We are occasionally asked by customers which consent tool we would recommend - especially when our GDPR scanner decareto has found a misconfigured consent tool on a website, which often happens.
So far, I've been reluctant to make recommendations because I can't answer the question. I know one tool well from my own projects (Usercentrics), but I draw a blank on the rest.
Therefore, in order to be better informed in the future (and also out of my own interest), I will be testing a number of consent tools over the next few weeks. The spectrum should range from enterprise-ready products like Usercentrics or OneTrust to open source tools, and I will not only present the final results, but also describe the process of implementation and configuration.
I created a mini website as a "test setup" for the tools so that all test candidates compete under comparable conditions:
- The website consists of a few pages
- Google Analytics should be installed on all pages as an example of a service that requires consent.
- Also included will be a rather unknown product that is probably not in the mainstream databases - I will be using the Squeaky heatmap service for that. Squeaky does not require consent and would be an example of an essential tool.
- An important use case is embedding content that requires consent on individual pages; on the test site this is YouTube and Google Maps.
The website in a non-GDPR-compliant version - i.e. completely without protection by a consent tool - can be accessed here, use at your own risk:
https://demos.decareto.com/noconsent/
If you open it, the Chrome Developer Tools show the calls to the domains of the integrated services very clearly...
... as well as the cookies that are set. The two framed cookies come from Google Analytics.
Test criteria
I have provided the following points as criteria for evaluating the consent tool:
- Can the above requirements be implemented?
- License price or price-performance ratio
- Ease of use and implementation
- Operation possible in the EU (cloud) or locally on the server?
- Is there a database for services so that information does not have to be entered completely by yourself? And is it even possible to display information about individual tools?
- Can services or cookies be managed in groups?
- Can consent for services be individually selected and deselected?
- Are visitor consents logged? (Personally, I also think this function is of little relevance - was there ever a case in which you had to prove that consent was really given and that this was done via such a function? I'm skeptical...)
- How customizable is the interface, also in terms of content?
- Is there a multilingual interface?
- Can consent be subsequently withdrawn?
But enough of the introductory words, let's start right away with the first consent tool, namely
Cookie Consent by Osano
This tool caught my eye because it is very often installed on the websites scanned by decareto. This is open source software: https://www.osano.com/cookieconsent
According to the producer Osano, it is the most widespread cookie banner in the world and has delivered over 100 billion cookie consents since 2016 (a bold claim, because delivered consents are not tracked in the cloud, so it is questionable how Osano knows that). It is not to be confused with the commercial variant Osano Consent Manager, which follows a completely different technical approach.
At first the software makes quite a convenient impression: on the website, a setup wizard helps to configure it. The result is an HTML snippet that can be integrated into your website and that displays the consent banner.
The code references two external files for CSS stylesheets and JavaScript, but these can be easily downloaded and copied to the server. After that, a consent banner is actually displayed:
Apart from an introductory text, a link to the data protection declaration and buttons for agreeing and rejecting, no user elements are provided, in particular there is no distinction between necessary and non-essential cookies. But OK.
Unfortunately, from here the initially good impression wears off. In the next step, the website would have to be configured in such a way that scripts are blocked if no consent has been given. The very superficial documentation refers to a JavaScript API, but does not provide a single example. After some web research and quite a bit of trial and error, I managed to assemble the necessary JavaScript code - unfortunately, you actually have to program central functions yourself that analyze Osano's own consent cookie and then block or release scripts. Maybe I was just too stupid and overlooked something relevant (please let me know if that's the case), but apparently many website operators feel the same as me: almost all websites that use this consent banner and are scanned by decareto simply let all cookies through, regardless of whether you agree or decline.
But at least the Google Analytics tag is now loaded depending on the consent, using Osano and additional JavaScript code. The result can be seen here: https://demos.decareto.com/osano_cookieconsent/
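The kind of gate described above, as an added example in JavaScript (not the code running on the demo site and not Osano's own): it reads the consent cookie and releases only the services the visitor has allowed. The cookie name "cookieconsent_status" and the values "allow", "deny" and "dismiss" are assumed to be the library's defaults; the service list, the script paths and the data-service marker are hypothetical.

```javascript
// Added example: consent gate for Osano Cookie Consent (not the demo site's code).
// Assumption: the library's default cookie name and status values are in use.
const COOKIE_NAME = 'cookieconsent_status';
const KNOWN_STATUSES = ['allow', 'deny', 'dismiss'];

// Return the stored status, or null if the cookie is absent or holds an unknown value.
function readConsentStatus(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== COOKIE_NAME) continue; // exact name match only
    try {
      const value = decodeURIComponent(part.slice(eq + 1).trim());
      return KNOWN_STATUSES.includes(value) ? value : null;
    } catch (e) {
      return null; // malformed percent-encoding counts as "no consent"
    }
  }
  return null;
}

// Opt-in rule: only an explicit "allow" releases services that need consent.
// "dismiss", "deny", a missing cookie and a tampered value all keep them blocked.
function servicesToLoad(status, services) {
  return services.filter((s) => !s.needsConsent || status === 'allow');
}

// Hypothetical service list for the test site described above.
const SERVICES = [
  { name: 'squeaky', needsConsent: false, src: '/js/squeaky-placeholder.js' },
  { name: 'google-analytics', needsConsent: true,
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
];

// Browser only: inject each released script once. Call it on page load and
// again whenever the banner reports a changed decision.
function applyConsent(doc) {
  const status = readConsentStatus(doc.cookie);
  for (const s of servicesToLoad(status, SERVICES)) {
    if (doc.querySelector(`script[data-service="${s.name}"]`)) continue;
    const el = doc.createElement('script');
    el.src = s.src;
    el.async = true;
    el.dataset.service = s.name;
    doc.head.appendChild(el);
  }
  return status;
}

if (typeof document !== 'undefined') applyConsent(document);
```

Scripts that have already run cannot be unloaded, so after consent is withdrawn the page has to be reloaded for the gate to take effect.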
Conclusion and evaluation
I didn't bother to block YouTube and Google Maps as intended, even if you could build the necessary functions yourself with a lot of effort. For me, Cookie Consent by Osano is not a serious solution anyway, because even with technical knowledge, the effort involved in installing it on a website is still too high - at least it doesn't seem sensible to me to have to reinvent the wheel yourself. I will also spare myself the detailed evaluation based on my test criteria.
Luckily, there are open source projects built on top of Osano that provide support for the shortcomings I've noticed, such as the following:
DP Cookie Consent
The developer Dirk Persky has expanded the Osano tool in such a way that it is much more convenient to use. It is available as a plugin for the popular content management system Typo3, but you can also integrate it directly into websites. You can download it here: https://github.com/DirkPersky/npm-dp_cookieconsent
Since the tool is aimed at developers who are willing to do some work in the code anyway, there is no website wizard. For the integration into a website, two libraries for stylesheets and JavaScript are downloaded and linked in the website. Afterwards the banner is configured by creating a JavaScript object with appropriate values (which are described in the documentation):
This makes the banner look acceptable right away, and as you can see, it even has several individually selectable categories:
By inserting three more script tags according to the documentation, the banner itself, the block with the categories, and the element to reopen the banner can be additionally styled and configured. I used this to translate the names of the categories:
Configuring scripts that should only be loaded after consent is also very easy to do with Dirk Persky's extensions. The screenshot shows the loading of Google's "Global Site Tags" with and without blocks by the Consent Tool:
The magic comes from the additional attribute data-cookieconsent, which contains the value of the consent category or the checkbox in the banner (required, statistics, marketing) for which the script is to be loaded.
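A check built on that attribute, as an added example in JavaScript (not part of DP Cookie Consent or of the decareto scanner): it lists third-party scripts and iframes in a page's markup that carry no data-cookieconsent attribute or an unknown category, which is the pattern behind banners that let everything through. It checks only the attribute named above, not any other markup the plugin's documentation requires; the regex scanner is a simplification and the sample HTML is constructed.

```javascript
// Added example: audit markup for embeds that bypass the consent banner.
// The attribute name and the three categories come from the text above.
const CATEGORIES = ['required', 'statistics', 'marketing'];

// Parse the attributes of one start tag into a lower-cased name -> value map.
function parseAttributes(tagSource) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tagSource.replace(/^<\w+/, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Report third-party <script>/<iframe> tags that have a src but no valid category.
function findUngatedEmbeds(html, siteHost) {
  const findings = [];
  for (const m of html.matchAll(/<(script|iframe)\b[^>]*>/gi)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[0]);
    if (!attrs.src) continue; // inline script or embed without a URL
    let host;
    try {
      host = new URL(attrs.src, `https://${siteHost}/`).host;
    } catch (e) {
      continue; // unparsable URL, nothing to attribute to a host
    }
    if (host === siteHost) continue; // first-party resource
    const category = attrs['data-cookieconsent'];
    if (category === undefined) {
      findings.push({ tag, host, problem: 'no data-cookieconsent attribute' });
    } else if (!CATEGORIES.includes(category)) {
      findings.push({ tag, host, problem: `unknown category "${category}"` });
    }
  }
  return findings;
}

// Constructed sample markup; the ids are placeholders.
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script data-cookieconsent="statistics" src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/js/site.js"></script>
<iframe data-cookieconsent="analytics" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
`;

console.log(findUngatedEmbeds(SAMPLE_HTML, 'demos.decareto.com'));
```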
It is also possible to block content such as YouTube or Maps. These are usually built into the website via an iFrame, and for this too only a few new attributes have to be added:
Without your consent, the YouTube video will then appear as follows:
Conclusion and evaluation
The table below shows my assessment of DP Cookie Consent.
Criteria | Comment |
---|---|
Coverage of requirements | Depending on the consent given, it is possible to load and block services of different types; in particular, it is also easy to obtain consent for content on individual pages. The services and cookies are then reliably blocked. The basic requirements are therefore met. |
Price, or value for money | The tool is distributed under a free open source license. The scope of performance seems to me to be good for an OS tool, but I still don't have a comparison with other tools at the moment, so I might adjust my rating again in the future. |
Simplicity in implementation | As far as the look and feel of the banner itself is concerned, the effort involved in setting it up is medium. Configuring a cloud product via an interface is certainly more convenient. If there are special requirements for the look, you would have to develop your own CSS, but this is no different with cloud products. The implementation of individual services or scripts happened quickly, and here the effort is comparable with other tools that I know, because even in the case of cloud tools, you have to intervene in the code of the website. Content on individual pages (such as YouTube or Maps) is often maintained via content management systems in production, so it is crucial here how DP Cookie Consent can be integrated into the CMS. A Typo3 integration already exists. If you were using a different CMS, you would probably use a different tool for which there is already an integration. |
Operation | Since it is not a cloud tool, it is operated in the same country as the website itself. |
Consent for Individual Services | No, services can be divided into exactly three groups (necessary, statistics, marketing). The user can then consent to these groups. |
Database for services | No, but there is no way to provide information about individual services anyway, except in the body text of the banner. |
Grouping for Services | Yes, but not self-selectable. There are three groups "necessary, statistics, marketing". |
Logging of consents | No, the consent is stored in a cookie on the user's computer. |
Customization of the interface | Yes, the interface can be largely customized through configuration and especially through style sheets - as long as you have the appropriate technical knowledge. |
Multilingualism | No, the banner can only manage texts in one language. |
Withdrawing Consent | Yes, there is an always-visible button (fingerprint) that reopens the consent banner. |
The plugin is well suited if website owners do not need to be able to easily make changes to the interface on the fly, or if they use Typo3 anyway. The configuration of the services used is easy to perform, and the reliable blocking of external content on individual pages struck me positively, because that is by no means a matter of course for consent tools. I myself would probably use it for individually developed websites, where a lot of code has to be programmed anyway.
I'm excited to see how DP Cookie Consent compares to other open source tools that will be tested in the coming weeks!
Author: Eckhard Schneider