Adrian Javier
 · Pun Enthusiast

Cookie Consent & GDPR Compliance Support

Note: To fully leverage this feature, you will need access to the Ceros SDK.

As a Studio user, you may be wondering if the content you are creating on the platform is GDPR compliant. Or, you may be wondering, what even is GDPR Compliance? In this article, we’ll take a look at how GDPR Compliance and Cookie Consent are defined, and how this relates to the content you’re creating in the Studio.

First things first: What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law that centers around data protection and privacy in the European Union and the European Economic Area. It is the toughest privacy and security law in the world. While the legislation was drafted and passed by the EU, its obligations apply to organizations anywhere, so long as they target or collect data related to people in the EU. It also addresses the transfer of personal data outside the EU and European Economic Area (EEA). 

GDPR requires businesses operating in the European Union (EU) to give consumers control and choice over the personal data that is collected and used, and in most cases, must ask for their explicit consent before data collection happens.

Source: GDPR.EU. Note: this is not an official EU Commission or Government resource.

Cookie Compliance

To be GDPR compliant, websites must adhere to specific rules regarding certain types of cookies and how they are stored. They must also allow users to decline or consent to websites storing cookies that are used to track them (for analytics, advertising, and other purposes). Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity.

To comply with the regulations governing cookies under GDPR, websites must:

  1. Receive users’ consent before you use any cookies except strictly necessary cookies.

  2. Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.

  3. Document and store consent received from users.

  4. Allow users to access your service even if they refuse to allow the use of certain cookies

  5. Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

How does this affect my Studio experiences?

By default, experiences are not GDPR compliant, because they include analytics tracking cookies without asking the user for consent. However, you may enable a feature on individual experiences that will disable these cookies when a user opens the experience (more on this below). From there, you will be able to implement your banner and use our SDK, which will give the user the ability to accept or decline the analytics tracking cookies.

If the “Require User Consent” option is enabled, all analytics will still be collected, but the IP address will be anonymized so that it does not include the last octet of the IP address.

What data is still collected, but anonymized?

For Studio Analytics, the only Personal Identifiable Information (PII) we collect is the user’s IP address. This allows some geolocation information to be gathered, without potentially identifying the user. Additionally, any user who has opted out of tracking cookies will appear as a unique user on every visit. This is all that is required to meet basic requirements for compliance. 

For Google Analytics, we will use consent mode when the “Require User Consent” option is enabled. This will set the “analytics_storage” option to “denied”. You can read more on how consent mode works here. We also set “anonimize_ip” to “true”, which you can read more about here.  

Enabling GDPR Cookie Compliance for a Studio Experience

Once your CSM has activated Cookie Compliance for your account, you will have the ability to apply Cookie Compliance settings at an experience level. 

Once enabled, you’ll see a Cookie Compliance tab in your Settings panel. Here, you’ll have the ability to check “Require User Consent”. This setting disables analytics cookies and ensures that some analytics data will not be tracked until user consent is granted.

With the “Require User Consent” setting enabled, Studio Analytics and Google Analytics (if you use it) will still collect some anonymized statistics, but any information that would personally identify a user will not be collected. Additionally, users will not be tracked across visits, and will appear as a unique visitor every time.

Compliance settings work in both standalone and embedded Studio experiences. If you’re using a third party Consent Management Platform, read on to the CMP section for more information. 

Using a Consent Management Platform (CMP)

Consent Management Platforms (CMPs) are necessary to build compliant cookie consent banners on your website. 

These platforms are a gateway to a business’s website or native app. This means they are typically the first experience that visitors will have with your business. CMPs store proof-of-consent and preference choices, handle visitors who request to alter data the website collects, and can provide additional transparency into a site’s data collection and usage practices.

By following the below instructions, you’ll connect your CMP with the Studio and ensure that the code is placed first in the head of the experience, which will ensure that Analytics comes after the CMP code. 

How to set up your CMP in the Studio

  1. Login to the Studio and open the experience you’d like to make compliant 

  2. In your Settings panel, click on the Cookie Compliance tab

  3. Check the “Require User Consent” checkbox

  4. Check the “Integrate with a CMP” checkbox

  5. Once the text field appears, enter the Custom CMP HTML code. This code should be provided to you by your CMP, it is the same code that allows you to add your CMP to any other webpage.

