Introduction
In this case study, we will explore the Tealium Consent Manager implementation for a leading UK bank that operates over 1000 websites & 14 mobile apps. The primary goal was to ensure an exceptional user experience while maintaining the highest levels of compliance across all EU countries.
Background
Facing the challenge of non-compliant consent management, the bank sought a robust solution across its extensive web presence. Tealium emerged as the preferred choice due to its ability to provide a consent solution as well as the level of flexibility needed.
Project Goals
- Consent Manager deployment across 1000+ websites, numerous countries and brands that can handle various regulatory nuances.
- Consent Logging Solution that would provide functional reassurance and actionable insights.
- Automated Quality Assurance to proactively identify and address any changes to cookies and tags.
- Integrate a custom solution for consent ingestion before video analytics tracking.
- Provide technical support to Data Privacy teams handling PIA/DPIA submissions and improve the process to categorise new trackers.
Challenges
- The websites are not identical in terms of dataLayer and tracking vendors.
- The solution must cover the same features & functions across web & mobile.
- There is no room for error. The solution needs to be vetted by several teams of internal stakeholders (Technical, Legal, Data privacy, Business) across all entities that are adopting it.
- While GDPR / ePrivacy is the framework to implement, country-level Data Privacy requirements must also be met. However, the solution has to remain as re-usable as possible across other websites & apps.
- Some websites are split into multiple subdomains. Each subdomain is owned by a separate entity, in some cases with different tagging vendors and conflicting compliance requirements.
Tooling selection
For consent management and consent logging, we explored “off-the-shelf” Consent Management Platforms (CMPs), which are specifically designed for this purpose. We found that these solutions struggled with the following:
- Capturing cookie consent logs is a sensitive area. You are capturing data both for users who have opted out of analytics/marketing and for those who have accepted analytics/marketing cookies. To respect users' preferences, we had to segment those two types of logs. For the former we captured only the essential data, whereas for the latter we could capture more data and merge it with other data points used for analytics purposes. We then needed that data to go into our GCP cloud for data visualisations. The CMPs could not provide that level of flexibility.
- We needed to make sure that all trackers on the websites respected consent, regardless of whether they were managed with Tealium. In one particular case we had to make a DOM variable for consent, which had to be dynamically created on every page with a specific video player. We used Tealium to capture the consent and make it available as a dataLayer variable. A tag that fired on pages with the player then picked up the consent from the dataLayer and updated the DOM, making the consent available to the player so that it was respected.
- When exploring the CMPs we found that if you are specific about your consent manager's look and feel, you will need a developer, and then someone will need to own the UI. With Tealium, you can create the UI in Tealium or in the Content Management System. That way, the setup is cleaner and there is no additional ownership to think about.
- A dynamic cookie policy updates itself automatically as the CMP identifies cookie changes on the website. This carries significant risks: cookies identified in error, failed categorisation and incorrect descriptions. Manual corrections are almost always necessary. GDPR requires companies to list out cookie vendors in the Cookie Policy. However, CMPs automatically list out individual cookies. This creates more risk of errors and requires extra checks.
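The log segmentation described in the first point above, as an added example (not code from the project): each consent event is projected through an allowlist, and the wider field set is used only when analytics consent is an explicit `true`. The field names, category names and stream names are hypothetical, and the sample events are constructed.

```javascript
// Added illustration: field, category and stream names are hypothetical,
// not the schema used in the project described on this page.

// Fields that may be logged for every visitor, including opted-out ones.
const ESSENTIAL_FIELDS = ["consent_id", "timestamp", "domain", "policy_version", "categories"];
// Extra fields allowed only when analytics consent was explicitly granted.
const ANALYTICS_FIELDS = ["visitor_id", "page_path", "referrer", "device_type"];

function hasAnalyticsConsent(event) {
  // Fail closed: anything other than an explicit boolean true counts as "no".
  const c = event && event.categories;
  return Boolean(c) && typeof c === "object" && c.analytics === true;
}

// Copy only the named fields that are actually present on the source object.
function pick(source, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(source, f)) out[f] = source[f];
  }
  return out;
}

// Returns { stream, record }. Because this is an allowlist projection,
// unexpected fields in the raw event never reach either log.
function buildConsentLog(event) {
  if (!event || typeof event !== "object") throw new TypeError("event must be an object");
  if (hasAnalyticsConsent(event)) {
    return { stream: "consent_log_enriched",
             record: pick(event, ESSENTIAL_FIELDS.concat(ANALYTICS_FIELDS)) };
  }
  return { stream: "consent_log_essential", record: pick(event, ESSENTIAL_FIELDS) };
}

// Constructed sample events.
const optedOut = {
  consent_id: "c-001", timestamp: "2024-01-01T10:00:00Z", domain: "example.test",
  policy_version: "3", categories: { analytics: false, marketing: false },
  visitor_id: "v-123", page_path: "/loans", email: "a@example.test",
};
const optedIn = { ...optedOut, consent_id: "c-002",
  categories: { analytics: true, marketing: false } };

console.log(buildConsentLog(optedOut));
console.log(buildConsentLog(optedIn));
```
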
We also explored solutions to capture the trackers that were used on the websites. We again checked the CMPs for this. Our requirements were basic – we needed a solution that could capture the tracking tech used on the correct domains, while excluding certain URLs. We also hoped to capture trackers on the mobile apps. The issues we came across were as follows:
- Some of the most well-known CMPs failed on basic exclusions of URLs and domains. As a result, we captured cookies that were governed by different cookie notices.
- In some cases, the scan failed to interact with the existing consent manager.
- We lacked the flexibility to add custom JavaScript, which would, for example, allow us to check which of our pages had a certain media player.
- None of the platforms did a decent job of showing the correct tracking tech used on the mobile apps.
In conclusion, while Consent Management Platforms make it simple for users to do most of the basic checks, they failed when it came to a very large organisation that needed a lot of flexibility and custom features.
Tealium is the right tool for the job
For consent management we used the Tealium Consent Manager, which allowed us to develop everything we needed, including:
- Custom UI, including language logic integrated with the host pages, along with the possibility to create the UI in our own Content Management Platform.
- Direct integration with all the tags and any additional logic where required.
- Consent logging via Tealium EventStream directly to Google Cloud Platform (GCP), which allowed a lot of flexibility and use cases for the data.
- The consent data was readily available on the dataLayer of the website, which gave us the flexibility for the consent data to be used by other features on the website.
- The historic consent data was also stored on the cloud for easy access by the systems that needed to make data usage decisions post data collection to ensure that use cases are respecting consent. We were also able to set up alerts for when we had discrepancies in consents captured.
Solution Architecture for our Tealium Consent Manager Implementation
Due to the high level of complexity of this solution, we worked closely with Tealium Professional Services. Their expertise was crucial and made it possible for us to align Web & Mobile requirements when implementing the Consent Manager and the Consent Logging Solution. Their constant support and technical knowledge improved overall confidence that we were on the right track to deliver the solution, while also making sure best practices were always followed.
We used the Collect Tag deployed using Tealium iQ. The cookie consent data was captured through the Collect Tag and sent to Tealium EventStream. The data was then sent to BigQuery for storage, with Looker facilitating data visualisation and report generation.
Data points & fail-safes
On top of capturing various data points required for compliance purposes, our client also asked for features that would mitigate risks:
- Designed a robust database schema with built-in fail-safes.
- Implemented automated alerts for potential data integrity issues.
- Provided the BAU team with a troubleshooting process in case of missing/incorrect data, along with a remediation plan for an extensive list of scenarios.
Here is what the payloads to BigQuery looked like:
ObservePoint for Automated Quality Assurance
For auditing the trackers and cookies used on the pages, we used ObservePoint. We found it to be superior to all the offerings of the CMPs. ObservePoint’s onboarding team supported us throughout the implementation and made sure all aspects of the project were carefully considered and covered.
Here are the benefits we saw:
- ObservePoint balances flexibility with ease of use. It’s easy to pick up and you can learn more as you get comfortable. It allows you to go into a level of complexity that you might need for certain use cases.
- It allows you to include/exclude specific URLs or add regular expressions to be very specific about what you need to have scanned.
- It allows adding custom JavaScript which is a massive flexibility boost. We automated interactions with our consent manager and features on the website. We used it to identify certain page elements. It can even be used to check if all third-party cookies are “partitioned”. See here why that’s important.
- It neatly shows where a specific cookie or tracker was found and what triggered it. This saves time and makes the handover easier to non-technical users.
- The BAU teams loved the privacy feature which shows what new tags and cookies were identified from the previous scan, which became the backbone of the automated compliance monitoring system.
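The partitioned-cookie check mentioned in the list above, as an added example (not the project's or ObservePoint's code): it audits `Set-Cookie` headers captured during a scan and flags third-party cookies that lack `Partitioned`, or that set it without `Secure`, which browsers require for partitioned cookies. The capture format, the first-party domain list and the sample headers are assumptions constructed for illustration.

```javascript
// Added illustration: the capture format ({ host, setCookie }) and the
// first-party domain list are assumptions; sample headers are constructed.

// Parse one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = { name: eq === -1 ? "" : parts[0].slice(0, eq), attrs: {} };
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// A host is first-party if it equals, or is a subdomain of, a listed domain.
function isFirstParty(host, firstPartyDomains) {
  const h = host.toLowerCase();
  return firstPartyDomains.some((d) => h === d || h.endsWith("." + d));
}

// Returns one finding per third-party cookie that is not correctly partitioned.
function auditPartitioning(captures, firstPartyDomains) {
  const findings = [];
  for (const { host, setCookie } of captures) {
    if (isFirstParty(host, firstPartyDomains)) continue;
    const { name, attrs } = parseSetCookie(setCookie);
    if (!attrs.partitioned) {
      findings.push({ host, name, issue: "third-party cookie without Partitioned" });
    } else if (!attrs.secure) {
      findings.push({ host, name, issue: "Partitioned set without Secure" });
    }
  }
  return findings;
}

// Constructed sample capture from a scan of a page on bank.example.
const sampleCaptures = [
  { host: "www.bank.example", setCookie: "session=abc; Path=/; Secure; HttpOnly" },
  { host: "video.vendor.example", setCookie: "vid=1; Path=/; Secure; SameSite=None; Partitioned" },
  { host: "ads.tracker.example", setCookie: "uid=9; Path=/; Secure; SameSite=None" },
  { host: "cdn.widget.example", setCookie: "w=1; SameSite=None; partitioned" },
];

console.log(auditPartitioning(sampleCaptures, ["bank.example"]));
```
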
Results and Benefits of Tealium Consent Manager Implementations
- Streamlined data collection through a unified solution.
- Enhanced Data Privacy and Security achieved via Server-Side Implementation.
- GDPR Compliance ensured throughout data collection and storage processes.
- Seamless user experience maintained across platforms using Tealium’s Consent Manager.
- Automated quality assurance using ObservePoint.
- Handled consent for video player analytics using a custom JavaScript extension deployed using Tealium iQ.
- Provided documentation for the BAU teams handling the Consent Manager & Consent Logging Solution and improved the process to categorise new trackers using ObservePoint.
Conclusion
This analytics implementation project was a significant step towards achieving both regulatory compliance and a frictionless user experience for the UK bank’s extensive digital ecosystem.