When the EU’s General Data Protection Regulation (GDPR) was put into effect, web users from the EU gained a legal ability to maintain rights over their personal data for the first time. Awareness of privacy issues became mainstream at that point, too.
In 2021, similar regulations took effect in the US. The California Consumer Privacy Act (CCPA) grants similar rights to CA residents. With two additional states passing similar bills this year, Colorado and Virginia, and even more in the works, we have to put in the extra work to be in compliance.
Today, every serious marketing website should implement a consent management system that gives users control over the tools in use for tracking data. The user needs to be able to opt out of anything that could lead to retargeting or even personalization.
In our MarTech implementation practice for rapidly growing companies, we’ve been implementing consent management with Segment. We find Segment’s documentation to be great as is, but we also put our own spin on it by adding Google Tag Manager into the mix. So below, we’re laying out the steps you can take for an amazing solution. Get ready to geek out.
Common Consent Management Terms, Defined
One of the current marketing analytics trends is that regulatory mandates keep pouring in, and many marketers are taking up consent management for the first time. It’s a complex sub-topic of measurement setup, and you’ll need a developer experienced or interested in analytics. But once you know the concepts we’re about to explain, it can be fairly straightforward, and we’re writing this guide for the general public.
Here is a handful of definitions to introduce or clarify the essential terms:
- Consent State: The currently-selected set of consent preferences.
- Default Consent State: The consent preferences that are automatically applied to users who chose not to set their own preferences, or who haven’t done so yet. Default settings can differ by region, for instance. Visitors coming or potentially coming from Europe tend to get default consent states that are more limited.
- Consent Forms: The forms in which the users record their consent preferences, typically in a box at the bottom of the page. You can see one right above this section.
- Google Tag Manager Tags: Code snippets that execute the tracking.
- Google Tag Manager Triggers: Commands that define when tags that would otherwise remain inactive execute their tracking.
- Google Tag Manager Variables: Values in tags or triggers that can be replaced automatically, as a way to automate or scale your data collection setup.
- CCPA: California legislation that grants state residents rights in regards to the processing and selling of personally-identifiable data.
- GDPR: EU legislation that requires businesses to protect the privacy and personal data of residents of member states, and which applies to all transactions involving those residents.
- First-party Cookies: Records of user activity. Created, stored and used directly by the site or platform that the visitor was on. So e.g. when Facebook records a cookie about your visit and uses that to show you an ad, it only needs to use a first-party cookie. When you personalize your site (e.g. with the help of Segment Personas) based on the user’s previous visit to the same site, it’s also based on first-party cookies.
- Third-party Cookies: Cookies stored and used by a site different from the one where they were originally recorded. So e.g. when Facebook retargets you based on a cookie about your visit to another website, third-party cookies are being stored. This is a common way for large ad platforms to target users, and it’s also the subject of intense regulation right now. Third-party cookies are what iOS 14 and its ITP, and also Google Chrome, are finally deprecating.
Why Combine Segment and GTM for the Best Consent Management Platform
The goal is to create a solution that’ll stand the test of time and the intensifying legal requirements. As a stepping stone, we need the solution to rely on first-party data, instead of the deprecating third-party type.
The Integration Powers of Segment
As described in Segment’s consent management write-up, Segment alone can do a lot for you and your users’ cookie preferences. We’ve been a Segment technology partner for years, we’ve built tools for the Segment platform such as the historical and offline data importer, and we love recommending Segment as the backbone of the best tech stacks. It’s our customer data platform (CDP) of choice, an excellent connector, and a key tool for building solutions for tracking customer journeys or for marketing automation.
For the needs of consent management, Segment’s consent solution is a great choice because it already is the platform you use to translate and pipe data through your entire stack. So the team integrated this amazing consent management feature which saves a first-party cookie that automatically manages downstream data destinations. In other words, without a lot of extra work, Segment Consent Manager tells your tools which data they’re allowed to receive.
When a user visits the website with Segment’s consent solution, a consent form is triggered, usually embedded in an alert shown during the first visit. Through the alert, the user is informed about the different tracking in place, and asked for consent or preferences. They also will be given an option to opt out. The default state needs to be such that when the user doesn’t select preferences, the consent state defaults to no consent for regions where this is a requirement.
Segment reinforces the consent process for you in two ways that we like to highlight:
1. Automatic detection of visitor region
2. Automatic sending of the preferences to all your integrations
For (1.), Segment uses language and time zone settings to determine the user’s approximate region. They stay on the safe side, so if you’re e.g. using a European language but you’re browsing from the US, your default consent state will still comply with GDPR.
For (2.), Segment makes sure that all the tools you integrate via Segment understand the tracking preferences for the user. A first-party cookie is stored, and the consent preferences are followed until cookies are reset.
The fact that the team at Segment is truly proactive about data privacy is one of the reasons we love implementing Segment. The compliance solutions are built for GDPR, and now also updated for CCPA. They proactively help you abide by the strict regulations regardless of your data infrastructure. The team even put their standalone consent management script on GitHub, which you can use as a part of your analytics.js.
The Future-Proofing Powers of GTM
With all the above praise for Segment’s consent management abilities, let’s now explain why our solution integrates with GTM.
First, we don’t like to think “Segment vs. GTM”. We like to think “Segment with GTM”. GTM is implemented in most of our stacks in combination with Segment. GTM truly is a great tag manager, with the best capabilities for managing website triggers and variables. We default to it for firing all analytics tags.
Second, Google is forced to be at the forefront of data privacy and is a key player in setting the new tracking standards. So now GTM comes with a baked-in consent system, along with thorough documentation. The system is only in beta at the time of this writing (late 2021), but it already provides significant benefits, and it has been evolving fast.
The Case Study of Implementing Consent Manager for Sprinklr.com
Sprinklr is a client of ours. In this case study about a solution we implemented together, we’re using the consent management provided by Segment, with our addition of a GTM integration.
The client’s developers implemented the Segment consent management solution on their sprinklr.com site, which runs on Gatsby. They worked with us to ensure that this consent solution would also work with marketing tags deployed in GTM, and therefore with GTM’s new consent system. Once we QA’d and confirmed Segment’s solution was working as expected, we were able to expose Segment’s consent management cookie to GTM.
The Setup Steps for the Combined Consent Management Solution
The cookies we are describing are always first-party, set directly by the website’s server.
When visiting sprinklr.com, you see the Segment consent system in action via the familiar banner that shows by the footer, aka the privacy banner for GDPR or CCPA. We also call it the consent form.
The consent form is provided by Segment out of the box. You natively load Segment on the site, then you natively load the consent manager library, and the form will appear.
When clicking MORE INFO, the consent options will appear. If you’re in Europe, the default consent state is set to “No” for Marketing and Analytics, as well as for Advertising. This is because Segment identifies user location by IP and language settings.
What Segment does is set a first-party cookie, called tracking-preferences. The cookie manages the state of consent. Once it is present, it works automatically in Segment’s downstream destinations. Nothing else needs to be configured with those destinations: they’ll automatically be aware of privacy preferences, and they’ll know when to track or not track an event in Amplitude, GA, or any other platform.
It’s important that we make sure Segment’s destinations receive the correct consent preferences. But using both GTM and Segment together allows us to use other tools that Segment may not currently have integrations for, so it’s equally important for tracking tags in GTM to receive the correct consent state. To make it seamless, we devised a way for GTM to interact with the Segment consent system.
We instruct GTM to watch the Segment cookie, tracking-preferences. We also include a new first-party cookie to track the initial consent state, called initial-preferences. The new cookie is set in the Gatsby site before the GTM container loads, which helps make sure that no tracking happens without a default consent state being defined.
At the bottom of the screenshot below, you can see the value of the initial-preferences cookie as it is set for a user in Europe. Functional is set to “true” — it is so by default for everyone, and marketingAndAnalytics as well as advertising are set to “false” — the default when you’re in Europe. In the US, the latter would be set to true. This is an example of the default consent state.
GTM’s consent state is built around the idea that there is a default state when the site loads, and you can change the state later by changing preferences in the consent form. Selecting a different preference on the form would trigger an update to the cookie, and GTM would see that change.
Let’s look at the GTM side and the customizations that let us hook GTM into Segment’s consent management feature. You can see that we set custom variables for marketing & advertising, as well as for analytics. There’s a default and an update version for each (default = initial).
If you’d also like a peek at the code of one of the custom variables, here it is.
You use the custom variable at different steps while GTM loads. It checks for the default/initial preferences first, followed by Segment’s tracking preferences. If Segment’s consent state doesn’t exist yet, we fall back to GTM’s initial consent state, which is also set correctly based on user location. Let us underline that it is the website that sets the cookie first, and has it ready for GTM to read before any tags fire.
What enables this system are GTM’s Consent Initialization and Initialization steps. These two steps are purpose-built for consent management. The steps always happen before the Container Loaded step. And adding our custom consent state variables means that we can define a default consent state in GTM ourselves. This is the perfect way to initialize GTM to honor consent state on the site.
GTM’s Debugger is another way we like to use to explain how this works.
Under “2 Consent Initialization”, the tag “Analytics – Set Default Consent State” is what sets the initial tracking preferences.
Then there is the Initialization step that always happens before GTM loads and after consent initialization, used to update consent if anything has changed. This second step is when we check Segment’s tracking-preferences cookie, which will have the most up-to-date consent settings from the visitor. The Segment cookie tracks when a user has interacted with the consent form, and maybe declined analytics or advertising.
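The lookup order described above, as an added example (not the custom variable from the original article or from the client’s GTM container): it resolves one consent category from the two cookies, denies when a tracking-preferences cookie is present but unreadable, and grants only on a literal boolean true. The cookie names come from the article; the JSON layouts (Segment’s choices under a `custom` key, a flat object in initial-preferences) and all function names are assumptions.

```javascript
// Added example. Cookie names are from the article; JSON layouts are assumed.
const CATEGORIES = ['functional', 'marketingAndAnalytics', 'advertising'];

// Parse a document.cookie-style string into a Map of name -> raw value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Decode one cookie as a JSON object; null when absent or malformed.
function readJsonCookie(jar, name) {
  if (!jar.has(name)) return null;
  try {
    const value = JSON.parse(decodeURIComponent(jar.get(name)));
    return value !== null && typeof value === 'object' ? value : null;
  } catch (err) {
    return null; // bad percent-encoding or bad JSON
  }
}

// Resolve one category to the 'granted' / 'denied' strings GTM consent uses.
function resolveConsent(cookieString, category) {
  if (!CATEGORIES.includes(category)) return 'denied';
  const jar = parseCookies(cookieString);
  const tracking = readJsonCookie(jar, 'tracking-preferences');
  const initial = readJsonCookie(jar, 'initial-preferences');
  // A visitor's choice that cannot be read must not be replaced by defaults.
  if (jar.has('tracking-preferences') && tracking === null) return 'denied';
  // Assumed layout: the visitor's choices live under tracking.custom.
  const chosen = tracking && tracking.custom;
  const hasChoice = chosen !== null && typeof chosen === 'object' &&
    typeof chosen[category] === 'boolean';
  const source = hasChoice ? chosen : initial;
  // Fail closed: only a literal boolean true grants consent.
  return source && source[category] === true ? 'granted' : 'denied';
}

// Constructed sample: EU defaults, then the visitor allows analytics only.
const enc = (obj) => encodeURIComponent(JSON.stringify(obj));
const SAMPLE_COOKIES =
  'initial-preferences=' + enc({ functional: true, marketingAndAnalytics: false, advertising: false }) +
  '; tracking-preferences=' + enc({ custom: { functional: true, marketingAndAnalytics: true, advertising: false } });

for (const c of CATEGORIES) console.log(c, resolveConsent(SAMPLE_COOKIES, c));
```

In a GTM Custom JavaScript Variable the same logic would read `document.cookie` instead of taking the string as a parameter.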
The Perks of the Combined Consent Manager Solution
#1: GTM Already Natively Supports Consent States for All Tags
One thing we love about this solution is that GTM supports consent states natively for every tag. When you go into the configuration in any tag, you’ll see the key feature to let us manage consent this way. And once you’ve set a consent state, you can require it to be present for a tag to fire. Any tag!
On the example of a custom Vimeo interaction tag, you can see the toggle for requiring a consent state. The drop-down shows the available consent states we’ve set up before.
Every GTM tag type supports these consent settings, and it simply won’t fire if the requirement and the cookie are not set. You don’t need to mess with tag trigger exceptions anymore.
#2: Future-proofing Your Consent Manager Implementation
We think the combination of Segment and GTM is useful for future-proofing. As Google improves and expands features for consent management, we already have our foot in the door because we’re already using the foundational consent management features by Google.
Any other future features that Google’s consent management might provide will be faster for us to use. Even as regulations evolve, the current setup will likely integrate with new consent systems with minimal additional work. We expect the setup outlined above to have more and more value.
At this point, we should give you no more words to help explain. Instead, here’s a diagram we made to help you wrap your head around what we built.