  6. This code block will be added to the HTML source code of your Studio experience at the top of the <head> tag. 

Note: Ceros is not responsible for custom scripting or coding (JavaScript, HTML, etc) that affects the availability or functionality of your Studio experience as outlined in the Ceros SLA.

You will also need to add code that will use our SDK to control the analytics cookies when a user makes a selection using your CMP. You may need a Javascript developer to implement this code for you.

Here is some example code when using the SDK with the OneTrust CMP. Other CMP implementations will be different. In this example, the OneTrust-specific code is the OptanonWrapper function; the applyConsent function can be used with any CMP to apply the user’s consent selection. This code should come after any code provided by your CMP.

<script>
function applyConsent(hasConsent) {
 // If require isn't available, try again in a moment.
 // This can happen when this code is included before the Require.js script.
 if (typeof require === 'undefined') {
   return setTimeout(function() {
     applyConsent(hasConsent);
   }, 10);
 }

 // Configure Require.js to require the SDK
 require.config({
   paths: {
     CerosSDK: "//sdk.ceros.com/standalone-player-sdk-v5.min"
   }
 });

 // Use the SDK to find the experience and set the user consent selection.
 require(['CerosSDK'], function(CerosSDK) {
   CerosSDK.findExperience().done(function(experience) {
     // Apply the consent selection to the experience.
     experience.setUserConsentForAnalytics(hasConsent);
   });
 });
}

// Run it once to kick off the SDK loading
applyConsent(false);

/**
* OneTrust-specific code
* Function that runs any time there is a change to consent via OneTrust
*/
function OptanonWrapper() {
 var hasConsent = OnetrustActiveGroups.indexOf('C0004') !== -1;
 applyConsent(hasConsent);
}
</script>

Using the SDK to Control Analytics Cookies

Our SDK has a function to toggle analytics cookies “On” and “Off.” This function will cause your Studio experience to enable or disable analytics cookies and anonymization. Using a browser feature called “local storage,” it will also save this selection so that the user’s selection is remembered and analytics cookies are stored or not stored accordingly on subsequent visits.

If you are not familiar with the Ceros SDK, you can read about how to get started with it here.

The function to control analytics cookies is setUserConsentForAnalytics(consent). The consent argument should be set to true if the user consented to tracking, or false if not.

To determine if a selection has been made, you can use the function getUserConsentForAnalytics(callback). The callback function that is passed in should accept one argument called “consent”, which will be equal to a string with one of the following values:

  • “Consented” – When the user specifically consented to analytics tracking.

  • “Declined” – When the user specifically declined analytics tracking.

  • “Unknown” – When the user has not made a selection.

More information about these functions can be found in the Experience Level Commands section of our SDK documentation.

If you’ve built a banner within your Studio experience, here is how you connect it to the SDK:

  1. Create the banner in the Studio

  2. Copy the SDK IDs for each button as well as the banner itself

  3. In the experience settings, add the following Custom HTML that uses the SDK to set the user’s cookie consent selection and hide the banner whenever they click a button, as well as hide the banner when the experience loads if a selection has already been made:

<script>
require.config({
 paths: {
   CerosSDK: "//sdk.ceros.com/standalone-player-sdk-v5.min"
 }
});

require(['CerosSDK'], function(CerosSDK) {
 CerosSDK.findExperience()
   .done(function(experience) {
     var banner = experience.findComponentById('[banner-sdk-id]');
     var acceptButton = experience.findComponentById('[accept-sdk-id]');
     var declineButton = experience.findComponentById('[decline-sdk-id]');

     // When the Accept button is clicked, enable tracking and hide the banner
     acceptButton.on(CerosSDK.EVENTS.CLICKED, function () {
       experience.setUserConsentForAnalytics(true);
       banner.hide();
     });

     // When the Accept button is clicked, keep tracking disabled and 
     // hide the banner
     declineButton.on(CerosSDK.EVENTS.CLICKED, function () {
       experience.setUserConsentForAnalytics(false);
       banner.hide();
     });

     // When the experience loads, if the user made a selection, 
     // hide the banner
     experience.getUserConsentForAnalytics(function(consent) {
       if (consent !== 'Unknown') {
         banner.hide();
       }
     });
   })
   .fail(function(error) {
     console.error(error);
   });
});
</script>

If you use your own banner that is outside of the Studio (and is not a Consent Management Platform), you will likely need a developer to connect that banner to our SDK.

1