A legally binding and GDPR-compliant consent must fulfil numerous criteria, which must then also be applied to the usecase of websites and apps. The perspective of the user and what he can rationally expect and understand is always what is held as crucial-
In the following, we have outlined all criteria required for GDPR-compliant consent and clarify exactly what they mean.
“Accept” and “Reject” button
Consent is voluntary if the person has genuine freedom of choice in his or her decision. It is precisely this voluntary nature that is interpreted narrowly by the courts and the authorities in favour of consumers. Barring a user’s access for the website just because the user has not given his consent to marketing technologies is unlikely to exist in practice.
There must be an “Accept” and a “Reject” button. The user must have the possibility to refuse data processing and still use the service or website.
Who, what, why, how long?
Consent is given when the person affected is aware of all circumstances relating to the data processing and knowingly consents to them.
The following information should be directly visible to the website visitor:
- Who receives my data?
- What is the purpose of collecting my data (e.g. Analysis, Retargeting etc.)?
- What data is being collected (z.B. IP-address, Cookie ID, etc.)?
- What is the legal basis on which my data is collected?
- How long is the data stored?
- In which country is data collected?
- Will the data be forwarded to third parties?
Yes, I want to!
The user must actively agree.Pre-checked boxes are therefore not enough. This means that an implicit consent “by further surfing”, which is often discussed, is not considered compliant if technologies are loaded immediately when visiting the website.
Make sure to include an “Accept Button” which will activate the cookies.
Consent for all?
The consent must be tag or cookie-specific. This means that the user must know at a granular level for which data record and for which third-party provider they are granting or withdrawing their consent.
General consent “I agree to cookies” does not fulfill this requirement.
No data to be collected before opt-in
Obviously, data may only be collected once consent has been given. So, there must be a technical link between the “cookie banner” and the cookies on the website. Otherwise, data will be processed without a valid legal basis which constitutes a breach according to Article 83 Paragraph. 5 lit. a) of the GDPR.
If the user does not give consent, it must be ensured that no data is collected or passed on from that point onward.
A dynamic loading of cookies must be implemented. That functionality has to be developed by inhouse engineers or solved by implementing a Consent Management Platform software.
Burden of proof in the case of an audit
According to Art. 7 paragraph. 1 GDPR all consents must be documented.
According to the GDPR , website operators are subject to burden of proof and, in the event of a warning or an audit by the data protection authority, must be able to provide the complete consent history.
In order for the consent to withstand an audit, various data points should be recorded, for example timestamp, user agent or the version of the consent texts. URL calls made should also be logged in order to prove that no cookies were played before the consent was obtained.
Opt-out on the page
The user has the right to revoke the consent at any time and without justification. The revocation must be as simple as the granting of consent.
Applied to technologies, this means that the user must be able to view and revoke his consent to individual technologies at any time with just a few clicks. However, it cannot be expected that the user that he first has to search for the respective opt-out option in the data protection provisions and that he may be redirected to a third-party site for this purpose.
It cannot be expected that the user must search for the respective opt-out option in the data protection stipulations and potentially be redirected to a third-party website. A click-out in the data privacy statement which is linked to an opt-out on a third-party website is not technically sufficient in any case. The reason for this is that the further passing on of data from the website operator must be prevented should the user revoke their consent. Reading out the cookie ID – even for the purpose of establishing the opt-out – already represents an unauthorized transmission of data to third parties (in this case to the processor). The tag may no longer be activated after consent has been revoked. Consequently, this means that the combination of OK banner and opt-out notice in the data privacy statement does not satisfy the GDPR, neither legally nor technically.