Fun with consent cookies and meta tags
01 July 2019
This blog has GDPR consent management on it. (I'm running OIL.js which is open source.) That's the cookie dialog you probably saw on your first visit, or every visit if you clear cookies or use private browsing mode.
As any web user knows by now, the consent dialogs as currently used have a bunch of problems. Consent management platforms (CMPs) are behind on both UX and accuracy.
They're annoying, especially on small screens.
They don't accurately capture what the user really intends to consent to. They're more like "click to make this stupid dialog go away" management platforms.
If your site has to do consent management, and uses a CMP, there is a solution, currently being tested as a browser extension. Global Consent Manager does a couple of things.
First, it will temporarily populate your consent string (using the Interactive Advertising Bureau's own Transparency and Consent Framework) with a value indicating "no consent." This is equivalent to visiting the site the first time and drilling down to some consent managemnt screen and choosing all "no".
Later, if you show that you're interested in the site, Global Consent Manager removes the temporary "no consent" and allows the site or the CMP to present the original consent interface.
For a site, why would you want users doing this instead of capturing all the consent you can as soon as you can? Look at the engagement study. People stay engaged with a news task longer when they don't have to provide consent for everything up front. (This idea is totally borrowed from LinkedIn. They don't make you fill in your whole profile at once before you start using the site. They let you try it first, then prompt you for more info when you're more likely to think it's worth the exchange of value for value.)
Smoother consent management UX sounds great, but how do we scale it? How can Global Consent Manager, and future next-generation consent handling features in browsers, tell which of a site's many cookies is the consent cookie, and what to set it to?
I suggest a pair of meta tags.
meta name="consent-location" -- Name of the consent cookie. (Or could be extended to support other ways to persist the consent information.)
meta name="consent-format -- Format of the consent string. Oil.js has a little extra JSON around the IAB TCF string, so we need to handle that and any other CMPs that do their own thing.
More testing coming soon. The meta tags are on this page now, and I'll make some more test pages with different variants.