Microsoft UET Consent Mode

Microsoft is making updates to the Microsoft Advertising Platform (MAP), to bring it into line with data protection laws. In particular, websites using MAP will need to obtain consent from their users about using both first and third-party cookies. This means that personal data will only be collected for advertising and tracking purposes through MAP if the website user has agreed to it.

If you are using MAP for your website, these updates are important for you.

This article will discuss what Microsoft UET Consent Mode is, how it works, and how you can set it up. Then, we'll look at who should use this mode, why consent is necessary, and how to obtain effective consent through a banner or pop-up notice.

How to Comply with the New Microsoft Advertising Platform Requirements

To comply with these new requirements, you'll need to set up Microsoft UET Consent Mode for MAP.

UET stands for Universal Event Tracking, and is a tool for monitoring user behavior on websites.

Another important part of this process is that you will need to set up a Consent Management Platform if you don't already have one. This is a type of software that creates a banner or pop-up on your website to ask users for consent.

Here's an email that Microsoft sends out that notes the requirements:

What is Microsoft UET Consent Mode?

UET is how advertisers track user behavior on a website. This information is used for advertising, targeting, and remarketing. UET is set up through a mechanism called a tag, which is applied site-wide. The tag is what monitors user activity, and then submits it to Microsoft Advertising. This user activity is tracked using first- and third-party cookies.

First-party cookies keep track of login details or language settings. First-party cookies are also created by Google Analytics. Third-party cookies are those which come from other websites, but are active on your website. This mostly relates to advertisers and remarketing cookies, i.e. cookies created by advertisers who track user behavior across multiple websites, to personalize ads.

Microsoft UET Consent Mode is the way that Microsoft's tracking and cookie capabilities check the consent status of end users, before tracking or cookies are set or stored for that user.

Consent Mode is essentially a privacy setting for UET. It compares what customers have consented to or not (e.g. first-party or third-party cookies), and then grants or denies permission for those cookies for that user, respectively. Microsoft UET Consent Mode is similar to Google's Consent Mode.

How Does Microsoft UET Consent Mode Work?

Microsoft UET Consent Mode works by applying different values to a particular property in UET called ad_storage. Depending on whether ad_storage is set to granted or denied, cookie consent access is altered.

Here's what the two different settings for ad_storage mean, according to Microsoft:

When you are setting up Microsoft UET Consent Mode, you need to first create a default setting for ad_storage. This setting should be done for every page on your website where you load the Microsoft / Bing code.

Microsoft recommends using the following code, which sets the ad_storage default as "denied":

Once you have your default setting, you need to include code on each page that updates the consent setting, depending on what the user has selected via a cookie consent notice banner. So, if the user has granted access to third-party cookies for advertising purposes, this would need to be updated.

Microsoft recommends the following code for updating the ad_storage property:

These scripts should be inserted into the <head> tags on your website pages.

It's important to note that in many countries, UET consent mode is set to "granted" by default. But, if you have customers in particular countries such as those in the EU, if your UET is set to "granted" by default, MAP will disable certain functionality so that tracking and advertising conversion can't occur.

Who Should Use Microsoft UET Consent Mode?

Anyone who has customers in the European Economic Area (EEA) should be using Microsoft UET Consent Mode, and setting the ad_storage property to "denied" by default. This means customers in the EU and Switzerland, and also includes customers in the United Kingdom, which this change will also soon be rolled out to.

Customers in these countries can still choose to grant consent for cookies, in which case the ad_storage property should then be changed to "granted" in UET Consent Mode.

Is Microsoft UET Consent Mode Compliant With Privacy Laws?

Microsoft UET Consent Mode helps websites to comply with privacy laws such as the General Data Protection Regulation (GDPR). The GDPR has strict rules about using personal data from EU residents, even if the company or website is not based in the EU.

The GDPR and other privacy laws define personal data as any information which is related to an identified or identifiable natural person and can be used to identify them. In many cases, cookies use and contain the personal data of individuals.

Personal data includes information such as:

• Name
• Address
• Email address
• IP address
• ID numbers
• Location data

It also includes information that can be combined to identify a person. We'll go into this below in the section on why you need consent to use cookies. Cookie IDs themselves are considered by the European Commission to be "personal data."

The GDPR includes consent as one of its legal bases for processing personal data. It expands on the definition of consent in Recital 32, giving some specifics about the qualities of the consent, and some examples of what you can do to get consent in an effective way:

You can see that the consent must be:

• A clear affirmative act
• Freely given, specific, informed, and unambiguous

It can be obtained through ticking a box, choosing technical settings, or other things that clearly indicate acceptance.

In addition, the ePrivacy Directive also has rules on using cookies. This is also known as the EU Cookie Law. Here's what the EU Cookie Law has to say about cookies:

In short, the EU Cookie Law means that you must:

• Provide users with clear and precise information about the purpose of cookies
• Give users an opportunity to refuse cookies
• Give this information in a user-friendly way

Microsoft UET Consent Mode helps websites to comply with both the GDPR and the EU Cookie Law, by ensuring that you have obtained consent to use cookies, i.e. personal data. Using UET Consent Mode also ensures that you are complying with the MAP requirements from Microsoft to continue to use their advertising platform.

