Compliance Module

Overview

The MetaRouter Compliance Module builds upon the foundation of server-to-server data integrations that our platform provides. We stop the stream of data for any users who have opted out of specific consent categories before any event or identity information reaches the relevant vendors. This leads to the maximum level of compliance and respect for your users' consent and privacy expectations.

Prerequisites

  • Installation of the MetaRouter Platform
    • Sync Injector JavaScript library enabled/installed
  • Consent management tool, like OneTrust

Using the Compliance Module

Our Compliance Module provides a means to limit the stream of data to vendors based on user consent preferences. The module seamlessly integrates with common consent tools that your users would interact with. This is how consent management works when you implement vendor integrations through the MetaRouter platform:

  1. A user loads your website and MetaRouter's Analytics.js library loads in the background.
  2. Your consent banner (again, provided by a third party like OneTrust) loads on the user's browser. Your user opts out of some or all tracking.
  3. Your consent banner tool drops a first-party cookie on your user's browser that indicates their desire to opt out of some or all tracking on your website.
  4. MetaRouter's Analytics.js library reads the first-party cookie that was dropped on the page and looks for the consent categories the user has opted out of. MetaRouter will cease any identity syncing with vendor cookies and purge applicable client-side data for all categories the end user has not consented to.
  5. As data is processed by the MetaRouter Platform, each event sent by MetaRouter's Analytics.js library contains compliance metadata that provides server-side mechanisms with the categories the end user has allowed. Events destined for outside parties that match non-consent categories are dropped and prevented from making it outside the MetaRouter platform for that specific vendor.

Scope of Consent Management

The Compliance Module manages identity in the MetaRouter platform through two primary means:

Sync Injector Consent Management

The Sync Injector manages partner identity negotiation for any vendors it is activated for (please reach out to us for a list of integrations that are Sync Injector-compatible, as well as for more information on how the Sync Injector interacts with Analytics.js). The Sync Injector reads compliance preferences off of the first-party consent cookie set by your consent management tool and manages identity sync behavior in the following ways:

  • If the Sync Injector has read vendor cookies and manages them at the time of user consent opt-out, it will purge the cookies that apply to the category of tracking that the user opted out of.
  • Following opt-out, the Sync Injector will ensure that no tools that fall into the category opted out of are allowed to perform identity syncs moving forward.

Integration Consent Management

The MetaRouter Analytics.js library maintains a copy of user consent preferences and passes them into each event you generate through Analytics.js, based on the first-party cookie that your consent manager sets. We will ingest every event into our system regardless of consent preference, but if a user opts out of all tracking or a specific consent category via your consent banner tool, we will drop the event before it reaches the integration. We discuss consent categories below.

Implicit vs. Explicit Consent

There are generally two types of consent that will be inferred when a user has loaded your page but has not stated an opt-out preference:

  • Implicit consent means that we will allow tracking and vendor identity syncs by default. A user must opt out of tracking in order to not be tracked by MetaRouter or downstream integrations.
  • Explicit consent means that we will not track users or perform identity syncs by default. Users must opt in to tracking, at which point the platform will send events for integration categories opted into and perform identity syncs.

MetaRouter supports both types of consent. We typically recommend the implicit consent model unless applicable regulations require explicit consent to be granted.

Purging Cookies

MetaRouter will automatically edit the cookies that it manages directly to remove identification for integrations linked to categories the end user opts out of. We cannot edit cookies set by logic controlled outside of our platform or by client-loaded tags that are present within the browser session. We recommend using the Explicit Consent method, as it will not unintentionally set cookies for categories the end user does not want. Otherwise, you may be forced to purge all cookies and regenerate.

Consent Categories

Integrations are assigned common categories that users can choose to opt out of. This is helpful for ensuring compliance for certain laws such as the General Data Protection Regulation (GDPR) law enacted in the European Union. The MetaRouter library allows for custom category definitions based on the external upstream consent tool you have chosen and how you have configured it. This is also helpful for instances where a tool might provide value to both marketing/advertising and analytics.

Cleared Cookies

If a user clears all cookies from their browser, they will need to opt out again. Our platform relies on the 1st-party cookie set by your consent management tool to store consent preferences, and that cookie will need to be repopulated in order to send those preferences to our platform.

Case Study Example: OneTrust

MetaRouter and a Fortune 500 retail Client have partnered with OneTrust to manage browser-based user consent. In the following workflow overview, OneTrust manages the consent banner as well as historical data "opt out". The MetaRouter ecosystem operates downstream of the consent instructions provided by OneTrust to ensure user tracking preferences are maintained for all data destinations.

Here is the detailed lifecycle of steps for this case study:

  1. Upon implementation of MetaRouter, the Client configures the Sync Injector to work off of Implicit or Explicit consent settings. If Explicit consent is configured, MetaRouter will require an "opt in" cookie value from the consent banner provider in order to pass data to 3rd-parties. If Implicit consent is configured, MetaRouter will operate normally until it reads an "opt out" cookie value.
  2. Additionally, the Client configures the platform to either drop entirely or anonymize data for non-consent ("opt out") categories.
  3. When a user on the Client's website interacts with the consent form managed by OneTrust, they are able to specify their preferences for the following categories inside of the browser:
    1. Strictly Necessary
    2. Functionality
    3. Performance
    4. Targeting Sale
    5. Targeting Service Provider
  4. Once the user sets their consent preferences, OneTrust captures these preferences into a 1st-party cookie that is readable by MetaRouter's Sync Injector. The following is an example of a typical cookie value: datetimestamp=2020-04-14%2010%3A19%3A17-04%3A00&groups=C0001%3A1%2CC0004%3A0%2CC0002%3A1%2CC0003%3A0
  5. On the next library load, the Sync Injector will read this cookie value and take the following actions:
    1. If the user has opted out of any of the consent categories, it will purge the 1st-party cookie set and subsequently restrict any further calls made from the Sync Injector while the consent cookie is available.
    2. The consent information is injected into all event tracking payloads that are ingested by the MetaRouter platform.
    3. Note: if no consent cookie is found by the Sync Injector, MetaRouter applies the configured Implicit or Explicit consent rules.
  6. As MetaRouter splits the ingested event stream into specific destination streams, it reads the consent instructions and either drops or anonymizes data for any integration within a non-consented category.
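
The lifecycle above, as an added example that is not MetaRouter or OneTrust code: it parses the cookie value shown in step 4, applies the Implicit or Explicit default when a category has no stated preference, and drops or anonymizes per destination. The destination names, the category-to-integration mapping, category C0009 and the identity field names (userId, anonymousId) are assumptions made for illustration.

```javascript
// Added example; not MetaRouter or OneTrust code.
// Cookie value copied from the case study above (URL-encoded).
const SAMPLE_COOKIE =
  "datetimestamp=2020-04-14%2010%3A19%3A17-04%3A00" +
  "&groups=C0001%3A1%2CC0004%3A0%2CC0002%3A1%2CC0003%3A0";

// Hypothetical integration-to-category mapping (constructed for this example).
const DESTINATIONS = [
  { name: "analytics-vendor", category: "C0002" },
  { name: "ads-vendor", category: "C0004" },
  { name: "new-vendor", category: "C0009" }, // category absent from the cookie
];

// Parse the "groups" field into a Map of category id -> true/false.
// Returns null when the cookie is missing or holds no usable entries.
function parseConsentGroups(cookieValue) {
  if (typeof cookieValue !== "string" || cookieValue === "") return null;
  const groups = new URLSearchParams(cookieValue).get("groups");
  if (!groups) return null;
  const consent = new Map();
  for (const entry of groups.split(",")) {
    const [id, flag] = entry.split(":").map((s) => s.trim());
    if (!id || (flag !== "0" && flag !== "1")) continue; // ignore malformed entries
    consent.set(id, flag === "1");
  }
  return consent.size > 0 ? consent : null;
}

// A stated preference always wins. With no stated preference, only the
// "implicit" model allows data; any other mode value fails closed.
function isAllowed(consent, category, mode) {
  if (consent && consent.has(category)) return consent.get(category);
  return mode === "implicit";
}

// Split one event into per-destination deliveries. For non-consented
// categories, onOptOut "anonymize" strips identity fields (the field names
// userId/anonymousId are assumptions); any other value drops the event.
function routeEvent(event, cookieValue, mode, onOptOut, destinations = DESTINATIONS) {
  const consent = parseConsentGroups(cookieValue);
  const deliveries = [];
  for (const dest of destinations) {
    if (isAllowed(consent, dest.category, mode)) {
      deliveries.push({ to: dest.name, payload: { ...event } });
    } else if (onOptOut === "anonymize") {
      const { userId, anonymousId, ...rest } = event;
      deliveries.push({ to: dest.name, payload: rest });
    }
  }
  return deliveries;
}
```

Under the Implicit model, a category that is missing from the cookie is treated as allowed, so a newly added integration category receives data until the consent tool records a preference for it. Under the Explicit model the same category receives nothing.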