Usercentrics Knowledge Hub | GDPR Compliance | GDPR Opt-in
July 26, 2019 | 3 min read

7 Criteria for a GDPR-compliant Consent

A legally binding and GDPR-compliant consent must fulfil numerous criteria, which then also have to be applied to the use case of websites and apps. The decisive perspective is always that of the user: what they can reasonably expect and understand.

In the following, we outline all criteria required for GDPR-compliant consent and clarify exactly what each of them means.

Criteria for GDPR-compliant consent

Freely given

“Accept” and “Reject” button

Consent is freely given if the person has a genuine choice in their decision. It is precisely this voluntary nature that courts and supervisory authorities interpret narrowly, in favour of consumers. Denying a user access to the website merely because they have not consented to marketing technologies is unlikely to hold up in practice.

What does this mean for your cookie banner?

There must be an “Accept” and a “Reject” button. The user must have the possibility to refuse data processing and still use the service or website.

Informed

Who, what, why, how long?

Consent is informed when the data subject is aware of all circumstances of the data processing and knowingly consents to them.

What does this mean for your cookie banner?

The following information should be directly visible to the website visitor:

  • Who receives my data?
  • What is the purpose of collecting my data (e.g. Analysis, Retargeting etc.)?
  • What data is being collected (e.g. IP address, cookie ID, etc.)?
  • What is the legal basis on which my data is collected?
  • How long is the data stored?
  • In which country is data collected?
  • Will the data be forwarded to third parties?
  • Where do I find the privacy policy of each tech provider?

Explicit

Yes, I want to!

The user must actively agree. Pre-checked boxes are therefore not enough. This also means that the frequently discussed implicit consent “by continuing to browse” is not compliant when technologies are loaded as soon as the website is visited.

What does this mean for your cookie banner?

Make sure to include an “Accept” button, and activate the cookies only once it has been clicked.

Granular

Consent for all?

Consent must be tag- or cookie-specific. This means that the user must know, at a granular level, for which data and for which third-party provider they are granting or withdrawing their consent.

What does this mean for your cookie banner?

General consent “I agree to cookies” does not fulfill this requirement.

In advance

No data to be collected before opt-in

Data may only be collected once consent has been given. There must therefore be a technical link between the cookie banner and the cookies on the website. Otherwise, data is processed without a valid legal basis, an infringement of the conditions for consent that falls under the fine tier of Art. 83(5)(a) GDPR.

If the user does not give consent, it must be ensured that no data is collected or passed on from that point onward.

What does this mean for your cookie banner?

Tags and cookies must be loaded dynamically, only after the matching consent has been given. That functionality either has to be built by in-house engineers or is provided by a Consent Management Platform.
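One way to implement that technical link in the browser, as an added example (this is not Usercentrics code or a Usercentrics API): third-party scripts are shipped in the HTML as inert elements (type="text/plain" is never executed by a browser) carrying a data-service attribute, and only the services the visitor has opted in to are switched to executable scripts. The service names, tag registry and URLs below are constructed for the example.

```javascript
// Added example: consent-gated tag activation (not Usercentrics code).
//
// Constructed tag registry; service keys and URLs are hypothetical.
const TAG_REGISTRY = [
  { id: "ga",     service: "analytics",    src: "https://analytics.example/ga.js" },
  { id: "pixel",  service: "retargeting",  src: "https://ads.example/pixel.js" },
  { id: "chat",   service: "support-chat", src: "https://chat.example/widget.js" },
];

// Pure decision step: split the registry into tags that may run and tags
// that must stay blocked. A missing consent entry (first visit, banner not
// yet answered) is treated exactly like an explicit refusal, so nothing
// loads until the visitor has made a choice.
function planActivation(consent, registry = TAG_REGISTRY) {
  const granted = consent || {};
  const activate = [];
  const blocked = [];
  for (const tag of registry) {
    (granted[tag.service] === true ? activate : blocked).push(tag);
  }
  return { activate, blocked };
}

// DOM step: turn inert <script type="text/plain" data-service="..."> elements
// into executable scripts for consented services only. Browsers do not
// re-evaluate a script element when its type attribute changes, so the
// element is cloned with type="text/javascript" and swapped in, which
// triggers execution. Outside a browser (tests, server rendering) only
// the plan is returned.
function activateTags(consent, doc = globalThis.document) {
  const plan = planActivation(consent);
  if (!doc) return plan;
  const allowed = new Set(plan.activate.map((t) => t.service));
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-service]')) {
    if (!allowed.has(el.dataset.service)) continue;
    const live = doc.createElement("script");
    for (const { name, value } of el.attributes) {
      if (name !== "type") live.setAttribute(name, value);   // keeps src, async, data-*
    }
    live.type = "text/javascript";
    live.textContent = el.textContent;                        // inline code, if any
    el.replaceWith(live);
  }
  return plan;
}

// Page boot (browser): read the stored decision and apply it. A missing
// decision yields an empty object, so no tag fires before opt-in.
//   activateTags(JSON.parse(localStorage.getItem("consent") || "{}"));
```

The same planActivation call is what the “Accept” and “Reject” buttons feed after the visitor has chosen: the decision is stored, and only then is activateTags run with it, so the browser never sees an executable third-party script before consent exists.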

Documented

Burden of proof in the case of an audit

Under Art. 7(1) GDPR, the controller must be able to demonstrate that the data subject has consented. In practice, this means every consent must be documented.

Website operators therefore carry the burden of proof and, in the event of a warning letter or an audit by the data protection authority, must be able to produce the complete consent history.

What does this mean for your cookie banner?

For a consent to withstand an audit, several data points should be recorded with it, for example the timestamp, the user agent and the version of the consent texts that were shown. The URL calls made by the page should also be logged, in order to prove that no cookies were set before consent was obtained.
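As an added example of what such a record and the matching audit can look like (not Usercentrics code; the record layout, the request log format and all sample values are constructed for illustration): each consent record keeps the timestamp, user agent, a fingerprint of the consent text version and the per-service choices, and a check runs a log of third-party requests against the history to find any call that fired before opt-in, for a refused service, or after a revocation.

```javascript
// Added example: audit-proof consent records and a request-log check
// (not Usercentrics code).

// FNV-1a hash of the consent text, so a later wording change cannot be
// passed off as the text the visitor actually saw. Any stable hash works;
// this one is inlined to keep the example dependency-free.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function consentTextFingerprint(version, text) {
  return `${version}:${fnv1a32(text)}`;
}

// One entry in the consent history. "action" is "granted" or "revoked";
// "choices" is the complete per-service state after that action.
function buildConsentRecord({ controllerId, consentTextVersion, consentText,
                              choices, userAgent, action = "granted", now = new Date() }) {
  return {
    controllerId,
    action,
    timestamp: now.toISOString(),
    userAgent,
    consentTextVersion: consentTextFingerprint(consentTextVersion, consentText),
    choices: { ...choices },
  };
}

// The record in force at a given moment: the latest record whose timestamp
// is not later than atTime. Null means the banner had not been answered.
function effectiveConsentAt(history, atTime) {
  const t = Date.parse(atTime);
  let current = null;
  for (const rec of history) {
    const recTime = Date.parse(rec.timestamp);
    if (recTime <= t && (current === null || recTime > Date.parse(current.timestamp))) {
      current = rec;
    }
  }
  return current;
}

// Every logged third-party request must be covered by a record that was in
// force at that moment and that grants its service. Returns the offending
// requests so a reviewer sees exactly which tag fired without a legal basis.
function findUnconsentedRequests(history, requestLog) {
  return requestLog.filter((req) => {
    const rec = effectiveConsentAt(history, req.time);
    return !(rec && rec.choices[req.service] === true);
  });
}

// Constructed sample: the visitor accepts analytics only at 10:00:05 and
// withdraws it at 10:02:00.
const BANNER_TEXT = "We use Example Analytics to measure usage and Example Ads for retargeting.";
const UA = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0";
const CONSENT_HISTORY = [
  buildConsentRecord({ controllerId: "www.example.com", consentTextVersion: "2019-07-26",
    consentText: BANNER_TEXT, userAgent: UA,
    choices: { analytics: true, retargeting: false }, now: new Date("2019-07-26T10:00:05Z") }),
  buildConsentRecord({ controllerId: "www.example.com", consentTextVersion: "2019-07-26",
    consentText: BANNER_TEXT, userAgent: UA, action: "revoked",
    choices: { analytics: false, retargeting: false }, now: new Date("2019-07-26T10:02:00Z") }),
];

// Constructed request log: one analytics hit on page view before the banner
// was answered, one after opt-in, one retargeting pixel (never consented),
// and one analytics hit after withdrawal.
const SAMPLE_REQUEST_LOG = [
  { time: "2019-07-26T10:00:01Z", service: "analytics",   url: "https://analytics.example/collect?cid=abc" },
  { time: "2019-07-26T10:00:07Z", service: "analytics",   url: "https://analytics.example/collect?cid=abc" },
  { time: "2019-07-26T10:01:00Z", service: "retargeting", url: "https://ads.example/pixel?id=abc" },
  { time: "2019-07-26T10:03:00Z", service: "analytics",   url: "https://analytics.example/collect?cid=abc" },
];
```

Run against the sample, findUnconsentedRequests flags the 10:00:01, 10:01:00 and 10:03:00 calls and clears only the 10:00:07 one; the same function, fed from the site's own request logging, is the evidence an auditor asks for.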

Easy to withdraw

Opt-out on the page

The user has the right to revoke the consent at any time and without justification. The revocation must be as simple as the granting of consent.

What does this mean for your cookie banner?

Applied to technologies, this means that the user must be able to view and revoke their consent to individual technologies at any time, with just a few clicks. The user cannot be expected to first search for the respective opt-out option in the privacy policy, let alone be redirected to a third-party website for this purpose.

A link in the privacy policy that leads to an opt-out on a third-party website is in any case not technically sufficient. Once the user revokes consent, the website operator must stop passing on any further data; reading out the cookie ID, even for the purpose of registering the opt-out, already constitutes an unauthorised transmission of data to a third party (here, the processor). The tag may no longer be activated after consent has been revoked. Consequently, the combination of an “OK” banner and an opt-out notice in the privacy policy satisfies the GDPR neither legally nor technically.
