To ensure Society websites that CFA Institute hosts are compliant with the privacy laws of the EU - the General Data Protection Regulation (GDPR) - we are implementing a pop-up that will allow users to either opt in to or opt out of tracking.
Background on GDPR:
GDPR is the EU’s new framework for data protection laws, which came into effect in May 2018. The goal is to give greater protection and rights to individuals, specifically over the personally identifiable information (PII) companies hold about them. This means that any website that an EU citizen visits must have clear indications that the website uses cookies or tracking, and the users must have a way to opt out of that tracking. Other countries and states have similar regulations, such as the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), Japan's Act on Protection of Personal Information, and South Korea's Personal Information Protection Act.
Current State:
The majority of society websites currently have Google Analytics web tracking added to their sites. Depending on how the Google Analytics account is set up, it could be tracking personally identifiable information (PII) and therefore be non-compliant with GDPR and similar regulations. Some society websites also use other cookies such as Facebook Ads or Google AdWords, which also track PII.
The Plan:
Normally, you add a cookie to your website such as Google Analytics or Facebook Ads by manually adding the code for the cookie to the code of your website. This “fires” the cookie whenever someone loads your website. Google Tag Manager is a tool that allows you to add logic to the code of the cookie. Rather than the Facebook Ad cookie firing when your website is loaded, you can set up logic so that the cookie only fires once someone has consented to tracking and cookies.
On cfainstitute.org, we have implemented a pop-up that asks for user consent to tracking and cookies. Our plan is to transition all society websites to Google Tag Manager and add a pop-up asking for user consent to tracking. If a user uses the pop-up to consent to tracking, Google Tag Manager will fire all the cookies your society has set up, such as Google Analytics. If a user uses the pop-up to not allow tracking, Google Tag Manager will not fire any cookies that collect PII.
Next Steps:
Many society websites have already transitioned to Google Tag Manager. For those sites, we will begin to add the consent pop-up, prioritizing those societies in the EMEA region who are most vulnerable to GDPR. For societies who already use Google Tag Manager, you have the option to either move to the CFA Societies master Google Tag Manager account, or continue using your own account. If you decide on the latter, we will provide instructions for how to implement both the consent pop-up and the fire/don’t fire settings in Google Tag Manager.
For societies who are not currently using Google Tag Manager, we will be transitioning your site as a part of this process.
For societies whose websites CFA Institute does not host, we are happy to provide the code so you can also implement both the consent pop-up and Google Tag Manager on your site and mitigate the risk of GDPR non-compliance.
If you have any questions, please reach out to your society relations manager.
© 2019 CFA Institute. All rights reserved.