Overview

MetaRouter Advanced Consent Enforcement (ACE) helps your organization achieve compliance with the European GDPR law and similar privacy-oriented regulations. It integrates with almost any Consent Management Platform (CMP) or homegrown solution to ensure that downstream vendors receive data according to a user’s consent selections made within a consent banner.

Prerequisites

Your organization must already be using a consent management tool, whether that is a dedicated CMP like OneTrust or another tool that manages functions such as triggering a consent banner, setting consent cookies, and managing consent categorizations.

In order to use Advanced Consent Enforcement effectively, you should understand your CMP configurations. Specifically, you need to know:

• The name of the consent cookie that your CMP sets.
• The consent categories, associated codes/identifiers that represent each category within your consent cookie, and vendors included within each category.
• The event payload being sent to MetaRouter needs to include a consent object in the following format. The cookie_code needs to align with the consent category codes you created within Advanced Consent Enforcement UI.

{  
    "context": {  
      "consent": {  
        "explicit": "true/false",  
        "optOut": {  
          "cookie_code1": "true/false",  
          "cookie_code2": "true/false"  
        }  
      }  
    }  
  }

You should be able to find all of this information within your CMP. If you do not know this information, please reach out to your CMP administrator or legal team for help.

Configuring Advanced Consent Enforcement

With the information you found in the Prerequisites section on hand, you can begin streamlining your consent management through ACE:

1. Create Your Categories

Login to your enterprise.metarouter.io account. From the main dashboard, select Settings in the left navigation and then select Consent Settings. Begin creating your categories by selecting Add Category and input a Category Code and Category name. The Category Name is a friendly name that will help you quickly identify the category within the MetaRouter UI, while the category code needs to map to the category code/identifier that is set within the consent cookie. Fill this information out for each category that a user can opt-in or out of within your banner.

2. Assign a Category to Your Integrations

In the left-hand navigation bar, open to the Pipelines tab. If you have existing Pipelines configured then you will just need to select Add Integration and then select a consent category from the dropdown. This list will be made up of consent categories created during step one. You will also be able to make updates to consent categories by selecting a Integration tied to a Pipeline and making changes in the model dropdown.

If you are creating a new Pipeline, you will need to create that first, and then follow the above steps. 

We recommend you consult with your legal and data team when determining your consent requirements. 

3. Assign a Category to Your ID Syncs

In the left-hand navigation bar, open the Pipelines tab. Find a pipeline associated with a web source where you’d like to implement ACE. In the top-right of the pipeline card, hover over the 3-dot button and select the File Builder.

Within the File Builder page, scroll down the Sync Injector section. When you add a new Identity Sync you will be able to assign the sync a consent category via the Consent Type drop down (the drop down will display the consent categories stored in the consent settings page). Typically, this should be set to the same category that the associated integration is set to. Fill this out for each sync you would like ACE to manage.

Implementing Consent Cookie on Your Site

1. Cookie Format

To ensure proper consent enforcement, the cookie must be formatted as described below and included the categories configured in the UI. Here’s an example script that rewrites a cookie to our required format:

window.addEventListener('CookiebotOnConsentReady', function() {
    let marketing = Cookiebot.consent.marketing ? 1 : 0;
    let necessary = Cookiebot.consent.necessary ? 1 : 0;
    let statistics = Cookiebot.consent.statistics ? 1 : 0;
    let preferences = Cookiebot.consent.preferences ? 1 : 0;

    let consentString = 'necessary:' + necessary + ',C0001:' + necessary +
        ',preferences:' + preferences + ',C0003:' + preferences +
        ',statistics:' + statistics + ',C0002:' + statistics +
        ',marketing:' + marketing + ',C0004:' + marketing;

    console.log("consent changed:" + consentString);
    document.cookie = "OptanonConsent=groups=" + encodeURIComponent(consentString) + ';path=/;domain=.metarouter.io';
    window.analytics.refreshCompliance();
});

In this example:

necessary, marketing, statistics, and preferences are the consent categories configured in your account.
The consent status (1 for granted, 0 for denied) is appended to each category.
The cookie is named OptanonConsent, which is the default but can be configured in the tag when you are building a file in the MetaRouter UI.

