15 September 2023

CFAA's Consent Management

For the current Friday series, I closed the previous post, Adsense and CFAA's CMP (September 2023; CMP = Google's Consent Management Platform), in a holding pattern:-

After adding the logo, my GDPR message was accepted. As I was preparing this post for publishing, the message still wasn't showing on my pages, so maybe I did something wrong. I'll come back to it for next Friday's post.

I had indeed done something wrong. I was watching the top-level page for my domain, which doesn't display an ad. The Adsense code to display an ad is the trigger for the consent message. When I accessed a page with an ad, I saw the following popup message.

The message is the tip of an iceberg. The text reads like this:-

mark-weeks.com asks for your consent to use your personal data to:

* Personalised ads and content, ad and content measurement, audience insights and product development devices [sic; the phrase needs verbs]
* Store and/or access information on a device

Learn more

Your personal data will be processed and information from your device (cookies, unique identifiers, and other device data) may be stored by, accessed by and shared with third party vendors, or used specifically by this site or app.

Some vendors may process your personal data on the basis of legitimate interest, which you can object to by managing your options below. Look for a link at the bottom of this page or in our privacy policy where you can withdraw consent.

[Do not consent] [Consent]

Manage options

I looked at all of the hidden text and discovered a few important points.

  • 'Learn more' expands to a series of four questions. The first question is 'How can I change my choice?'. The answer says, 'View our privacy policy to learn more' and points to my page World Chess Championship : Site map. The first section there is a 'Privacy Statement', but this is the first I learned that this page has to explain 'How can I change my choice?'. I need to address that.

The answers to two other questions discuss 'legitimate interest', which seems to be some sort of legal override of the whole consent process. Back to the popup message:-

  • The mention of 'third party vendors' expands to a single question: 'What third party vendors can access my data?'. The answer is a list of (currently) 203 vendors. By any reckoning, that's a lot of vendors.

The last line of the popup message is the most important.

  • 'Manage options' opens another section of the popup that starts, 'You can choose your data preferences. This site or app wants your permission to do the following: [...]'. The first 16 consents are for 'TCF vendors' (referring to 'the IAB Europe Transparency and Consent Framework') followed by a single consent for the 'Site or app' (that means my site). This is followed by 'Vendor preferences', where each of the 203 vendors presents a cookie policy, a link to its privacy policy, and perhaps a statement of 'legitimate interest'.

What happens if a visitor to my site doesn't grant consent? No ad is shown. Since I routinely use two different devices, I'll grant consent on one and withhold it on the other. That way I'll be able to monitor both sides of Google's consent management.

What's next? I need to improve my own privacy policy to answer the questions that Google says I'm answering. To do that, I'll summarize the current series and point to that summary.
