
How to effectively honor opt-out requests: practical solutions

As we know, opt-out requests happen in a dynamic environment. In part 1, we discussed the different moving pieces to consider in order to ensure that the request is completely and effectively honored. We learned that requests could come from varying sources and types of visitors. Different regulations have their own requirements for honoring opt-out requests. It is also vital to factor in third parties who have placed their cookies on our website, through which they can collect, store, process, and retain data.

After understanding the process and the requirements of opt-out, we now look at its implementation and some of the common challenges that come with it.

Integration with third parties

A common misconception we see is the expectation that the cookie consent tool takes care of all the opt-out requirements. However, it isn’t that simple. The website and the Ad Tech ecosystem are complex. Some websites are powered by other tools or applications like Salesforce or CareerBuilder. Websites can also have third-party applications embedded in them, performing different functions. Third parties can be parties employed to improve websites; parties whose applications and features are used on our websites (for example, an integration with a third party to create forms or questionnaires on your websites); or analytics and other measurement tools like Adobe Analytics, Google Analytics or Facebook pixels, used to measure visits and to track performance and the overall user experience on the websites.

Now, cookies are often deployed in 3 ways:

  1. Directly embedded inside the website as scripts

  2. Through Tag Manager or other applications

  3. Dynamically introduced through other tools. For example, a YouTube video embedded on the website might trigger cookies dynamically when the video is played by the visitor.

Cookie consent tools can block cookies. However, blocking cookies may not be a preferable solution as it disrupts numerous functions within the website. Blocking may also not effectively work on all cookies, especially cookies that are dynamically triggered from other embedded applications, and thus may end up exposing us to compliance issues.

As we consider mechanisms for honoring consent, it’s important to consider all options for blocking cookies. Sometimes it might be necessary to implement more than one way to block or stop cookies.

Options to consider include:

  1. Integrating with various third-party providers’ APIs to pass the opt-out signal to them.

  2. Using tag management tools like Adobe Launch or Google Tag Manager to trigger tags based on consent.

  3. Blocking certain types of cookies from the website using blocking scripts.

  4. Embedding certain tools and configuring them not to collect cookies or other personal information (PI).

As we see, the actual implementation is not simple and can be error-prone if not handled properly. Correct implementation requires good knowledge of Ad Technologies and an understanding of various options offered by these third-party tools to pass consent signals. Integrating consent into tag management tools will give you control over the tags being introduced and might work well for tags added by us (first parties).

As mentioned before, sometimes cookies are dropped dynamically by third-party apps. In this case, it might be hard for tag managers to stop this collection. An example is embedding YouTube videos into the website. When a user plays the video, YouTube can start tracking the user and may drop cookies.
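One way to catch this gap is to audit which cookies still appear after a visitor has opted out, including during interactions such as playing an embedded video. The sketch below is an added example, not code from the original article; the inventory, the `example.com` site domain and the observed cookie strings are constructed, and the cookie names are those commonly documented for these tools and should be verified against your own scan.

```javascript
// Assumed inventory: cookie-name patterns mapped to vendor and category.
const INVENTORY = [
  { pattern: /^session_id$/, vendor: "first-party", category: "essential" },
  { pattern: /^_ga(_.+)?$|^_gid$/, vendor: "Google Analytics", category: "analytics" },
  { pattern: /^_fbp$/, vendor: "Facebook pixel", category: "advertising" },
];

// Constructed observations: cookie strings seen in the browser AFTER the
// visitor opted out, each tagged with the page event that preceded it.
const OBSERVED = [
  { event: "page-load", cookie: "session_id=abc123; Path=/; Secure; HttpOnly" },
  { event: "page-load", cookie: "_ga=GA1.1.111.222; Domain=.example.com; Path=/" },
  { event: "video-play", cookie: "VISITOR_INFO1_LIVE=xyz; Domain=.youtube.com; Path=/" },
];

function cookieName(line) {
  // The name is everything before the first "=" of the first segment.
  return line.split(";")[0].split("=")[0].trim();
}

function cookieDomain(line) {
  const m = /;\s*domain=([^;]+)/i.exec(line);
  return m ? m[1].trim().replace(/^\./, "").toLowerCase() : null;
}

// Returns one finding per cookie that should not be present after opt-out.
function auditAfterOptOut(observed, inventory, siteDomain) {
  const findings = [];
  for (const { event, cookie } of observed) {
    const name = cookieName(cookie);
    const domain = cookieDomain(cookie) || siteDomain; // no Domain attribute: host-only
    const thirdParty = domain !== siteDomain && !domain.endsWith("." + siteDomain);
    const entry = inventory.find((e) => e.pattern.test(name));
    if (!entry) {
      // Unknown cookie: likely introduced dynamically by an embedded tool.
      findings.push({ name, event, domain, thirdParty, issue: "not-in-inventory" });
    } else if (entry.category !== "essential") {
      findings.push({ name, event, domain, thirdParty, issue: "set-after-opt-out", vendor: entry.vendor });
    }
  }
  return findings;
}
```

A finding tagged `not-in-inventory` on an interaction event points at a cookie that neither the tag manager nor the blocking script knows about and that needs its own control.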

In cases where websites are built on top of other tools like Shopify or Salesforce, for example, we can collect consent but often don’t have control over how data is collected internally. In such cases, the consent preferences will have to be passed back to the tool on which our website is built.

So, to summarize, the implementation approach is going to vary significantly depending on the type of websites and the third-party tools used to power the website.

The job of tracking cookies is further complicated when the third parties share the data collected with even more parties in the Real-Time Bidding market. The number of companies participating in the sharing and receiving of collected data is enormous, and the market stands at $14.07 billion in 2023 (source: Real Time Bidding (RTB) Global Market Report 2023).

The Interactive Advertising Bureau (IAB) is currently working on a solution for reaching the hundreds of third parties in the AdTech ecosystem. Companies can register with IAB and set up the IAB Global Privacy Platform (GPP), which informs those third parties tied with IAB of the users’ preferences, i.e., whether they have GPC turned on, their selection on the cookie banner, whether they opted out of targeted advertising, whether they opted out of sensitive data processing, etc. The user’s preferences should be stored in session or local storage so that third parties can check them and proceed accordingly. It is important to note that GPP requires different user preference information to be stored depending on which regulations apply to the user. For example, in Colorado, in the U.S., information on the user’s consent preferences on targeted advertising is required; the same is not required for users from the E.U.

As mentioned above, one solution to overcoming the challenges with third parties on our websites is technical integration and communication with them.

Whenever an opt-out request is received, or a signal is detected, the opt-out technology used should have the capability to automatically communicate the information of the request to the third parties involved so that they honor the request as well. An opt-out request is not effectively and completely honored until the third parties involved are also in compliance with the requirements of the request. If a user wants cookies blocked and sets their preference via the cookie banner, the third parties involved should stop collecting data accordingly. If the user sends in a Delete request via the DSAR portal, the third parties who have collected their data will have to comply with the request and delete their data. Further, it is crucial that information on any changes to the users' consent preferences is passed to third parties. Honoring the user's request does not end once the initial preference information is communicated; ensuring that third parties remain updated is a requirement.

Here, it is important to note that the US does not have a cookie law, as we mentioned in the previous article. The cookies have to be suppressed as part of the opt-out process. When a user submits a Do Not Sell (DNS) request, they opt out of sharing/selling of all data, including data collected via cookies. The same is true when a user opts out of targeted advertising. It’s important to understand the data that is collected and shared outside of cookies. If any data was collected and shared through fingerprinting, pixels, etc., then future collection/sharing with third parties needs to be stopped.

As we build compliance solutions that aren’t merely attempting to block all cookies, our focus should be on understanding how each tag, each cookie, and each pixel works and can be understood, managed, monitored, and controlled whenever needed.

Moving further, we know that opt-out requests can come in from universal opt-out signals like GPC, cookie banners, or subject access requests. While the sources of the requests may differ, their requirements are the same. Under the CCPA, once consumers have opted out of the sale/sharing of personal data, consent for the same cannot be asked again for at least 12 months. However, this can be a huge challenge due to some technical limitations of current solutions. The opt-out technology should be able to track users and their preferences/requests so that they can be informed of any relevant prior requests to ensure that multiple requests are not received within a year of each other. The consent preferences of the users should be retained for a year to ensure that consent need not be asked for again within that period. The CCPA also states that additional information is not required to process an opt-out request unless the information helps facilitate the request, especially if the request is from a known user.

7025(c)(2): The business shall not require a consumer to provide additional information beyond what is necessary to send the signal. However, a business may provide the consumer with an option to provide additional information if it will help facilitate the consumer’s request to opt out of sale/sharing.

The technology used should allow the user to be automatically opted out while their DSA request is being processed. When this happens, the source of the request does not matter, and the request is honored in any case.
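The storage, propagation and 12-month requirements described above can be combined in one small preference store. This is an added sketch, not code from the original article or from any consent product; the storage key, the `vendors` list of `{ name, send }` objects and the 365-day approximation of 12 months are assumptions.

```javascript
const YEAR_MS = 365 * 24 * 60 * 60 * 1000; // 12 months, approximated as 365 days
const KEY = "privacy-preference"; // hypothetical storage key

// Stand-in with the getItem/setItem shape of localStorage so the example
// runs outside a browser; in a page, pass window.localStorage instead.
function memoryStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

function readPreference(store) {
  try {
    return JSON.parse(store.getItem(KEY));
  } catch {
    return null; // unreadable entry: treat as no stored preference
  }
}

// Store the latest choice, whatever its source ("gpc", "banner", "dsar"),
// and pass it to every third party. Vendors that fail are returned for retry.
function setPreference(store, optedOut, source, nowMs, vendors) {
  const record = { optedOut, source, changedAt: nowMs };
  store.setItem(KEY, JSON.stringify(record));
  const failed = [];
  for (const vendor of vendors) {
    try {
      vendor.send(record); // stands in for the vendor's own opt-out API
    } catch {
      failed.push(vendor.name);
    }
  }
  return { record, failed };
}

function isOptedOut(store) {
  const pref = readPreference(store);
  return Boolean(pref && pref.optedOut);
}

// After an opt-out, do not ask the user to opt back in for 12 months.
// The opt-out itself stays in force when that period ends.
function mayAskToOptIn(store, nowMs) {
  const pref = readPreference(store);
  if (!pref || !pref.optedOut) return true;
  return nowMs - pref.changedAt >= YEAR_MS;
}
```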

Complying with different regulations

The ePrivacy Directive in the EU requires that consent is obtained from users before dropping cookies on their websites. In the US, by contrast, state laws like the CCPA, CPA, and VCDPA do not require consent to be obtained prior to collection. However, they require some form of opt-out of targeted advertising or DNS (Do Not Sell) to be presented on websites.

Configuring your opt-out mechanisms according to the location of website visitors is key. A cookie banner configured for visitors from California will not be applicable to visitors from the EU.

Honoring opt-out requests and complying with the requirements, as detailed in the article, can be complex as the Ad Tech ecosystem itself is multiplex and nuanced. Complying requires the right technology as well as people with a deep understanding of AdTech and how Ad Technology works. While the variables and requirements of complying with Ad Tech regulations may be difficult to manage and meet, effective integration with third parties and a robust internal opt-out program is the right way to proceed in today's Ad Tech ecosystem as it leaves the least scope for privacy violations.