2. Ensuring the Cookie Changes with Consent

As consent preferences change, it’s crucial to update the cookie accordingly. The event listener CookiebotOnConsentReady (or the equivalent event for your cookie control system) should trigger when consent preferences are set. This ensures the cookie reflects the current consent state:

3. Verifying Cookie Changes in the Payload

To verify that the cookie changes are being correctly reflected in the payload, inspect the payload data sent to your server. Here’s how you can do it:

• Check the Cookie: Ensure the cookie is updated in your browser’s developer tools under the Application tab (for Chrome) or Storage tab (for Firefox). Look for the OptanonConsent cookie and check its value. (If you have configured your cookie to be a different name, then look for that naming convention in the respective cookie storage area).
• Verify Payload Data: Use network monitoring tools (like the Network tab in browser developer tools) to capture the requests sent to your server. Look for the payload that includes the consent data and verify it matches the expected format:

📘

If you are using the MetaRouter tag for collection, the payload can be found under the context object

Another Example Payload:

groups=necessary:1,C0001:1,preferences:1,C0003:1,statistics:1,C0002:1,marketing:1

By following these steps, you can ensure the cookie is updated correctly with each change in consent and that the changes are properly reflected in the data payloads sent to your server.

How Advanced Consent Enforcement Works

The Advanced Consent Enforcement workflow occurs through the following steps. Please note that ACE will only apply consent enforcement to vendors that are integrated through the MetaRouter platform; it cannot control tags or other data integrations that are setup outside of MetaRouter.

1. Your website loads along with your consent banner. This consent banner is typically either triggered through your CMP of choice, or through an in-house solution you have built to your users’ consent preferences.
2. A user makes their consent selections. Typically, the options include an Accept All button, Decline All/Strictly Necessary button, and options that further specify which vendors (or categories of vendors) may track a user.
3. Once a user makes a selection, a first-party cookie is typically set by the vendor that includes opt-in and opt-out preferences.
4. The MetaRouter Sync Injector looks for and reads the first-party consent cookie, including the opt-in/opt-out data contained within. It pulls this information into the MetaRouter first-party cookie space.
5. If a user accepts tracking preferences, the Sync Injector will function per usual. If the Sync Injector detects an opt-out, it will purge any identifiers that are associated with vendors that were included in the opt-out selection. It also will not fire any API calls to vendors included in the opt-out selection.
6. All events generated by the Analytics.js library are enriched with consent preference data and sent to your MetaRouter platform. Each integration will individually enforce consent preferences, ensuring that no data is sent to an opted-out vendor. Any vendors not included in the opt-out will continue to receive event data.

Implicit & Explicit Tracking

Within the File Builder, you have the ability to declare whether MetaRouter should use an Implicit tracking methodology or an Explicit tracking methodology. Implicit tracking means that MetaRouter will begin event collection and routing before a user interacts with a consent banner. This option will result in more event data being tracked, as it does not rely on a specific user opt-in to begin tracking. Implicit tracking is required by laws similar to the California Consumer Privacy Act (CCPA).

Explicit tracking requires a user to opt-in to tracking via the consent banner before any event collection can occur. This results in less data tracked, but may represent a more user privacy-friendly option. It is required by laws like the European GDPR law.

❗️

When determining whether to use Implicit or Explicit tracking, always refer to guidance from your legal council and regulations governing the region(s) where you are performing data collection.

Additional Considerations

Does Advanced Consent Enforcement meet the requirements of Google Consent Mode v2?

Google Consent Mode v2 was announced in November 2023 and will become mandatory for all Google services, including Google Ads and Google Analytics, by March 2024. Advanced Consent Enforcement meets Consent Mode v2 requirements. Users will just need to create the Google Consent Mode v2 category structure within the Advance Consent Enforcement.

If I add, update or remove consent categories what impacts will that have within my MetaRouter org?

You can add as many categories to your MetaRouter org as you wish. The only time your data flow will be impacted is when you utilize these categories for new Syncs or Integrations. When you create and deploy a file containing a set of consent categories, MetaRouter will specifically search for those corresponding cookie codes and filter events carrying those values. If you create new categories and assign them to syncs and integrations without generating a new file, the event payload will not incorporate the new consent category. Consequently, MetaRouter will not register a consent value for the sync and/or integration, instead passing all events with default settings. Should you add new consent categories and link them to syncs and integrations that are subsequently deployed, you must create and deploy a new file to include the consent cookie code as part of the payload.

Once consent categories are associated with syncs and integrations, you cannot make changes or delete them until they are removed. This helps safeguard syncs and integrations from searching for a consent code that no longer exists.

What consent circumstances would require me to create and deploy new file?

When adding or modifying consent categories assigned to active Identity Syncs or Integrations, it is crucial to ensure alignment between your active file and the consent categories utilized by these Syncs and Integrations.

If I am already using OneTrust with MetaRouter, what categories should I assign to my Integrations and Identity Syncs now that it is not a default?

When configuring your integrations using the OneTrust consent structure, please ensure to assign the following codes to the syncs and integrations. The friendly names can be customized according to your preferences and business requirements.