The information below is not intended to be legal advice. The document gives an overview of what various organisations have chosen to do and how it can be implemented on Impact Stack - decisions about how to manage tracking and consent are for individual organisations to make. Our relationship to you, our clients, is the relationship of “data processors”. You are the “data controller”. That means it is your duty to ensure legal compliance with regulation. Our role is to follow your decisions and implement what you have decided to be your interpretation of legislation.
Consent to store personal data
When collecting personally identified data (such as IP address, email address, tracking IDs, etc.) you need the consent of the user. For more information please read the EC guidance or the ICO guidance.
If you're building an Impact Stack form, this could be relevant:
- when asking supporters or donors to provide personal information via a web form,
- when using tracking where the tracking information is linked to a specific person (source tracking, webform tracking).
Different interpretations of how this consent can be given are:
- active consent, for example by asking users to tick a box accepting the privacy policy,
- implicit active consent, for example by adding a legal disclaimer that your forms can only be submitted after reading and accepting the privacy policy.
Is this really personal data?
Sometimes data, such as tracking information, is not linked to a person (anonymous). However, at the point where this data is linked to personal information (for an example, when submitting the tracking information along with form submission) it becomes personal data. Therefore it requires consent.
There are different interpretations on when exactly this data becomes personal data that requires consent. Some interpretations suggest that even the possibility of linking the (at the time anonymous) data to personal data means that consent is required.
Cookies and tracking
Cookies (and other technology such as session storage) are ways to temporarily save data in a users’ web browser.
This technology is used for essential things, such as the ability to log in on a social media platform. It is also used for things that are not absolutely essential for the delivery of the service, such as pre-filling of forms, tracking and analytics.
That’s why there are two categories of cookies:
- Essential cookies
- Non-essential cookies
For more information please read the ICO guidance on cookies or the EC guidance.
It’s up to you to decide what you would (based on legal analysis) interpret as essential or non-essential cookies and which category each cookie of services you use belongs to.
For non-essential cookies the most widely accepted interpretation is that you do need active consent before allowing these cookies to be set.
How does this work?
- A cookie bar that blocks all non-essential cookies and external services until the user gives active permission to set non-essential cookies by pressing “OK”.
- A combination of a cookie bar and a reference to the privacy policy (see “consent” above) that outlines how various cookies are used
You can reference the Impact Stack privacy policy that lists all cookies that are set by Impact Stack in your own privacy policy.
Impact Stack's cookie bar can be set up in one of two ways. You can have it:
- just show a cookie disclaimer text and close button, or
- you can show the text and two buttons: one with option for the user to block non essential cookies and other one to agree to the cookies.
If you choose option 2, external tracking that integrates with the cookie bar would be blocked. That could for example be Google Analytics or Facebook Pixel tracking.
Unless the user has Do-Not-Track enabled in their browser, parameter tracking (utm_source, utm_medium etc.) as well as referrer urls (internal, external, entry page) etc. would still be tracked in Impact Stack and available in your data exports (but not sent to Google).
With both options, if you add tracking scripts via Google Tag Manager they would not be blocked, unless we change a setting for you to block GTM entirely, when someone clicks "Block".
In both cases, if the use ignores the bar, cookies will not be set. Someone ignoring the cookie bar has the same effect as someone clicking "Block". The only difference is that they will be presented the cookie bar every time they visit the page, while once they've made the decision that decision will be stored and they won't be shown the cookie bar again.
How you can ensure compliance with Impact Stack
Data protection
You will need a privacy policy for your organisation that covers all scenarios of how you’re collecting personal data using Impact Stack. This privacy policy will have to cover all the outlined sections described in the EC / ICO guidance.
Based on your legal interpretation of the consent you will have two options:
- Provide a checkbox or similar on the form asking for active consent to the privacy policy,
- Provide a link to your privacy policy and a statement explaining, that the submission of the form means agreeing to the privacy policy.
Cookie compliance
You will have to make a decision on how you manage cookie compliance for your website and your Impact Stack pages.
You can think of cookie compliance as having three layers:
- The service(s) you use that use cookies (such as Google Analytics)
- The way these services are loaded on your Impact Stack pages (via Google Tag Manager, directly on the page via Java Script)
- The cookie bar that is shown to the user (that will use a Java Script event to say “the user has agreed to the use of cookies”)
The cookie bar for Impact Stack “new standard themes”
Impact Stack offers a simple solution through a cookie bar that is provided with all new standard themes. This cookie bar blocks non-essential Impact Stack cookies from being saved until the user agrees. This can also include information held in 'session storage' if you wish - see below.
If you're using Google Tag Manager, the cookie bar can be set to block it until consent is given, preventing it from setting any cookies.
If you're using Google Analytics and/or Facebook Pixel without Google Tag Manager we can also set your cookie bar to block these cookies until consent is given: contact the support team.
If you wish to extend the functionality of the cookie bar to work with other analytics services or to block additional scripts without the use of Google Tag Manager, this may require custom integration work: please contact the support team.
For more granular control over cookies and consent and complete consent management we would recommend you use a specialised “consent management” service.
Complete control: use an external service
Services such as cookiebot or usercentrics can be used to manage cookies on your pages. You’ll need to set up a (paid for) subscription with the service, and we can enable it for you on your forms as a support task.
These tools also provide the user with more granular options which cookies are accepted and which ones are not. You can use this solution to manage consent across different platforms, such as your website and the Impact Stack landing pages. This way the user doesn’t have to provide consent multiple times.
However, these solutions also require some form of integration with the services you are using. Typically these solutions work best when using them in combination with Google Tag Manager or a similar tag manager solution.
Does Impact Stack use tracking cookies?
Impact Stack uses “session storage”, which is a similar technology to cookies, to temporarily save data that has been submitted to forms in the user’s browser. This method is also used for pre-filling of forms.
If you choose to classify this functionality as tracking you can allow the cookie bar to block it. Strictly speaking it is intended as a feature to improve usability rather than tracking. But the legal interpretation of this classification is, as explained above, the responsibility of the client.
Comments