Consent Experiences
Transcend Consent Management includes the ability to define consent experiences. Consent experiences are a mapping of consent banners and consent purposes based on a site visitor's location. In this way, consent experiences let you select the consent banner and consent purposes for relevant privacy regimes, and map them to geographical regions. This allows for flexibility to decide which consent rights to give site visitors in different locations.
Consent experiences can be thought of as a way to group, define and configure a set of privacy rights a website user should have. Consent experiences are often synonymous with privacy regimes, like GDPR, CPRA, etc., where the experience groups display, banner and consent choices accordingly and can be mapped to desired geographical regions.
It's worth noting that while consent experiences commonly represent a legal privacy regime, that's not the only use case. For example, it's also possible to define the experience for users that don't fall under any legal privacy regime, or don't have any legal consent rights. Consent experiences are extensible and flexible to meet a variety of use cases.
Consent Regional Experiences include many configuration options. The table below explains each setting and how it contributes to the experience.
Experience Attribute | Description | Example Use Case |
---|---|---|
Name | The name of the Consent Experience. This is required. | A common use is to define consent experiences for each legal privacy regime that should be supported. Naming consent experiences GDPR and CPRA are common examples. |
In/Not In | The In/Not In setting applies for the regions, languages, and timezones settings. The setting is used to denote whether the defined region(s), language and timezone should be included or excluded for the consent experience. This is required. | As an example, this setting set to Not in with a region California would mean the consent experience would apply to website visitors that are not in California. |
Region | The geographical locations this experience applies to. A user's geographical location is inferred by their IP address. This is required. | As an example, let's take a Consent Experience called CPRA . The region could be set to include California, as well as any other regions where users should have a CPRA-experience. |
Languages | The browser languages this experience applies for. When left empty, the site visitor's browser language will not factor in when resolving which consent experience to show. This is optional. | This is a helpful setting for GDPR-like experiences where there may be an obligation to give EU residents the GDPR experience, even when they are not physically in Europe. In the case where an EU resident is traveling abroad, their timezone and IP address will not show them to be in the EU. Including the browser language can help to ensure EU residents are appropriately identified even when they are not in the EU. |
Timezones | The time zones this experience applies for. The timezone is retrieved from the browser. This is optional. | Use the Timezone setting to further identify which consent experience to show a user. |
UI View State | The UI View State is the consent banner that will display to users for this experience. Select one of the out of the box banners according to the regime and desired experience. Use the Hidden option when no consent banner should be displayed automatically to users. This is required. | Different view states are designed for compliance in different regimes and according to different levels of risk tolerance. As an example, the Notice and Do Not Sell banner is designed for CPRA compliance. |
Applicable Consent Purposes | The consent purposes that are included for this experience. A site user will be given the option to opt-in or opt-out of the consent purposes listed here. Users will not be able to make a consent choice for purposes not included here. | As an example, if the only purpose listed is SaleOfInfo , users will only be able to opt-out or in to Sale of Info. This is an example use case for CCPA-like experiences. |
Default Disallowed Consent Purposes | This setting defines which consent purposes a user will be opted-out of by default. Consent purposes set in the Applicable consent purposes setting that are not included here will be treated as opt-in by default. | Some legal privacy regimes require that a user give consent (opt-in) to applicable consent purposes before associated data flows and trackers are allowed to run on the site. This most notably applies for GDPR-like experiences. |
Display Priority | This setting allows to define the priority of how similar experiences will display to users. If the user matches multiple experiences, the experience with the lower number will take precedence. This is required. | A consent experience with a display priority of 1 will display over one with 2 , given that both experiences apply for the user. |
Consent Expiry | The time in months after which a user's opt-in consent should be considered expired. Set to 0 to disable consent expiration. | A consent experience with a consent expiry of 1 will consider collected consent expired after 1 month, at which point we will apply the configured Consent Expiry Behaviour (see below). |
Consent Expiry Behavior | What happens when the user's consent expires. | Prompt will only trigger existing auto-prompt banners to show again, but will not change any consent preferences. Reset Opt-Ins only resets the consent preferences for aplicable purposes that were opted in. |
A website user's location is inferred from their IP address, and optionally their browser language and browser timezone. The IP address is used to identify if the user falls in one of the regions mapped to a consent experience. Browser language and timezone settings are optional, but can be used to further identify when to show someone a consent experience. Transcend supports these additional options beyond IP address to locate someone for compliance with privacy laws that give consent rights to users beyond their current physical location. For example, under GDPR law, you may be required to provide the same consent experience to EU users even when they are not physically in the EU. Relying only on IP address to identify the user's location could leave compliance gaps in this example, but incorporating the user's browser language can help identify when EU users are not in the EU.
