In this blog post, we'll cover:
Microsoft Consent Mode, also known as the UET Consent Mode (Universal Event Tracking Consent Mode), was introduced by Microsoft in July 2023. It allows businesses and advertisers to carry out privacy-compliant tracking and advertising measures without violating key data protection regulations. We’ve had a look at what this might mean for organisations like yours and here’s what we found.
What are the data privacy implications of Microsoft Consent Mode?
With the introduction of the Microsoft Consent Mode, you now have a new way to manage consent for data collection and processing in compliance with the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR).
The Consent Mode provides an option to request user consent to process tracking and analytics data generated by website use.
Microsoft also offers the ability to configure the consent solution so that, when consent is not granted, data is processed in a pseudonymised form. Pseudonymisation replaces personal identifiers (like names and email addresses) with codes or numbers. However, pseudonymised data is still considered personal data under GDPR, meaning it should only be processed with explicit consent to avoid non-compliance.
Microsoft Consent Mode and the Digital Markets Act
The European Union’s Digital Markets Act (DMA) aims to create a fairer digital market and regulate large tech companies. A key requirement of the DMA is to protect user data and ensure that its collection and processing meet legal standards. The Microsoft Consent Mode was developed to help companies comply with these requirements while still leveraging valuable data.
Secure your success.
Subscribe for actionable expert advice!
Join 3,000+ business leaders who stay ahead of the curve with our monthly information security newsletter.
What are the key features of Microsoft’s UET Consent Mode
Introduced as part of Universal Event Tracking (UET), Microsoft Consent Mode allows you to manage data collection on your website based on user consent. UET enables advertisers to track user behaviour on a website.
This information is used for advertising, targeting and remarketing purposes. UET is set up via a mechanism called a tag, which is applied across the entire website. This tag monitors user activity and sends the data to Microsoft Advertising. This activity is tracked using first-party and third-party cookies.
Related: Read the complete guide to Consent & Preference management for business leaders
What are the practical applications of Microsoft Consent Mode?
The Microsoft UET Consent Mode is aimed at companies looking for a simple and quick solution for complying with data protection regulations. It provides you with basic settings to enable the collection of user consent for data processing without requiring deep customisations.
The Microsoft Consent Mode is structured in a similar way to Google’s Consent Mode v2. If a visitor on your site doesn’t want cookies placed on their device, non-consent can prevent Microsoft from processing personal data.
For website engineers, it’s possible to configure the Consent Mode so that third-party cookie tracking continues even if users do not consent.
What are the Data Protection challenges with Microsoft Consent Mode?
Here are three data protection issues to consider with Microsoft Consent Mode.
“Shadow Tracking”: Even if users don't grant consent, UET Consent Mode may still place tracking tags on user devices. This can result in the processing of some data, such as pseudonymised information. Without careful oversight, this could potentially lead to privacy violations, as users might not be fully aware of what data you are collecting or how you are using it.
Transparency obligations: Website operators are required to transparently inform users about what data is collected by UET tags, the purpose of data usage, and how long it will be stored. However, one of the challenges is the lack of transparency from Microsoft about how exactly data is handled. This creates a grey area for businesses when informing users about what data is collected. For full compliance, ask yourself: ‘What data might still be collected, even when consent is withheld, and can I effectively mitigate this risk?’ You may need to conduct further assessments of how Microsoft’s tracking tools interact with your website’s infrastructure to ensure full transparency for users.
Increased requirements for consent management: As consent mode enables more detailed recording of consent, companies must ensure that they manage and document user consent correctly and comprehensively.
Related: Learn how this business achieved success with Consent & Preference Management
What should you consider when implementing Microsoft UET Consent Mode?
The implementation of Microsoft UET Consent Mode depends on your company’s specific needs and resources. The Consent Mode is designed to be simple to implement and contribute to basic data protection compliance. We are happy to assist you with the implementation of Microsoft UET Consent Mode.
To ensure compliance, you should consider reviewing your existing consent management strategies. Start by auditing your current use of cookies and tracking tools, and then map out a plan to configure Microsoft Consent Mode in alignment with GDPR. Ensure that your privacy policy clearly explains how Microsoft’s tags collect and process data. We recommend taking the following steps:
- Audit your current tracking setup to see how you are using third-party cookies Implement Consent Mode in a way that respects user preferences, local regulations and as required by Articles 13 & 14 of the GDPR
- Regularly review and update your privacy policies to reflect any changes in tracking behaviour
These steps will help you better manage compliance risks and keep your tracking processes transparent. Need help? Contact your DataGuard consultant or get in touch with our team to learn more.
We recommend configuring your website so that it doesn’t place tags without user consent. It’s unclear whether Microsoft offers website operators enough flexibility to make such configurations.
From a data protection perspective, users should always have the right to object to the processing of their data. As a website operator, you must ensure that users can disable tracking.
Conclusion: stay up to date and in the know about Microsoft Consent Mode
Microsoft says that UET Consent Mode is intended to ensure greater data protection compliance. But we want to point out when using UET Consent Mode, there’s a high probability that pseudonymised data can be processed even without consent.
According to the GDPR, pseudonymised data is considered personal data and may only be processed with an appropriate legal basis. In the case of using cookies, this means that either consent or legitimate interest must be present. Processing such data without consent constitutes unlawful processing and would result in a breach of the GDPR, which can be penalised with a fine of up to 4% of annual turnover.
In addition, there’s currently no transparency in the conversion and pseudonymisation process of user data on Microsoft's part.
To date, there are no specific court decisions or detailed statements from data protection supervisory authorities that explicitly deal with Microsoft Consent Mode. There’s also no deadline for a latest date when organisations must implement Microsoft Content Mode. Microsoft is expected to provide more information on this soon, and we’ll update you when we learn more.
Want to know more about Microsoft Consent Mode? We can help...
Navigating the complexities of Microsoft Consent Mode can be challenging. Our expert consultants can advise you on how to configure the tool to meet your specific needs and help you stay compliant with GDPR. From performing cookie audits to managing pseudonymised data, we’re here to help you avoid the compliance pitfalls that can result in heavy fines. Get in touch to talk discuss ways to keep your website secure, transparent, and compliant with the latest regulations.