Other laws such as the California Consumer Privacy Act (CCPA/CPRA) are slightly different.

Cookies are considered to be "unique identifiers" under the CCPA, but it doesn't require consent in the same way as the GDPR and the EU Cookie Law. It only requires consent for the sale of cookies to third-parties, and to inform users that cookies are being used on the website.

Microsoft UET Consent Mode can still help your website to comply with the CCPA in relation to third-party cookies.

Why is Consent Necessary for Tracking and Cookies?

To comply with privacy laws such as the GDPR and EU Cookie Law, you must obtain consent under certain circumstances when your website is using personal data.

Some cookies are required for the website to work. These are known as essential cookies.

Other cookies are non-essential, and are used for advertising. These tracking and advertising cookies need user information about habits, preferences, age, sex, location, language, and web-browsing data. This information is either "personal data" on its own, or it can be combined (in the form of the cookie ID) to identify a person, and is also therefore personal data.

Because non-essential cookies use personal data and are not required for website functionality, you have to ask your users first before you use them. Essential cookies do not require consent.

Regardless, all details of the information that you use should be outlined in your Privacy Policy or Cookie Policy.

As the EU Cookie Law explains, this information needs to be "clear and precise." The GDPR also requires that information provided in your Privacy Policy or Cookie Policy must be "concise, transparent, intelligible and easily accessible". It should also be written in "clear and plain language."

Here's one example from Apple's Privacy Policy that explains how Apple uses cookies:

You can see that the company uses bold text, as well as bullet points, to make it clear and easy to read. This is one example of how you can make your Privacy Policy explanations of cookies effective from a legal perspective.

In addition, Apple explains what cookies do, and breaks it down into categories. There is no rule on which cookie categories should be outlined in a disclosure, but many tools and products use the following in their policies:

• Necessary cookies (also called "Functional" or "Essential" cookies): These are cookies which do things like keep users logged in, maintain interface settings, and remember what's in your shopping basket on an ecommerce website. These are the ones that do not require consent.
• Analytics cookies: These are cookies which track how users move through the website, and their engagement with content or offers. They do require consent.
• Advertising cookies: These are cookies which track user preferences and behavior to deliver personalized ads. They may be used only on your website, or may track a user across multiple websites. Like analytics cookies, these require consent.

Your Privacy Policy or Cookie Policy should explain all cookies that your website uses, so that users have "clear and precise" information written in "clear and plain" language, as the EU Cookie Law and GDPR require.

You must also make sure that your users have consented effectively to your Privacy Policy or Cookie Policy, and the use of cookies that you describe there. This "granting" of consent (or the denial of it) will then be transmitted to Microsoft UET Consent Mode, which will update MAP.

Now let's take a look at how to obtain consent directly from users on your website.

How to Obtain Consent For Cookies on Your Website

To get consent for using tracking or advertising cookies on your website, you need to set up some way of asking your users. As noted above, this must be free, unambiguous, informed, and specific consent.

Most websites use a banner that asks customers to accept or decline cookie functionality. This can be done with a Consent Management Platform.

Consent Management Platforms use what is called a Transparency and Consent Framework (TCF) string. This string looks at what consent users selected (i.e. accept or deny), and then transmits this to MAP. The UET tags then change what they track (or not), depending on user consent or the lack of it.

Whatever tool you use to set it up, the banner should be obvious and easy to read, and users should be able to select or decline cookies before they begin using the website.

Here's one example of a cookie consent banner from Penguin Random House:

You can see that the company explains that cookies are used, and what those cookies are for.

There is also a clear button to decline all cookies, and a link to learn more is provided.

Here's another example from Simon & Schuster:

Here you can see they have a clear link to their Privacy Policy, as well as a link to their Cookie Settings that can be adjusted individually. They also provide a button to reject only non-essential cookies, so that users can continue to use all website functionality, but without advertising or remarketing cookies being applied.

Other websites use a pop-up that obscures the website until the user has either accepted or declined the use of cookies. This stops the user from continuing until the website has received notification of the user's preference.

Here's an example from Harrods, the British department store:

This notification pops up in the middle of the Harrods screen, preventing the user from continuing without selecting an option.

You can see that the company provides information about what technologies are used (including cookies), what the cookies are used for, as well as a link to see which third parties will also use this technology. It provides an "Agree" button, a "Disagree" button, and a link to learn more about cookies and privacy through the Privacy Policy.

This is a good example of a clear, concise, and plain language pop-up, that gains clear and active consent from a website user.

Combining approaches like this with UET Consent Mode will make sure that your website is compliant.

Summary

Microsoft UET Consent Mode is a setting that can be used with MAP to allow you to change cookie settings depending on whether or not a user has given consent. It needs to be set up on all of your website pages if you have customers in the EU, Switzerland, or the United Kingdom.

You can set up Microsoft UET Consent Mode by adding code to the header of each of your website pages, to switch first- and third-party cookies on or off. Add a banner on your website with a Consent Management Platform to ask users if they consent to the use of cookies. This is necessary to know what your users have selected, and for the consent to be valid.

By taking steps such as setting up a clear, obvious, and active consent button on a banner, and linking this to the Microsoft UET Consent Mode for MAP, you'll be compliant with MAP requirements, as well as privacy laws such as the GDPR and CCPA.