The Region setting defined for a consent experience uses the website visitor's IP address to determine a match. If the consent experience includes settings for browser language and Timezone, only one of three has to be matched for a user to be shown the consent experience. For example, if a consent experience has these settings and the user is identified as:
Region (Based on IP) | Browser Language | Timezone | |
---|---|---|---|
Consent Experience | EU | French, German, etc. | N/A |
User | US:California | French | Pacific Standard Time (Los Angeles) |
Then the user will be shown this consent experience, as they match at least one of the region/language/timezone settings.
Transcend Consent’s default UI includes ready to use, compliant regional experiences. The table below shows the default experiences.
Experience | Region | Browser Language | Timezones | View State (Consent Banner) | Applicable Consent Purposes | Default Disallowed Consent Purposes |
---|---|---|---|---|---|---|
Unknown | none | none | none | Hidden | none | none |
CPRA | United States: California | none | none | Hidden | Sale/Sharing of Personal Information | none |
GDPR | European Union, United Kingdom, Norway, Iceland, Liechtenstein | Bulgarian (Bulgaria), Croatian (Croatia), Czech (Czech Republic), Danish (Denmark), Dutch (Belgium), Dutch (Netherlands), English (Ireland), Estonian (Estonia), Finnish (Finland), French (Belgium), French (France), French (Luxembourg), German (Austria), German (Germany), German (Liechtenstein), German (Luxembourg), Greek (Greece), Hungarian (Hungary), Icelandic (Iceland), Irish (Ireland), Italian (Italy), Latvian (Latvia), Lithuanian (Lithuania), Maltese (Malta), Norwegian (Norway), Norwegian Bokmål (Norway), Norwegian Nynorsk (Norway), Polish (Poland), Portuguese (Portugal), Romanian (Romania), Slovak (Slovakia), Slovenian (Slovenia), Spanish (España), Swedish (Finland), Swedish (Finland), Swedish (Sweden) | none | Quick Options | Advertising, Analytics, Functional | Advertising, Analytics, Functional |
LGPD | Brazil | Portuguese (Brazil) | none | Quick Options | Advertising, Analytics, Functional | Advertising, Analytics, Functional |
CDPA | United States: Virginia | none | none | Hidden | Sale/Sharing of Personal Information | none |
CPA | United States: Colorado | none | none | Hidden | Sale/Sharing of Personal Information | none |
NEVADA_SB220 | United States: Nevada | none | none | Hidden | Sale/Sharing of Personal Information | none |
nFADP | Switzerland | German (Switzerland), French (Switzerland), Italian (Switzerland), English (Switzerland), Portuguese (Switzerland), Swiss German (Switzerland) | none | Quick Options | Advertising, Analytics, Functional | Advertising, Analytics, Functional |
US_DNSS | United States: California, United States: Virginia, United States: Colorado, United States: Nevada, United States: Texas, United States: Connecticut, United States: Oregon, United States: Montana, United States: Utah, United States: Iowa, United States: Delaware, United States: New Hampshire, United States: Nebraska, United States: New Jersey | none | none | Hidden | Sale/Sharing of Personal Information | none |
The following default experiences are available out of the box: GDPR
, LGPD
, nFADP
, US_DNSS
and Unknown
. The U.S. state specific experiences, CPRA
, CDPA
, CPA
and NEVADA_SB220
are also available, but are not automatically enabled given their overlap with U.S. Do Not Sell/Share (US_DNSS
). These experiences can be enabled in the Transcend Dashboard Consent Management > Regional Experiences > Add Experience Form via Experience Presets.
The default consent experience represents refers to the case when no defined consent experience applies for a user. This typically applies where no applicable privacy legal regime is detected for a user. This is also referred to as the "Unknown" consent experience. It's worth noting that unknown doesn't mean that the user's location is unknown. In this case no Consent UI is shown by default. This is reflected in the table above for the “Unknown” experience.
The default experiences can be customized and further configured from the out of the box settings. The consent experience attributes for default experiences can be adjusted directly in the Transcend Dashboard. The available view state options (consent banners) are available for preview here. New consent experiences can also be created to fit additional use cases in the Dashboard.
To create a new regional consent experience, navigate to the Regional Consent Experiences page in the Transcend Dashboard and select + Add Experience and configure the experience attributes as desired.
Consent experiences can be edited in-line from the dashboard.