If you’ve followed along with our privacy validation series, you know that we’ve checked for the presence of the privacy policy, the “do not sell/share” link, and the cookie consent banner tag. The next thing you should ask is, “Does my consent management platform (CMP) effectively block/allow specific cookies and tags based on user-specified consent preferences.”
Essentially, you want to know if the CMP is implemented correctly. Just because the cookie banner is there and website visitors can click on it, that alone doesn’t mean it’s effectively functioning as expected behind the scenes.
To demonstrate how you could validate this, we used ObservePoint to run an Audit of OneTrust.com, our example website for this series, and simulated a user that has opted out of non-strictly necessary cookies. In the resulting report, you can see that there are still 11 tags that are firing, even after opting out to a “Disable All” state. This could be fine. There are some tags (and cookies) that are absolutely necessary for a website to function properly.
If we look more closely at the Audit results, however, we can see that some of these technologies are not categorized as “Strictly Necessary” – tags like Google Ads Remarketing and Google Universal Analytics. While they are not being detected on most pages of the site when a user has opted out, there still are a small handful of pages (46 out of the 1000 scanned) on which user consent preferences do not appear to be fully respected.
If you were to find similar behavior on your own website, you would want to examine those pages to see if your CMP is not implemented as expected or if there are other reasons for that potentially noncompliant state to exist.
If you’d like to see how well your own Consent Management Platform is respecting consumer preferences on your website, reach out to get a pre-recorded demo.
Read the next post in our Website Privacy Validation series: Where are new and/or unapproved cookies and technologies showing up on my website?