Managing Marketing Cloud Cookie Consent

What is cookie consent?

Put simply, a company must have the end-user's explicit consent to place different types of cookies on a user’s browser. Cookies are small text files that help identify your device, meaning a company can track when and how you interact with their site.

Rather than asking for permission for each individual tool used within a site, they are typically grouped into sections such as: 

• Strictly Necessary Cookies - These are the ones that are needed for the website to run.

• Performance Cookies - Typically used to measure visits and sources with the aim of improving the website.

• Functional Cookies - These ones are related to website personalisation and other enhanced functionality on the site. 

• Targeting Cookies - Think conversion tracking, targeted ads, UTM parameters, Account Engagement (Pardot), or any other marketing automation platform.

Marketing Cloud Account Engagement (MCAE or Pardot for short) is probably one of many tools you use that places a cookie on someone's browser. If this is the case, you would typically use a cookie consent platform to manage all of your consent.

There are quite a lot of different cookie consent platforms but these are a handful of the most popular ones:

• OneTrust

• CookieBot

• Osano

• CookieYes

MarCloud has no affiliation with any of these companies.

1. Compliance

As mentioned earlier, there are regulations to think about when it comes to using cookies. Time to bring out the acronyms!

• The PECR (Privacy and Electronic Communications Regulations) and the GDPR (General Data Protection Regulation)

• I am paraphrasing here, but the gist is to tell people there are cookies on your site, explain what they are doing and why they are there, and finally, to obtain their explicit consent to store said cookies on their browser.
  MarCloud is not a replacement for legal advice, please always consult with your data protection team to ensure compliance. 

• Whilst the PECR and GDPR are similar and have crossover, you will need to ensure you comply with both. The PECR rules only apply to non-essential cookies and consent must meet the standard of the GDPR. Remember, ‘Implied consent’ is unnacceptable! 

• See more about the Information Commissioners Office (ICO) position on cookies here.

Important note: The UK GDPR and the EU GDPR are two different things, albeit very similar. In the context of cookie consent, they are the same.

• The CCPA (California Consumer Privacy Act)

• This is the most lenient regulation because it simply requires that you make users aware that you are placing cookies on the user’s browser instead of asking for permission. Disclosing the information in the form of a banner is considered acceptable. One thing to remember though, end-users are protected and can request the deletion of their data or even access to whatever is being tracked, specific to them. 

Non-compliance can result in fines and generally speaking, it’s poor practice, so you’ll want to ensure you are up-to-date and compliant. 

2. Marketing attribution

Cookie consent is such an important piece of the marketing attribution puzzle. If you do not get this tracking piece right, you will not be able to track:

• Lead Source

• Source campaign

• Web page visits

• First touch / last touch UTM parameters

So, in short, it’s kind of a big deal.

1. Understand the lay of the land

The first step is to understand how your cookie consent tool will work and what tool you use to manage scripts. 

It’s common for companies to use Google Tag Manager and if this applies to you, it will be important to read the technical documentation on how to integrate your cookie consent tool with GTM. Every reputable consent platform should have documentation! 

Some tools are quite intuitive and operate an auto-blocking feature that will prevent code running on the site, and will even auto-categorise your cookies.

Other tools might be free, or quite basic, and in these instances, you may need to configure triggers in Google Tag Manager to listen for when permission is attained. 

For example, in OneTrust you can listen for when the OptanonConsent cookie contains C:0004:1 - which means ‘Targeting cookies’ have been accepted. You can duplicate this trigger to listen for C:0004:0 to know when the permission has been retracted, too.  

At MarCloud, we don’t use Google Tag Manager. We use ‘Piwik Pro’ which has a tag manager and consent tool all-in-one. We opt for this approach simply because we like to go all-in on compliance across GDPR, HIPAA (Health Insurance Portability and Accountability Act), TTDSG (German Federal Act on Privacy in Telecommunications and Telemedia), etc. 

2. Prepare your policies and notices

Some tools are intuitive enough to update your privacy policy for you as and when you add or amend scripts that reference cookies. In any case, it’s important to be aware that any changes to cookies being placed on users’ browsers, you will need to update your policies and notices to reflect this.

3. Enable Tracking & Consent Javascript API

This is a crucial step to ensure Account Engagement can integrate with your cookie consent tool. It’s a simple checkbox that you need to tick. 

Pay attention to the settings surrounding the feature though, as you can align these settings with your privacy policy. Take note of: 

• When you delete visitor records that do not convert.

• Types of cookies placed from your first party domain i.e. will you still place third-party cookies?

• Retroactively recording first touch after an opt-in is a good feature, I recommend enabling this for better lead source data. 

• The max. duration of your cookies

4. Customise the MCAE tracking code as needed

One step that a lot of teams seem to miss is customisation of the MCAE tracking code. To use a cookie consent tool, the original tracking code becomes primitive and you’ll need to update it as per the documentation.

See the Tracking & Consent API documentation here.

The documentation is really good and provides you with a menu of snippets so you can customise your tracking code to exactly how you need it. 

5. Test, test, test! 

It should go without saying, but I’ll say it anyway. Unless you know what you are doing, you should do all of the above in a testing environment. Keep everything siloed in a safe environment because you do not want to be non-compliant! 

Testing is a critical part of this process, simply because there are lots of moving parts when it comes to cookie consent. There’s the cookie consent tool itself with all of the other code it has to manage, likely Google Tag Manager and then of course MCAE. 

I’ve seen lots of mistakes from companies when it comes to cookie consent. Here are the greatest hits: 

1. The cookie consent banner doesn’t add the MCAE tracking when you accept all. 

2. The cookie consent banner appears as well as the MCAE banner (2 x banners).

3. The cookie consent banner is branded exactly like the website and sits in the bottom right of the page without blocking scrolling, effectively making it invisible.

4. Cross-domain problems - no consistency across domains and tracking issues.

5. Without any action whatsoever, automatically opting people into tracking (non-compliant!). 

If all is done correctly, you should see the pi_opt_in set to ‘true’.

I wrote this blog because cookie consent is fiddly and can get quite complicated. Hopefully, it helps but if it just muddies the water more, please do reach out. 

A short project with us to get this fixed is a one-time deal and you don’t need to worry about cookie compliance with MCAE again for a long time.

See more about integrating Account Engagement with your cookie consent tool or get in touch to discuss your project and receive a quote.