It's time to talk about one of the most impactful tasks, both for the company and for the visitors of your websites: tag categorization. But why is it so impactful? What is the relevance of this configuration and how can it affect us? It is precisely because of these common questions we receive from our clients that we have written this article on best practices in tag categorization.

To start off on the right foot, let's clarify some basic concepts that will help situate each one of you at AdOpt and in the market as a whole.

In a straightforward manner: 1 Tag = Trigger for 1 or more Cookies.

What does that mean?

Basically, most Tags or pixels – as they are also known – when installed in the HTML of a website, are responsible for triggering cookies for each visitor on that specific page. A Tag can perform various functions such as tracking button clicks, page scrolling, collecting text fields, always associating these behaviors with that specific visiting browser.

Once this is possible, the way the Tag stores the data generated by the visitor is:

• Sending it to their server (the service provider's server that created the Tag) and; -It can also record all the information in cookies that it generates and stores on your machine.

For example, when we visit an e-commerce website and it recognizes that we are returning after a previous visit, showing products that are of interest to us, it happens thanks to cookies and tags doing their job. In summary, 1 Tag can trigger N cookies and perform N functions.

Ultimately, the Tag itself is not inherently good or bad; it all depends on its application.

Categorization involves the work of the Data Protection Officer (DPO) in organizing all the tags installed on the website(s) under their responsibility into specific categories that represent their purpose and reason for being there.

Since GDPR, which was the pioneer in this regard, the market has created "standard categories." These categories are:

• Essential / Necessary: Without them, your business model or website does not function, or you are required to use them by law or regulations.

• Marketing / Advertising: With them, you can trigger re-marketing, populate ad pixels, automate email sequences, etc.

• Statistics / Analytics: With them, you have an analysis of what visitors do, where they come from, and how they behave on your website.

• Performance: Tags that maintain website functionality, ensuring its operation and response speed. For example, they can prevent DDoS attacks.

• Functional: Tags that handle functional aspects, such as remembering preferences or recognizing that you are already logged into the system, chatbots.

In other words, each company may have a group of tags installed on its website, with their purpose described and detailed in the Privacy Policy (or cookie policy). This purpose should be replicated in communication with visitors - the cookie banners - as well as in all processes that use this data.

Many companies use cookie banners that do not organize tags or cookies into specific categories, forcing visitors to accept all tags without distinction.

This poses a significant risk of fines for your operation since various regulations require that consent be specific and detailed for a particular purpose. In the LGPD, for example, Article 5, Item XII is clear:

Info

XII - consent: the free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose.

This is one of the reasons why AdOpt has always worked with a design that prioritizes freedom for all visitors to navigate through categories and their respective tags.

Certainly, the market already anticipates some purposes and their respective categories. However, it is worth noting that this step often involves areas of the company that go beyond those apparent on the website. A collection made through cookies can be the operational basis for an entire department and all processes within a company.

This means that, although the market already provides a standard for the category of each tag, especially the most popular ones, data controllers must adjust this difference within the company's operation, ensuring the reality of the situation and primarily supporting such choices with the chosen legal bases.

Therefore, even though there is a standard, companies are free to adjust the facts and must be prepared to respond to them with complete clarity to individuals.

That's why at AdOpt, when tags are scanned, some of them already come with a pre-classification. However, this does not prevent the data controller of a specific company from adjusting this categorization according to their Cookie and Privacy Policy.

As a platform, AdOpt cannot enforce a specific configuration or principle. However, it values freedom within its environments so that the responsibilities of the data controller are respected at all times.

Privacy regulations do not delve into this "micro" analysis of tag categories. It would be impractical for national authorities to issue a classification opinion for every new tag that emerges in the market.

Thus, it is up to companies to ensure that communication is clear, objective, and respects the aspects of freedom and purpose already mentioned. Naturally, the market adjusts and creates standards and even specific terms for each of them.

For example, the terms "Essential" or "Necessary" are not determined by law. However, these terms help in quickly understanding their purpose, which is why the market has adopted them. The less confusion in this regard, the better. After all, subjectivity exists in all places and contexts. If we can avoid these points with a certain "standard," we minimize these variables.

As mentioned earlier, the categorization of tags is an organization that should reflect the operational purpose of using that data. Therefore, before a conceptual application, it should have a practical use that mirrors this classification.

However, it is worth noting that this classification is often explained or expanded upon in official company documents such as the Privacy Policy and Cookie Policy.

In addition, a crucial aspect directly related to tag categorization is the configuration of blocking third-party tags according to the visitor's choice. In other words, the cookie banner only allows a certain tag to be executed after the visitor's consent.

What does that mean?

Each visitor is free to choose whether or not to consent to that group of tags declared by the company. Therefore, their will is respected when cookies are only stored upon "free, informed, and unambiguous" consent (without ambiguity, clear, without equivocation).

That's why AdOpt advises all users of the tool, without exception, to configure the blocking of third-party tags. Only with this configuration in place will the banner be complete and properly installed.

Here's a tutorial for configuring the blocking of third-party tags on your website.

It is not up to AdOpt to judge why a particular site, and even its clients, have chosen not to implement this configuration, even though it is constantly reinforced in our communication and classified as "essential."

Certainly, such a decision harms the image of both the company and even AdOpt. However, it is important to remember that prior to this setup, each tag has a unique function within each company, in its unique environment and context. Imposing a technological mechanism by AdOpt would go against the freedom of choice for its clients in the interpretation and application of the law that applies to everyone.

Keeping in mind the necessary proportions and equivalences, let's consider an example. It would be like holding vehicle manufacturers responsible for cars that have the capability to exceed the speed limit. The automaker can install alerts, reinforce communication in various ways. But they can never impose that a citizen does not drive according to their freedom of choice.

Always align the Actual Use of data with Processes, Documentation, and Communication.

**Process: **The data collection declared for a specific purpose should indeed have the same destination and use of data within your company.

Documentation: Official documents should always be up to date and truly reflect the practices within the company.

Communication: The tag classified as Necessary or other classifications should indeed be necessary. The tag should not be classified as "essential" just because visitors cannot block it. This would be an attempt to bypass the freedom of individuals accessing your website.

The same market that creates classification standards for certain tags is also capable of judging the truthfulness of intentions and facts declared by your cookie banner on your website.

Always remember that people come before companies. The LGPD (General Data Protection Law) was created precisely to better balance the relationship between companies and citizens. After all, privacy is a universal right and should not only have value when it is lost.

Did you feel that something was missing or need further explanation? Let us know at hey@goadopt.io, and we'll be happy to discuss the topic further with you!