even for a larger number of web pages. This allows faulty load rules to be detected at an early stage and data protection violations to be rectified as quickly as possible.

For effective quality assurance, a number of requirements must be met by such crawler software. Starting with a technically and legally flawless setup of the consent layer and tag manager on a specific date, the tool should perform a regular and fully automated check of the trackers provided in the Tag Manager with regard to any changes that have occurred since the previous check. At the same time, a comparison should take place to determine whether the scripts activated by the Tag Manager match the user's individual selection in the Consent Layer. In this way, all sources of error, from hardcoded scripts to incorrectly defined load rules, can be monitored effectively.

If the system then also documents the data transfer triggered by each individual loaded tracker, even unilateral changes to the data collection by integrated scripts from external partners do not go undetected.