I started working on WP Full Picture over 6 years ago. In all this time I have seen a lot of misinformation and false beliefs circulating on the internet concerning privacy regulations and requirements. Some of them benefit CMPs (Consent Management Platforms).
Let’s find out what they are.
P.S. This is not legal advice.
1) When a “Google-certified CMP” matters (and when it doesn’t)

From time to time people tell me that they won’t use WP Full Picture in their stores because my plugin is not a Google-certified CMP (Consent Management Platform). My reply is always the same – it doesn’t have to be.
Let’s be clear – Google certification is about compatibility with Google’s ad network requirements, not a guarantee of overall legal compliance.
A Google-certified CMP is important if you show ads on your site (e.g. via Google AdSense) to users in the European Economic Area, UK and Switzerland.
If you don’t run ads (or you do, but to users from different countries), Google certification is not your concern.
WP Full Picture is mainly for online stores and business websites, which – by their nature – don’t display ads, and so, it is not certified by Google.
2) “Certified CMP” vs “the plan you bought” (a common trap)
Even when a CMP is “certified” (or listed) by Google, that does not automatically mean that the version you use (free or paid) meets the requirements of this certification.
In order for the CMP to get the “Google Certified” badge, it needs to use the TCF IAB framework (for managing consents for ad networks). However, usually only the most expensive plans of CMPs include it, and CMPs tend not to mention that.
Let me give you an example.
In the description of a free version of a popular WordPress plugin My Agile Privacy, we read this:

However, the TCF IAB certificate (required to get the “Certified” label) is only available in the highest PAID plan.

And here’s another example from CookieYes.
Their homepage says this…

And their pricing says this…

If you don’t look at this specific entry in their pricing, you may believe that all plans are certified to work with Google ad networks.
3) Yes – you should keep proof of consent (if you rely on consent)
If you rely on consent as your legal basis, GDPR expects you to be able to show that consent happened.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
GDPR Article 7.1
However, some CMPs seem to “forget” to mention it on their websites, do not share all the details, or plainly say the opposite.
Here’s another example from the My Agile Privacy plugin I mentioned earlier.

I followed their blog posts and found information that this claim is based on an FAQ on an (unspecified) Italian website. After a quick search I found one that is likely to be the one they talk about. In one of the points we read:

So, does this mean that a mere cookie on the visitor’s browser is enough?
It may seem so, but, in my view, this is just poor wording.
If interpreted as “a cookie alone is enough proof”, that would conflict with GDPR’s requirement to be able to demonstrate consent.
This means that you may use a technical cookie to store/remember the user’s banner preference (e.g., so you don’t show the banner again for a period). The legal duty is the ability to demonstrate consent, which you cannot do with just a cookie on the user’s device.
And since we are talking about proofs of consent…
4) What should “proof of consent” include (in practice)
The proof of consent is not just a record of a click + date. It’s an audit trail. This means it needs to show clear evidence to answer questions like:
- Did the user give consent?
- When?
- What did they agree to?
- What information did they see?
To answer them, a strong consent record should include:
- Time and date of the choice (plus timezone!)
- What choices were made (accept all, reject all, or per category)
- Consent categories/purposes (e.g., “stats”, “marketing”)
- Vendor set / vendor list identifier (important if you use TCF / many vendors)
- A copy of the texts from the consent banner and policy version (or a hash and ID of the text, if it is stored separately)
- Country where the choice was made (because privacy regulations differ by region)
- A consent ID you can look up later (usually also saved in a cookie – this is the ID that I talked about in the previous section)
- And, optionally, for added security, records of tracking configuration – to show that your tools respected consent preferences.
Is it a lot? Yes, it is. But only this information lets you reliably answer the questions above.
Sadly, many CMPs collect only minimal consent information and many don’t do it at all.
Please, have a look at an example of a proof of consent that is saved by WP Full Picture (saved in ConsentsDB.com).
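The record described in this section, as an added example (not WP Full Picture's or ConsentsDB's own code). The field names, the HMAC seal keyed with a server-side secret, and the sample values are assumptions made for illustration.

```python
import hashlib, hmac, json, uuid
from datetime import datetime, timedelta, timezone

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def seal(record, key):
    # HMAC over the canonical JSON of every field except the seal itself.
    body = {k: v for k, v in record.items() if k != "seal"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

def build_consent_record(key, choices, banner_text, policy_version, country,
                         vendor_list_id=None, tracking_config=None, when=None):
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    if not choices:
        raise ValueError("no consent categories recorded")
    granted = list(choices.values())
    action = "accept_all" if all(granted) else "custom" if any(granted) else "reject_all"
    record = {
        "consent_id": str(uuid.uuid4()),      # the only value also kept in the cookie
        "timestamp": when.isoformat(),        # ISO 8601 with UTC offset
        "action": action,
        "choices": choices,                   # per category/purpose
        "vendor_list_id": vendor_list_id,     # relevant with TCF / many vendors
        "banner_text_sha256": sha256_hex(banner_text),
        "policy_version": policy_version,
        "country": country,
        "tracking_config": tracking_config,   # optional: what the tools actually did
    }
    record["seal"] = seal(record, key)
    return record

def verify_consent_record(key, record, banner_text):
    """True only if the record is unaltered and matches the archived banner text."""
    return (hmac.compare_digest(record.get("seal", ""), seal(record, key))
            and record["banner_text_sha256"] == sha256_hex(banner_text))

# Constructed sample data
SAMPLE_KEY = b"constructed-demo-key"
BANNER_TEXT = "We use statistics and marketing tools. Choose what you allow."
SAMPLE = build_consent_record(
    SAMPLE_KEY, {"stats": True, "marketing": False}, BANNER_TEXT, "policy-v3", "DE",
    tracking_config={"stats_tool": "loaded", "marketing_tool": "blocked"},
    when=datetime(2024, 3, 5, 14, 30, tzinfo=timezone(timedelta(hours=1))))
```

The banner text itself has to be archived under its hash, otherwise the record cannot show what the visitor actually saw.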
5) No – you do not need cookie lists
Sometimes people ask me whether WP Full Picture can list cookies in the privacy policy.
The answer is simple – no, because it is not legally required, plus, it is technically almost impossible. However, this does not mean that you should not put any information about cookies in your privacy policy. Quite the contrary.
You are legally bound to inform your visitors what tools on your site use what types of cookies, for what purpose, what they do with the collected data, etc.
In fact, not that long ago I wrote a separate article with all the details on this topic. Just check what it says. It also sheds some light on why cookie lists even exist and why CMPs like them so much.
6) Cookie scanning is necessarily unreliable
CMPs scan websites of their clients for cookies, to learn what tracking tools they use and which ones they need to block.
But it doesn’t work that well. This is because:
- There are millions of individual cookies and only a small percentage of them are listed in the databases of cookie scanners
- Scanning for cookies can find only the ones that are set on website load. Others, which are set later or after user actions, are never found
- Some tools don’t use cookies for tracking (but they use different methods)
- Even tools that don’t track visitors at all… may require consents (more on that in the next section)
The result? Cookie scanners give many false alarms, miss many cookies and cannot block all that needs to be blocked. You can use them as a starting point, but take scan results with a pinch of salt.
7) Tools that don’t need consent… can still need consent
“No cookies” doesn’t mean “no personal data”.
Some analytics tools market themselves as “no cookies, no consent needed.” Sometimes that’s true, but often consent may still be required if you send them data that contains personal information of your users.
No CMP is going to detect it. None will tell you that this is something you shouldn’t be doing, and that you risk fines during audits.
Simple rule: it’s not only about cookies. It’s about unauthorized collection, processing, and sharing of personal data.
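One way to catch this yourself before an event leaves the site, as an added example (not part of WP Full Picture or of any analytics tool). The event shape (`url`, `referrer`, `props`), the list of suspect field names and the sample events are assumptions; the checks are heuristics, so an empty result does not prove the event is free of personal data.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed field names that usually carry personal data
SUSPECT_KEYS = {"email", "phone", "first_name", "last_name",
                "customer_name", "address", "user_id"}

def find_personal_data(event):
    """Return (where, key, reason) findings for one outgoing analytics event."""
    findings = []

    def check(where, key, value):
        if key.lower() in SUSPECT_KEYS and str(value).strip():
            findings.append((where, key, "suspect field name"))
        if EMAIL_RE.search(str(value)):
            findings.append((where, key, "email address in value"))

    # Page URL and referrer often leak data through query strings and paths.
    for field in ("url", "referrer"):
        parts = urlsplit(event.get(field) or "")
        if EMAIL_RE.search(unquote(parts.path)):
            findings.append((field, "path", "email address in value"))
        # parse_qsl decodes percent-encoding, so anna%40example.com is caught too
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            check(field, key, value)

    # Custom properties attached to the event
    for key, value in (event.get("props") or {}).items():
        check("props", key, value)
    return findings

# Constructed sample events
LEAKY_EVENT = {
    "name": "purchase",
    "url": "https://shop.example/thanks?order=1001&email=anna%40example.com",
    "referrer": "https://shop.example/cart",
    "props": {"total": 59.9, "customer_name": "Anna K."},
}
CLEAN_EVENT = {
    "name": "pageview",
    "url": "https://shop.example/products?page=2",
    "referrer": "",
    "props": {"category": "shoes"},
}
```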
Did I get everything right?
While writing this article I did my best to give you correct and clear information. However, there may still be errors. Let me know in the comments.
