Expanded configuration options for privacy consent available on Hub sites

Summary of update

Today we are releasing a key update to privacy consent configuration for all ArcGIS Hub sites, functionality offered in this update include:

1. Ability to "Require consent" from site visitors to view the site; no tracking mechanisms will be loaded onto the visitor's browser or enabled within the application until the user provides affirmative consent.
2. Ability for site visitor to accept none, some, or all configured tracking mechanisms. If a visitor changes their affirmative consent during their session, then all tracking mechanisms enabled via the site's domain will be purged and the page reloaded.
3. Integration with the Esri User Experience Improvement program (EUEI). When disabled for a member's organization will ensure their browsing activity is never tracked, regardless of the site's enabled tracking mechanisms.

This update is a critical step forward in enabling increased regulatory compliance for our customers and their audiences. Customers will notice changes to their site's privacy consent notice immediately (if configured to display) and can access the expanded configuration options from their site's settings in the layout editor.

Updated look of the privacy consent notice

As referenced above, privacy consent notices now have two display options. In this section, we'll touch on both options and what you should consider before updating your configuration. All display configurations share a secondary state where visitors can review configured tracking categories, including a general description of those categories and the ability to toggle them on/off non-necessary individually. This secondary state can be reached by selecting "Review settings" on the privacy consent notice.

Consent optional

By default all notices are non-interruptive to the visitor, meaning they will be displayed in the lower right corner of the screen and not prevent the visitor from interacting with the site. This is how our existing consent notices function today, the only change you'll observe is the increased in size and more explicit options available to visitors in the notice. We've also retired "Black & White" theme mode for notices due to limited usage.

Please note that all tracking mechanisms will be immediately loaded upon the visitor's session start. If you want visitors to provide affirmative/negative consent to tracking upon arrival, then you should enable the "Require consent" option.

Consent required

Site managers can optionally configure privacy consent notices to be interruptive to a visitor's session. When enabled the notice will block interaction with the site entirely, requiring visitors to accept none, some, or all tracking configured before usage of the site is enabled.

As noted above, no tracking mechanism will be loaded onto the browser or within the application until the visitor explicitly accepts that mechanism's category. Additionally, a visitor can revoke their consent at any time resulting in a refresh of the page and a purge of all enabled tracking mechanisms from the browser.

Tracking categories

You have likely observed categorizations of "Strictly necessary", "Performance", "Functional", and/or "Targeting" in your browsing of different web applications. These categories represent different bundles of tracking mechanisms which operate similarly; as an example, "Targeting" mechanisms may gather demographic detail during a user's session to form a profile for future marketing needs.

ArcGIS Hub enables customers to enable/disable our out-of-the-box anonymous usage analytics and configure third-party tools such as Google Analytics, SiteImprove, and Adobe Analytics. We have no way of confirming what settings are enabled in these third-party providers, including whether they have targeting-like functionality enabled. For this reason, ArcGIS Hub will display up to 3 categories:

1. Strictly necessary: core functionality that enables the application to function, such as authentication, which cannot be disabled by a visitor.
2. Anonymous usage analytics: first-party anonymized tracking which registers stats such as "number of downloads", can be disabled by a visitor at any time.
3. Third-party tracking: configured providers (ex. Google Analytics) which may or may not have additional targeting functionality enabled, can be disabled by a visitor at any time.

These categories will display automatically in the "Review settings" state of the privacy consent notice depending on the site's configuration. Customers cannot override their availability or display by design.

In the future, we plan to introduce "Functional" as another category which will enable new workflows such as your browse history being accessible for quick navigation. If you have ideas for enhancements, then please add them to the Ideas board or submit them as an ENH require through Esri Support Services. Thank you!