Autorola was established in 2001 and is the largest online wholesale remarketing company for vehicles outside of the U.S. They operate in 17 European countries, including Turkey, as well as in Australia, Brazil, Mexico, and the U.S.
Challenge: Managing GDPR Compliance on Hundreds of Vendor Sites
With over 70,000 registered dealers internationally, Autorola found it challenging to keep track of GDPR compliance for its hundreds of new and expiring vendor sites. It has several internal actors who can add scripts and cookies to sites, and its vendors have the autonomy to host their own websites with their own branding, but it is Autorola’s responsibility to ensure GDPR compliance. The complexity of this architecture made it nearly impossible for Autorola to handle internally.
Martin Verner, information security officer at Autorola, wanted to automate cookie management but couldn’t find a vendor capable of supporting its complex ecosystem. Within a day of implementing one solution and putting it into production, the provider admitted their software was unable to handle the number of domains and URLs Autorola had, particularly because sites are automatically added and removed on a regular basis. “We had to do something to make sure all of our domains are compliant,” he says. “We have vendors from all over the world with different domains, URLs, legislation, and languages. It was clear we needed a flexible, scalable solution built for companies of all sizes.”
Solution: Implement Osano’s Automated Consent Manager
GDPR went into effect on May 25, 2018, and with one solution already failing to provide the necessary coverage, Autorola didn’t want to waste any more time getting a cookie consent product in place. They had already seen other companies penalized for non-compliance and wanted to reduce their risk.
The Osano software works in multiple steps: Listener, Permissive, and Strict. Listener mode is the discovery mode that intelligently gathers script and cookie information so it can be categorized by purpose: essential, marketing, analytics, or personalization. Osano rapidly scanned Autorola’s and its vendors’ sites and collected more than 1,000 cookies and scripts. Verner and his team then determined which cookies were their own before categorizing them.
After a few days in Listener mode, with categorization complete, the software set up the appropriate scripts and cookies and changed the code to Permissive/Strict mode. Without any additional coding, Autorola sites now show cookie pop-ups, and scripts and cookies are automatically allowed or blocked based on their classification and end-users’ preferences.
Results: Peace of Mind That the Cookie Consent Obligation Is Met Across All Domains
Autorola has appreciated the benefits of Osano Consent Manager since becoming an active user. Because Osano is easy to use across all of its sites with one configuration, the company no longer has to worry whether its vendors are putting it at risk with poor consent management practices.
“There’s always a learning curve with new software, but Osano was quick to respond to any issues and build features we needed for our unique environment,” says Verner. “The software automatically manages which kind of consent we need for each user and allows us to focus on other aspects of GDPR, knowing the cookie consent portion is taken care of.”
As for what’s next, Autorola is honing its procedures for managing data subject rights. It is leveraging automation wherever possible and using Osano as one of the tools in its GDPR toolbox.
“The categorization part is still somewhat uncertain and it’s not always easy to determine if a cookie is necessary or not per GDPR, but Osano has put us in a much better position than before and we are getting smarter with time,” says Verner. “All companies are having similar issues because GDPR isn’t precise or prescriptive. There is so much to consider when you talk about GDPR, but we have peace of mind knowing Osano has 40 lawyers on staff keeping track of changes within GDPR and adjusting the software configuration to ensure we stay compliant with user consents.”