Since 2018 and the establishment of the GDPR in Europe, it has been mandatory for a website to request the consent of its users to store cookies in their browsers. But asking is not enough; the choice must also be respected. And this is not always the case… This is what is called “façade consent.” You think you are making a choice, but whatever you choose, third-party scripts are executed and, therefore, cookies are set.
We could establish three types of consent:
- Rule-based consent: requested and respected
- Façade consent: requested but not respected
- Absence of requested consent
Not asking for consent is not necessarily a sign of violating the rules. Many sites do not implement any trackers, so they have no interest in setting up a CMP (Consent Management Platform) like Axeptio.
The most problematic case is façade consent. This is often involuntary and results from a lack of technical knowledge when installing the consent module. The consequences can still be significant for a site that falls into this category. In addition to the lack of transparency and the potential loss of user trust in the brand, the site risks being served with an injunction or sanctions from the CNIL.
So how can you check whether the user’s choice is respected?
Two methods can be used:
- Based on cookies
- Based on requests
1. A method based on cookies
A. Use the Web Inspector
To open the web inspector, right-click and choose Inspect in Chrome (Inspect Element in Safari).
Then, go to Application (or Storage on Safari) and select your domain in the Cookies section.
To test whether consent is respected on a site, delete all cookies and do not consent. If you still see cookies like _ga, _fbc, _fbp, and _gid, the site is not compliant with the GDPR.
B. Use EditThisCookie
Another solution is to use the Chrome plugin EditThisCookie. It performs the same function as the web inspector but in a simpler way. Additionally, you can delete all your cookies at once by clicking on the trash can.
2. A method based on requests
A. Analyzing outgoing requests
Another method to analyze if analytics or marketing trackers are present on the site is through outgoing requests.
Once again, open the inspector and go to the Network section. You can then search one by one for vendors such as:
If such a request is sent even though consent was refused, it is possible that the site is not compliant with current legislation. However, there are exceptions detailed below.
B. The case of server-side tracking
Some sites choose to configure their tracking on the server side. It may happen that a Google Analytics request is still sent despite the refusal of cookies. This does not necessarily mean that the site is not compliant with the GDPR. To make sure, additional checks must be performed:
- The outgoing request must be directed to a tracking subdomain (e.g., measure.mondomain.com) and not to Google Analytics.
- No cookies should be set in the browser, as this would mean that consent is not managed on the server side (and therefore, we are in a case of façade consent).
To learn more about consent management in the context of server-side tracking, you can read our dedicated article.
C. The case of Google Consent Mode
Google Consent Mode is a feature that allows tracking tags to be triggered for Google Analytics and Google Ads, even when the user does not consent. The CNIL has not ruled on this feature, which does not deposit cookies, but still sends (anonymized) information to Google’s servers.
At Axeptio, we do not recommend installing Google Consent Mode.
You can detect a site that uses it through the gcs parameter in the content of a Google Analytics or Google Ads request. This gcs parameter takes one of several codes depending on the user’s choice:
- G100: The user has refused consent.
- G101: The user has refused advertising tracking but accepted analytics cookies.
- G110: The user has accepted advertising tracking but refused analytics cookies.
- G111: The user has given consent for both advertising and analytics.
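The checks described above (tracking cookies after a refusal, outgoing vendor requests, the server-side exception and the gcs codes) combined into one audit function. This is an added example, not Axeptio's code: the `auditRefusal` name, the finding labels, the auditor-supplied `trackerHosts` list and reading `gcs` from the URL query string are assumptions, and the sample session is constructed.

```javascript
// Added example: audit a browsing session recorded after clicking "refuse".
const TRACKING_COOKIES = ["_ga", "_gid", "_fbc", "_fbp"]; // cookie names cited in the article
// gcs codes as described in the article: which purposes the tag reports as consented.
const GCS = new Map([
  ["G100", { ads: false, analytics: false }],
  ["G101", { ads: false, analytics: true }],
  ["G110", { ads: true, analytics: false }],
  ["G111", { ads: true, analytics: true }],
]);
const under = (host, domain) => host === domain || host.endsWith("." + domain);

function auditRefusal({ siteDomain, trackerHosts, requestUrls, cookieNames }) {
  const findings = [];
  // Cookie method: any tracking cookie present after a refusal is façade consent.
  for (const name of cookieNames.filter((n) => TRACKING_COOKIES.includes(n))) {
    findings.push({ type: "cookie-after-refusal", detail: name });
  }
  // Request method: inspect every outgoing URL.
  for (const raw of requestUrls) {
    const url = new URL(raw);
    const host = url.hostname.toLowerCase();
    const gcs = url.searchParams.get("gcs");
    if (gcs !== null) {
      const state = GCS.get(gcs);
      if (!state) findings.push({ type: "unknown-gcs", detail: `${host} gcs=${gcs}` });
      else if (state.ads || state.analytics)
        findings.push({ type: "gcs-contradicts-refusal", detail: `${host} gcs=${gcs}` });
      else findings.push({ type: "consent-mode-in-use", detail: `${host} gcs=${gcs}` });
    } else if (!under(host, siteDomain) && trackerHosts.some((t) => under(host, t))) {
      // Direct hit on a vendor host without Consent Mode, despite the refusal.
      findings.push({ type: "tracker-request-after-refusal", detail: host });
    }
    // First-party (server-side) endpoints are judged by the cookie check above.
  }
  return findings;
}

// Constructed sample session (not real traffic).
const sample = {
  siteDomain: "mondomain.com",
  trackerHosts: ["google-analytics.com"], // assumption: vendor list supplied by the auditor
  requestUrls: [
    "https://measure.mondomain.com/collect?v=2",
    "https://www.google-analytics.com/g/collect?v=2&gcs=G100",
    "https://www.google-analytics.com/g/collect?v=2&gcs=G111",
    "https://www.google-analytics.com/collect?v=1",
  ],
  cookieNames: ["_ga", "session_id"],
};
console.log(auditRefusal(sample));
```

An empty result means neither method found evidence of façade consent in the recorded session; a `consent-mode-in-use` finding only reports that Google Consent Mode is active, as discussed above.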
Installing a consent management platform (CMP) is insufficient to make a site compliant with the CNIL. It is necessary to ensure that the CMP is correctly linked to the triggering of tracking scripts. As you have seen, verifying that the user’s choice is respected is simple, so it is essential to install your module fully. Do not hesitate to contact the Axeptio teams to help with your module installation.