Obtaining user consent: these five tricks are not GDPR-compliant

Consent is the new gold in online marketing because data without consent will be worthless in the future. But not all that glitters is gold! A simple look at the most popular banner solutions of today shows that user consent is not obtained in accordance with the GDPR in all cases.

We have looked at the most popular (unfortunately not GDPR-compliant!) tricks and explain why they are actually not allowed, even though they are popularly used.

Here are the 5 no-gos when obtaining user consent:

bbg fotografia/shutterstock.com

Informing website visitors via a banner that they consent to data processing by continuing to use the website is not compliant with the GDPR. This is because continuing to scroll or otherwise use the website cannot in any way be interpreted as consent to the gathering and processing of data. This is also the case when users have not interacted with the cookie banner although they had the opportunity to do so e.g. by clicking on an accept or reject button.

The loading of any technologies whose sole purpose is not for the website to function (technically essential cookies) is generally prohibited until user consent in the form of an active opt-in has been obtained (Recital 32, GDPR). Processing data without a valid legal basis represents a legal breach as stipulated in Art. 6 Paragraph 1 GDPR.

User consent must always be given in the form of a clear affirmative action  (Art. 4 No.11 GDPR). “Implicit”consent does not represent a valid legal basis in the spirit of  Art. 6 I 1 a GDPR). The fact that there is no way around explicit consent (opt-in) was confirmed in the ruling from the ECJ (01.10.19 Az. C‑673/17). 

Many other European data protection authorities have also already given statements on “implicit consent”. This includes the European Data Protection Board in its “Guidelines on Consent” from 4th May 2020. The concept of “implicit consent” is a violation of the “notion of consent”, states the ruling, because the user has no choice of rejecting the use of cookies and other tracking technologies if he or she wishes to access the website. This method is also not GDPR-compliant because no opt-out option exists with “implicit consent”, that is the user is not given any possibility to revoke consent in the same way it was given.

Furthermore, obtaining consent by scrolling further breaches the requirement for a “clear affirmative action” according to the EDPB. This means: those responsible for data processing should avoid ambiguity and ensure that the action through which consent is given can be differentiated from other actions.

Previously the British data protection authority ICO (UK Information Commissioner’s Office) had spoken against the practice of “implied consent” in its Cookie Guidelines from 3rd July 2019, as had the French data protection authority CNIL in a recommendation draft from 14th January 2020. 

The popular variant of not presenting the user any opportunity to opt out at the cookie banner’s first level is not GDPR-compliant. Not even the combination of “Accept” button and opt-out notice in the privacy statement satisfies the legal and technical requirements of the GDPR.

According to Art. 7 GDPR revocation of user consent (opt-out) must be just as easy as opting in. Revocation must therefore be possible just as quickly (e.g. with the same number of clicks) as the “Accept” button. 

Requiring the user to look for the appropriate opt-out option in the privacy statement and, as the case may be, direct them to a third party website is not acceptable. Furthermore, a “click out” of this kind in the privacy statement which links to the opt-out on a third-party website is technically insufficient, because the forwarding of data to third parties must be prevented, should a revocation occur.

The user has the right to revoke previously granted consent at any time and without needing to provide a reason. This revocation must be just as easy to complete as providing the initial consent. 

Hiding website content behind so-called cookie walls and making it accessible only once the user has provided consent is not GDPR-compliant.

If accessing the website’s content is dependent on the users consenting to have their data processed, this breaches the notion of “voluntary nature” as stipulated in Art. 7 Paragraph 4 GDPR. Consent is only valid according to this provision if it can be provided without any pressure or coercion. 

Users may not be subjected to any disadvantages should they deny or revoke consent to data processing (Recital 42 GDPR). In precise terms this means that users must be able to access the website’s content in its entirety, even without opting in.

The European Data Protection Board (EDPB) has strengthened this stipulation once again in its “Guidelines on Consent” from 4th May 2020 and also clarified that valid consent may not be obtained through the use of cookie walls.

Exempt from this rule, however, are cookie walls when a comparable service is offered without tracking, for example as a paid subscription service to published media. This practice was regarded as acceptable in the past by the Austrian and Dutch data protection supervisory boards (DSB). 

The deliberate influencing of users to provide consent through so-called “nudging” i.e. through a specific banner design, is not GDPR-compliant. This includes the colouring of certain elements (e.g. green for the accept button) or visually hiding other elements (e.g. a drab grey for the opt-out option) and also the misdirection of users through a crafty preselection of options.

Nudging breaches the requirements of the GDPR for valid consent in two criteria. Since users are unconsciously influenced in their decisions, consent can neither be voluntary or informed (see also ECJ ruling for Planet 49).  

The Danish and Irish data protection authorities have also already issued statements regarding “correct banner design” and are unanimous that “nudging” breaches the notion of transparency (Art. 5 Paragraph 2 lit. GDPR). This means that it must be just as easy to reject consent to the processing of personal data as it is to provide consent.

Most website operators ask for consent to use specific technologies using boxes which can be ticked or a toggle which can be flipped either way. The website visitor can then provide consent to the use of specific technologies such as tracking tools by ticking a box or actively flipping or moving a toggle. Pre-ticked boxes or activated switches are, however, only legally allowed for technically essential cookies. An active opt-in from the user must be given for all other cookies e.g. for marketing purposes. That is, boxes must be unchecked at first. The popular variant of requiring an active opt-out from the user, i.e. getting them to remove a previously placed tick from a box, is not legally correct.

The website visitor’s data may be only be gathered when explicit consent to do so has been obtained (Recital 32 GDPR, ECJ ruling Planet49). Any company gathering or processing data before the user has provided consent does so without a valid legal basis and is in breach of Art. 83 Paragraph 5 lit. a) in the GDPR.

Building a database for targeted online marketing strategies is an excellent idea – but please do it cleanly, i.e. with GDPR compliant user consent! 

We would be very pleased to advise you on how this is achieved and how a Consent Management Platform (CMP) can help optimise your opt-in rate.

DISCLAIMER

The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department.

These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.