Setting up a cookie policy in Full Fabric

Learn how to set up a cookie policy in Full Fabric and the options that you have

Almost every website has cookies, but not all cookies have the same privacy implications. With recent regulations requiring affirmative consent, automated marketing solutions need to keep up. Discover how Full Fabric handles cookies and safeguards the privacy of your users! 🍪 🍪

Along with this article, you might want to have a look at our General Data Protection Regulation (GDPR) Glossary and our article on What is the General Data Protection Regulation (GDPR)?

What are cookies and why must cookie consent be obtained?

Cookies are small text files that are placed on a user's computer or mobile device through the user's web browser when the user lands on a website. These files contain data that allows the website to recognise and remember the user's actions or preferences over time. Cookies serve various purposes, such as enabling website functionality, improving the user experience, analysing website performance, and delivering targeted advertising. They can be either session-based (temporary and deleted when the user closes the browser) or persistent (remain on the device until manually deleted or expired). Cookies are specific to the browser and device combination used, meaning that if a user accesses the same website from different browsers or devices, separate cookies will be created and stored for each one.

While cookies play a critical role in enhancing website usability and personalisation, they also pose security threats. Cookies are stored in a designated folder for browser data on a computer's hard drive, and in the device's storage on mobile devices, so a compromised device could grant hackers access to them, potentially exposing sensitive information about the user's online presence.

In light of this, the GDPR made it a legal requirement in 2018 to solicit cookie consent. Quoting from GDPR's Recital 30: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

Put simply, whenever cookies can identify an individual, they're considered personal data, and most cookies do collect such personal data. It is thus indispensable to explain the purpose of the cookies employed in your application portal and provide users with the option to opt in or opt out.

In summary:

  • Users must have the choice to agree to all cookies.

  • User consent needs to be explicit and be a clear affirmative action.

  • Users should be able to easily revoke or change their consent.

⚠️ Important: Non-compliance with GDPR regulations can lead to heavy fines and other severe penalties.

When and how is the cookie policy displayed to users? Updated

Full Fabric acts as your Consent Management Platform (CMP), collecting and recording cookie consent directly within your portal in line with the IAB Europe Transparency & Consent Framework (TCF) v2.3. Consent is gathered through a two-layer experience.

First layer: the consent banner

When a user visits your portal for the first time, Full Fabric displays a consent banner. You can choose to show it as a footer bar or as a modal (pop-up). It will keep appearing until the user submits their preferences. The banner can appear on any portal page — an application form, offer form, form landing page, event landing page, or the user settings page.

To comply with TCF v2.3, the banner always includes:

  • A statement that information is stored or accessed on the user's device.

  • A description of personal data processing, with at least one concrete example (e.g. "unique identifiers, browsing data").

  • The number of third-party vendors configured on your portal, with a link to view the full list.

  • The Purposes and Special Features for which consent is being requested, using standard TCF names.

  • The scope of consent — whether it applies to your portal only or to a group of services.

  • Instructions on how to withdraw consent, with a link to reopen the consent UI at any time.

Second layer: granular controls

When users click through from the banner, they reach the detailed consent UI where they can make granular choices. Full Fabric surfaces all controls required by TCF v2.3:

  • Individual toggles per Purpose and per vendor for consent-based processing.

  • Separate opt-in controls for each Special Feature.

  • Clear disclosure of vendors that use legitimate interest as their legal basis, with the ability to object per Purpose and per vendor individually.

  • Full vendor details: privacy policy link, data retention period, data categories processed, and a legitimate interest explanation link where applicable.

  • Vendor counts per Purpose, for both consent and legitimate interest bases.

  • Any non-IAB-registered vendors shown in a clearly separate section from TCF-registered vendors.

ℹ️ Always accurate: All Purpose and vendor names in the consent UI are pulled live from the IAB Global Vendor List (GVL). Full Fabric automatically refreshes the GVL within the required 7-day window, so users always see up-to-date information.

Once a user submits their preferences, the banner will no longer appear. Even if they log out, their browser remembers their choices for future visits — unless they switch to a different browser, clear their cookies, or use private browsing.

We provide standard consent texts in English that are ready to use out of the box, but they are fully customisable to reflect your institution's own voice. 💬

Where do I configure the cookie policy?

Full Fabric gives you two complementary tools: the consent banner / pop-up that users see when they first arrive, and a cookie policy page with full details about the cookies in use, linked from the banner. Both must be published for consent to be sought.

To access cookie policy settings:

  1. Click the gear icon in the upper right-hand corner and choose General Settings.

  2. Go to the Policies tab.

  3. Select Cookie policy.

From here you can edit the consent banner text, choose between footer or modal display and configure the detailed cookie policy page.
Full Fabric automatically detects the vendors integrated and displays the relevant information.

How can users change their cookie preferences?

Users can update their preferences at any time by going to Settings → Manage my cookie preferences or by clicking the cookie icon displayed on the bottom left. When preferences change, Full Fabric generates a new TC string and updates the stored consent record. Processing stops immediately for any purpose the user withdraws consent from.

Strictly necessary cookies cannot be turned off, as their absence would cause sessions to fail. Functional cookies and Analytical cookies can be disabled (see cookie types below).

Staff cannot modify the cookie settings of applicants or students — and if they could, it would be futile, as the preferences stored in a user's browser automatically override any staff-inputted settings the moment they sign in.

Who is asked for consent?

Everyone except staff users and lecturers. Their professional link to the institution already implies an agreement to basic tracking and data processing needed to perform their work duties and use the portal. Even if staff reject functional and/or analytical cookies while signed out, the system will automatically override this when they log in.

Which types of cookies can be tracked in Full Fabric? Updated

Four types of cookies are available in Full Fabric:

Strictly necessary cookies

Strictly necessary cookies are essential for the portal to function. They support core features such as session management, user authentication, and language preferences — without collecting private information. They are exempt from the need for user consent under GDPR and cannot be opted out of.

Functional cookies

Functional cookies enhance the performance of specific features and enable a higher level of personalisation. Although not essential for general navigation, disabling them may restrict certain non-essential functionality. Currently none of Full Fabric's features rely on functional cookies, but proactive consent is still sought to accommodate future developments.

Analytical cookies

When a user accepts analytical cookies, Full Fabric fires your Google Tag Manager container and sets the analytics_storage consent type to granted.

Please read this article for more information on tracking through Google Tag Manager.

Advertising cookies

When a user accepts advertising cookies, Full Fabric fires your Google Tag Manager container and sets the ad_storage, ad_user_data, and ad_personalization consent types to granted.

ℹ️ TCF and vendor consent: For third-party vendors operating under the IAB TCF, consent for their specific Purposes is managed separately through the granular vendor controls in the second-layer consent UI — not through the cookie type toggles above. The cookie type toggles control Google Tag Manager consent mode signals only.
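The consent mode signals described under Analytical cookies and Advertising cookies can be checked against a captured dataLayer. The following is an added example, not Full Fabric code: the category names, function names and sample capture are assumptions constructed for illustration. It replays the consent commands in order and reports any signal whose final value does not match the categories the user accepted.

```javascript
// Added example, not Full Fabric code. Category and function names are
// assumptions; the signal names are the ones listed in this article.
const SIGNALS_BY_CATEGORY = {
  analytical: ["analytics_storage"],
  advertising: ["ad_storage", "ad_user_data", "ad_personalization"],
};
const ALL_SIGNALS = Object.values(SIGNALS_BY_CATEGORY).flat();

// State implied by the accepted categories: listed signals granted, rest denied.
function expectedSignals(accepted) {
  const state = Object.fromEntries(ALL_SIGNALS.map((s) => [s, "denied"]));
  for (const category of accepted) {
    for (const s of SIGNALS_BY_CATEGORY[category] || []) state[s] = "granted";
  }
  return state;
}

// Replay consent commands from a captured dataLayer in order; later commands
// override earlier ones. A signal never set is reported as "unset".
function replayConsent(dataLayer) {
  const state = Object.fromEntries(ALL_SIGNALS.map((s) => [s, "unset"]));
  for (const entry of dataLayer) {
    const [command, action, values] = Array.from(entry);
    if (command !== "consent" || !["default", "update"].includes(action)) continue;
    for (const s of ALL_SIGNALS) if (values && s in values) state[s] = values[s];
  }
  return state;
}

// Signals whose final value differs from what the user's choices imply.
function auditConsent(dataLayer, accepted) {
  const want = expectedSignals(accepted);
  const got = replayConsent(dataLayer);
  return ALL_SIGNALS.filter((s) => got[s] !== want[s])
    .map((s) => ({ signal: s, expected: want[s], actual: got[s] }));
}

// Constructed capture: defaults denied, the user accepts analytical cookies
// only, yet the update also grants ad_storage.
const sampleLayer = [];
function gtag() { sampleLayer.push(arguments); }
gtag("consent", "default", { analytics_storage: "denied", ad_storage: "denied",
  ad_user_data: "denied", ad_personalization: "denied" });
sampleLayer.push({ event: "gtm.js" });
gtag("consent", "update", { analytics_storage: "granted", ad_storage: "granted" });
console.log(auditConsent(sampleLayer, ["analytical"]));
```

An empty result means the captured signals agree with the user's choices; each entry otherwise names a signal to investigate in the container configuration.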

Sending personally identifiable information to Google Tag Manager

Full Fabric only sends personally identifiable information to your Google Tag Manager account if you have explicitly enabled the relevant setting in your General Settings. This setting is off by default.

How can I track users across my institution's main website and Full Fabric?

In order to use cookies between different website domains — such as your institution's main website and your Full Fabric portal — cross-domain cookie tracking is required. This is not currently supported in Full Fabric.