Google’s requirements for its customers in 2024, including the use of Consent Mode v2, introduce yet another layer to an already tall stack of user privacy requirements. This can be daunting for businesses that need to comply but don’t necessarily have a significant amount of time, money, or expertise to invest in doing so.
Fortunately, many of Google Consent Mode’s requirements overlap with those of the General Data Protection Regulation (GDPR), Digital Markets Act (DMA), and others, so meeting its criteria can move you toward privacy compliance with multiple regulations.
Adhering to the rules set requiring the use of Google Consent Mode will help ensure that you can still collect and use valuable customer data and retain access to all of the Google services features your business relies on, while operating with transparency and building trust with your users.
This in-depth guide will help you better understand what Google Consent Mode is, what Google’s requirements mean for your business, and how you can best meet those requirements in a way that enables your continued success.
What is Google Consent Mode v2?
The latest version of Google Consent Mode was designed to enable websites to communicate users’ cookie consent choices to various Google tags that help measure website and advertising performance.
The tool was initially used primarily for anonymized data tracking. However, its intent and use have evolved, and today Google Consent Mode v2 functions more as a signaling tool.
Following the latest updates, website operators can continue to meet compliance requirements, integrate systems, and respect users’ consent choices automatically with a consent management platform (CMP) like Usercentrics CMP, which comes with Consent Mode integrated, or directly with the global site tag (gtag.js) or Google Tag Manager (GTM).
A user’s consent choices, recorded in the CMP, determine whether Google collects and processes their full data or anonymized data that can’t personally identify them.
One of the primary reasons to use Google Consent Mode v2 is to achieve or maintain compliance with global data privacy regulations, including the General Data Protection Regulation (GDPR).
The Digital Markets Act (DMA) only requires designated “gatekeepers” like Alphabet (which owns Google) to comply, but in order to do so the company needs to require the business customers using their services, and collecting users’ personal data, to also meet compliance requirements.
User consent and online ads
User consent is a necessity for online advertising under many global privacy regulations, as it allows you to compliantly gather user data and use it to promote your product to customers who are already in your marketing funnel.
The data you collect enables you to deliver relevant, personalized ads to users to enhance their interactions with your brand and increase the effectiveness of your campaigns.
With the proper implementation of Google Consent Mode v2, you can ensure that your users have full control over their data and how it’s used across digital spaces. This will help you to build trust with your customers, making them more inclined to trust you with their data and personalization actions, while helping to enable compliance with data privacy regulations like the GDPR, DMA, and others.
What services does Google Consent Mode v2 support?
Google Consent Mode currently supports the following Google services:
- Google Analytics 4 (GA4)
- Google Ads (Google Ads conversion tracking and remarketing)
- Floodlight
- Conversion Linker
It’s a simple, convenient customization tool and another way to stay one step ahead of evolving legal and technology needs for data privacy compliance.
Why is Google Consent Mode valuable?
Google Consent Mode has a multitude of features that can bolster compliance efforts and enhance your business operations. Here are some of its key advantages:
- Establish a competitive advantage: Get an edge over competitors that are still grappling with outdated tracking methods and embrace Privacy-Led Marketing.
- Future-proof operations: Adapt to evolving data privacy regulations and business requirements and implement data- and consent-driven marketing strategies.
- Optimize consent rates: Collect data for advertising and gain conversion insights from all users — even those that don’t provide consent — to optimize operations.
- Build transparency and trust: Provide clear information about privacy law requirements and data usage to build and maintain user trust.
- Collect data dynamically: Move toward consent-based data collection to respect user privacy without affecting the efficacy of your advertising business model.
How does Google Consent Mode v2 work?
Google tags are loaded onto web pages before the cookie consent banner appears, so Google Consent Mode enables websites to dynamically adjust the behavior of these tags once a user allows or rejects cookies. Measurement tools will only be used for specifically determined purposes if the user has given consent.
Google Consent Mode features two tag settings to manage cookie behavior based on user consent choices:
- analytics_storage: determines how analytics services (e.g. GA4) behave
- ad_storage: determines how ad services (e.g. Google Ads) behave
Google Consent Mode v2 introduced two additional tag settings that are based on the same trigger as ad_storage:
- ad_user_data: controls whether personal data is sent to a Google service
- ad_personalization: controls whether data can be used for ads personalization (e.g. remarketing)
Website owners can also leverage conversion modeling to gather insights from anonymized data collected from users who reject cookies. This feature helps businesses gather essential data and marketing insights to fill in data gaps and understand user behavior without compromising on privacy.
A consent management platform can enable you to seamlessly collect user consent preferences and transmit them to Google services for further processing.
With Usercentrics CMP, you can automate detecting and categorizing all cookies and trackers in use on your site. Then with that information in the CMP user interface, users can accept all cookies, reject all (except strictly necessary cookies), or accept some cookies while rejecting others.
Users’ privacy preferences are maintained at every step, and companies still have access to sufficient information to maintain their ability to make data-driven decisions.
Basic vs advanced consent mode in v2
Google Consent Mode v2 introduces two levels of consent handling: Basic and Advanced. Each of these levels is designed to meet different operational needs and regulatory requirements.
Basic Consent Mode:
- Simplified implementation: Easier to set up with minimal integration, making it ideal for small businesses or those new to consent management
- Limited data: Supports essential data collection, focusing on enabling compliance with basic privacy regulation requirements
- Little customization: Provides standard options for user consent without extensive customization capabilities, which is ideal for businesses with simple data collection needs
Advanced Consent Mode:
- Comprehensive implementation: Requires more detailed setup and configuration, making it more suitable for larger businesses with complex data practices
- Detailed data: Supports more granular data collection and processing based on detailed user consent preferences for businesses that need more in-depth analytics
- High customization: Allows for tailored consent settings and greater control over data use that aligns with specific business needs and regulatory requirements, which is best for businesses that need to manage detailed consent scenarios
Google Analytics Consent Mode
Google Analytics Consent Mode for GA4 uses the analytics_storage tag to manage how GA4 cookies behave based on user consent.
When a user gives consent for analytics cookies, GA4 will collect full data from the user for statistical or analytical purposes.
Conversely, when a user rejects analytics cookies, GA4 limits the data it collects to information that can’t personally identify the user, including their browser or operating system and the referrer, or how the user came to the website.
Consent Mode for Google Ads
Google Consent Mode v2 uses the ad_storage tag to manage how Google Ads cookies behave based on user consent.
If a user gives consent for advertising cookies, Consent Mode for Google Ads will collect full data from the user for marketing or advertising purposes.
Where a user rejects cookies for advertising purposes, Google tags will not use advertising cookies and any Google Ads the user sees will not be targeted or personalized based on their data.
What is conversion modeling?
Data from cookies is useful to help website owners track and identify users, study user behavior on their website and see the effectiveness of their ad campaigns and messaging in converting users to customers, among other things.
When users consent to cookies, gathering comprehensive data becomes straightforward and makes precise ad targeting and data analytics easier. When users reject cookies, these become harder to do, since the data collected is restricted and anonymized, causing gaps in the analytics.
Google uses machine learning to fill in the gaps with conversion modeling. It studies data and trends from users who consented to cookies and uses this data to estimate the behavior of users who reject cookies.
Conversion modeling helps ensure that businesses using Google Analytics Consent Mode data can still gain valuable insights and optimize their marketing strategies, even when full consent data is unavailable.
How to implement Google Consent Mode
To maintain access to all of Google’s analytics and advertising services, you need to implement Google Consent Mode on your website if you’re doing business in the EU, UK, or Switzerland. There are two options for how you implement it.
The most straightforward solution is to use a CMP with Google Tag Manager. Another option is to have your tech team integrate it directly into your website with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF 2.2).
Google Consent Mode and Google Tag Manager
Google Consent Mode can be integrated with Google Tag Manager in two ways, depending on whether the website owner uses a CMP.
- With a CMP: Use the CMP’s Tag Manager template, which is integrated with the Consent API. This can be done from within Google Tag Manager itself, requires minimal coding, and saves website owners time and effort.
- Without a CMP: Create a custom Tag Manager template, which requires coding knowledge and the help of a developer to build, implement, and update.
Once Google Consent Mode and Google Tag Manager are integrated, user consent choices in the CMP’s displayed consent banner are passed on to Google Tag Manager, which then governs how cookies behave for a user’s visit.
This integration helps ensure that all tags and tracking tools comply with user consent preferences to help businesses balance effective data collection and privacy compliance.
While integrating Google Consent Mode without a CMP allows for more flexibility, it demands more technical expertise and ongoing maintenance. Using Usercentrics CMP, on the other hand, simplifies this process by ensuring that user consent preferences are automatically communicated to Google.
Google Consent Mode v2 and the TCF 2.2
Google Consent Mode has been updated especially for websites where user consent is not obtained within the scope of the IAB Transparency and Consent Framework (TCF) with their CMP.
For companies actively using the IAB TCF 2.2, Google Tools will continue to read out and respect the IAB TC String. This means that all Google services, including Google Analytics and Google Ads, will honor the consent preferences specified in the String to help ensure that a user’s choices are applied across all integrated tools and services.
How to implement Google Consent Mode with the Usercentrics CMP
Implementing Google Consent Mode with the Usercentrics CMP solution as an alternative to prior blocking can be done in a single step. Existing customers and those with custom Data Processing Services should note the additional information below.
✔ Adjust the existing Google Tag Manager code by adding a few lines of code above your Google Tag Manager tag.
✔ If you are an existing customer, ensure the Google Consent Mode option is toggled ON in the Usercentrics Admin Interface.
✔ For new customers, Google Consent Mode is ON by default.
✔ If you have custom Data Processing Services, use the Usercentrics CMP events to signal the consent status via the Consent Mode API.
There is also a convenient feature that automates the process of enabling Google Consent Mode in Usercentrics CMP. Get it up and running in two easy steps.
Integrate Google Consent Mode v2 with Usercentrics CMP to collect valid user consent from EU/EEA users and adhere to Google’s user consent policy.
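The sections above on how Consent Mode v2 works (the four tag settings) and on adding a few lines of code above the Google Tag Manager tag can be illustrated with the consent default/update handshake itself. The block below is an added example, not Usercentrics’ or Google’s own code: it keeps the shape of Google’s documented `gtag('consent', ...)` calls (including the `wait_for_update` parameter) but uses a local `dataLayer` array instead of `window.dataLayer` so it runs under Node; the CMP category names `analytics` and `marketing` are assumed, and the rule that an update before a default is a bug is this example’s own check.

```javascript
// Added example: Google Consent Mode v2 default-deny, then update from the CMP choice.
// In a real page: window.dataLayer = window.dataLayer || []; and this snippet sits
// ABOVE the Google Tag Manager container snippet so the default is queued before tags load.

const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Simulated window.dataLayer (constructed for the example).
const dataLayer = [];
let defaultSet = false;

// Same shape as Google's gtag helper: it queues the raw call arguments.
function gtag() {
  dataLayer.push(Array.from(arguments));
}

// Step 1: default-deny all four consent types before any Google tag fires.
// wait_for_update gives the CMP up to waitMs to deliver a stored choice; until
// then, and if none arrives, tags run in the denied (cookieless) state.
function setDefaultDenied(waitMs = 500) {
  const defaults = {};
  for (const type of CONSENT_TYPES) defaults[type] = 'denied';
  defaults.wait_for_update = waitMs;
  gtag('consent', 'default', defaults);
  defaultSet = true;
  return defaults;
}

// Step 2: translate a CMP category decision into the four v2 signals.
// Assumed (hypothetical) CMP categories: { analytics: bool, marketing: bool }.
// ad_user_data and ad_personalization follow the advertising decision, as the
// article describes for the two settings introduced in v2. Anything that is not
// an explicit true (missing key, null, "yes") is treated as denied.
function consentFromCategories(choice) {
  if (typeof choice !== 'object' || choice === null) {
    throw new TypeError('choice must be an object');
  }
  const ads = choice.marketing === true ? 'granted' : 'denied';
  const analytics = choice.analytics === true ? 'granted' : 'denied';
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: analytics,
  };
}

// Called when the banner records a choice. Example-specific check: an update
// without a prior default means tags were already loaded with no consent
// configuration at all, which is the ordering mistake this snippet exists to avoid.
function applyUserChoice(choice) {
  if (!defaultSet) {
    throw new Error("gtag('consent','default', ...) must be queued before any update");
  }
  const update = consentFromCategories(choice);
  gtag('consent', 'update', update);
  return update;
}

// What the tags effectively see: the last value queued for each consent type.
function effectiveConsent() {
  const state = {};
  for (const [cmd, , params] of dataLayer) {
    if (cmd !== 'consent') continue;
    for (const type of CONSENT_TYPES) {
      if (params[type] !== undefined) state[type] = params[type];
    }
  }
  return state;
}

// Test helper: clears the simulated dataLayer and the default flag.
function resetDataLayer() {
  dataLayer.length = 0;
  defaultSet = false;
}
```

In production the `applyUserChoice` call is wired to the CMP’s consent event; `effectiveConsent` is only there to make the queued state inspectable.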
Why you need a consent management platform to be GDPR-compliant
Google Consent Mode does not replace a CMP; it serves as a link between the CMP and Google services. This has become increasingly important since enforcement of the Digital Markets Act (DMA) began in the EU in March 2024, and the gatekeepers have levied stricter requirements on their business customers.
With Google (via parent company Alphabet) designated as one of the seven gatekeeper companies under the DMA, and required to ensure end-to-end privacy compliance in its business ecosystem, third-party customer companies using Google services will need to achieve valid privacy compliance and signal consent to tracking, particularly for advertising purposes.
Google Consent Mode is an integrated tool that enables Google services to run on websites based on the types of consent collected from website users, without requiring Google to have direct access to personal data or denying companies access to information they need to drive conversions.
However, obtaining user consent remains the website operator’s responsibility, and Consent Mode doesn’t work as a standalone. With the help of a CMP, you can collect granular user consent for all cookies and tracking technologies in use on the site in accordance with the GDPR and other data privacy laws.
By pairing the Consent Mode API with the Usercentrics CMP, websites can indicate if the user has given consent for cookie usage related to analytics, advertising, or both. The supported Google tags will respect this signal and adjust their behavior accordingly, only using cookies if consent was granted for the specific purposes.
For example, if the website user decides to reject the use of cookies or trackers for certain marketing technologies, Google Consent Mode will react based on this consent status and will only display purely context-based advertising to that person on the website, without any personalization. This enables companies to meet regulatory requirements while still respecting users’ privacy choices.
Why is consent needed for the processing of personal data?
Data privacy laws like the GDPR, Brazil’s LGPD, and more provide individuals online with protection and control over their personal data, who has access to it, and how it’s used. As technologies evolve, the average person creates more and more data online every day.
Laws like the GDPR require prior consent for access to and processing of that personal data, which can reveal a great deal about individuals — some of the information being quite sensitive. Without consent, people’s privacy could also be violated without their knowledge for the benefit of companies using their data.
This way, businesses can still obtain and use personal data, and in many cases do so to create better experiences for their customers, but only with individuals’ consent, and only within the parameters of what those people have agreed to or the law allows.
Consumers are also increasingly aware of the value of their data, their rights, and the collection and use of their data online by companies.
This means that companies that want to build and retain user trust and develop long-term engagement must give users choices around whether or not to be tracked using transparent, user-friendly notices about their privacy compliance and data collection practices, as well as employing compliant consent mechanisms.
Proactively embracing consent-based marketing helps protect companies’ revenue and brand reputation while helping to future-proof growth and helping them to get ahead of their competitors.
The future of digital marketing includes a focus on driving revenue by optimally leveraging technologies that address companies’ responsibilities and serve users’ needs. In an era when consumers have more and more choices and the ability to leave companies that don’t provide great experiences, companies can no longer rely on dominant market positions or limited alternative options.
Companies can evolve their marketing efforts with smart, data-driven decisions by using tools like Google Consent Mode v2 and integrating them with a robust CMP to help ensure compliance and use data effectively.
Anonymous tracking via Google Analytics 4: Is it GDPR-compliant, even without consent?
According to Google, if a user doesn’t provide consent to tracking via GA4 (analytics_storage: denied), all data will be anonymized. Google will not collect any personally identifiable information when a user has denied consent, so the data will be captured without a client ID and recorded in aggregated form.
Additionally, if the placement or reading out of advertising cookies is prevented (ad_storage: denied), the main processing purposes for which user consent is usually obtained will no longer be active. This helps to ensure that any data collected is not used for personalized advertising, in line with the GDPR’s requirements.
Can these technologies be used without user consent?
Anonymized data — like the information that Google tags collect when a user rejects tracking — is not considered to be personal data under the GDPR and therefore can be used without consent.
Here, it’s important that website operators ensure that users are able to easily reject tracking and also guarantee that data collected after this rejection:
- cannot be used to identify a user
- is not forwarded to third parties to be used for their own purposes
- is not forwarded to servers in third countries
Google Consent Mode v2 ensures that if a user denies consent, only non-identifiable information is collected. Data is anonymized and aggregated to provide a generalized view of user behavior rather than specifics. Plus, the tool prevents the transfer of data to third parties and third countries, unless express consent is given.
These factors help to ensure that Google Consent Mode v2 complies with the provisions of the GDPR, enabling companies to collect data from anonymous users even without consent.
Strengthen the data privacy and marketing relationship with explicit consent
With valid consent collection from website users, advertisers can continue to optimize opt-ins, measure conversions, and retrieve analytics insights with Google Consent Mode v2 while achieving and maintaining GDPR compliance.
Google Consent Mode seamlessly combines the protection of users’ data with companies’ and the advertising industry’s interests, so you can collect customer data to enhance your marketing efforts while protecting user privacy.
The simplest way to obtain granular, GDPR-compliant user consent for the use of cookies and other tracking technologies is via a CMP.
Usercentrics CMP gives users granular control over their data privacy preferences via a brand-aligned consent notice, helping you to comply with major privacy regulations while building customer trust.
Overview
- Goes into effect September 1st, 2023, no grace period for compliance.
- Consent not required for data collection/processing under all circumstances.
- Applies to natural persons (no longer to legal persons) and commercial and noncommercial entities that process the data of Swiss citizens.
- Entities are responsible for compliant data processing even if they use third parties (like vendors) to do it.
- All processors must take reasonable organizational and technical measures to ensure data privacy and security.
- Applies to data in both physical and electronic files.
- Extraterritorial law: entities processing personal data do not have to be based in Switzerland.
- Prohibits transfers of personal data from Switzerland to countries with which they do not have an adequacy agreement unless explicit user consent has been obtained from data subjects.
Consent Requirements
Unlike the GDPR, the FADP allows entities to process personal data without a specific legal basis, unless the processing meets certain criteria. Consent is required for:
- processing of sensitive personal data
- processing used in high-risk profiling by a private person
- processing used for profiling by a federal body (government)
- data transfers to third countries where there is not adequate data protection
The FADP does allow for other legal bases for processing besides consent (like the law or overriding public interest), but fewer than the GDPR does. When consent is required, it must be obtained before or at the point of data collection. Like the GDPR, user consent under the FADP must be granular, informed, and voluntary.
A consent management platform enables compliant user notification, e.g. populating a privacy policy page, as well as collecting and storing compliant consent. Multiple configurations can be used with geolocation to ensure compliance with multiple regulations with different requirements, like the GDPR and FADP, depending on user location.
Notification Requirements
Data subjects must be informed at all times prior to data collection, even if consent is not required for the intended data processing.
Companies need to clearly communicate the following information to users, e.g. in a privacy policy page on the website. These are the same notification criteria required for consent to be valid:
- identity of the data controller, whether the company or a third-party
- contact details for the data controller
- identity of the data recipient and any other parties involved with the data file
- recipient country if the data will be transferred cross-border
- purpose(s) of data collection and use
- what categories of data are collected, if relevant
- means of data collection, if relevant
- the legal basis for processing, if needed
- users’ rights regarding their personal data under the FADP, including the right to refuse or withdraw consent
Data subjects’ rights
Data subjects have the following rights under the FADP:
- request to know if data about them is or has been processed (cannot waive the right to information in advance)
- request access to their collected data
- receive their data in physical format (printed or photocopied) free of charge
- request that their personal data be corrected if inaccurate or incomplete (can be restricted, refused, or deferred, including in matters of security, to protect criminal investigations, or to protect the interests of overriding third parties)
Checklist for FADP compliance
- Create privacy statements, like a privacy policy page on the website, or update existing ones and ensure they are customized for your business, users, processing purposes, and the data you process.
- Data subjects must always be notified regarding processing, even when consent is not required.
- A consent management platform enables customizing and populating your privacy policy, as well as keeping it updated.
- Ensure notification information includes with which countries personal data is shared.
- If there is no adequacy agreement with those countries, make that clear and get explicit consent for data sharing.
- Obtain and securely store user consent when required, e.g. for sensitive personal data processing.
- Create or update internal data processing guidelines and ensure they are well communicated.
- Set up and maintain an internal registry of data processing activities.
- Implement a process to enable efficient receipt, acknowledgment, and response to data subjects exercising their rights, e.g. requests for copies of personal data or for correction or deletion.
- Ensure data is portable in an accessible format, e.g. printout or common electronic format.
- Implement a data protection impact assessment, especially if the organization extensively processes sensitive data.
- Implement a process for data breaches, including prompt notification of the FDPIC and data subjects if needed. Include third parties that access or process data as well.
- Review and update contracts with third parties (like vendors) to ensure reasonable requirements for security and data privacy are met. (Though legal responsibility lies with the first party.)
- Maintain data only for as long as necessary under the stated notification and for the stated purpose of processing. Delete or anonymize it as soon as it is no longer required for that purpose.
- Appoint a data protection officer who liaises with users and the FDPIC, and administers policies and processes.
- Consult with qualified legal counsel regarding your organization’s responsibilities under the FADP and how to fulfill them. Update them regularly. Usercentrics does not provide legal advice but only information for educational purposes.
The DMA came into force in November 2022 and has been applicable since May 2023. Designated gatekeepers have until March 6, 2024 to comply with the Act’s requirements. This means that the companies that do business in the EU/EEA and UK and use the gatekeepers’ platforms and services also need to comply. Gatekeepers in violation of the DMA can be fined up to 10% of annual global turnover, or up to 20% for repeated infringements.
The DMA’s requirements are similar in many respects to those of the GDPR, but are broader in some ways, addressing additional access to and uses of end users’ personal data. The DMA aims to help ensure healthy competition from smaller, non-gatekeeper companies, and more open digital markets.
Read on to learn about:
- designated gatekeepers
- core platform services (CPS)
- whether your company needs to comply with the DMA
- how the DMA impacts user privacy and consent
- how to obtain and store valid consent
- how to implement a CMP to be ready for the DMA
- and more…
1) What companies have been designated as gatekeepers under the Digital Markets Act?
Under the DMA, the European Commission (EC) has designated seven “gatekeeper” organizations: Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta and Microsoft.
The gatekeepers have to ensure that their platforms comply with the DMA by March 6, 2024, or they risk substantial fines. By extension, these requirements also mean that the many companies that use the core platform services from these entities must comply if they want to keep using the platforms and services.
This includes companies that collect and process user data for their own operations, or access data collected by the gatekeepers.
Companies that collect and use the personal data of users in the European Union must ensure they obtain valid prior consent (opt-in) from online users of these platforms and services. This includes gatekeepers and third parties that use their platforms, services, and data. If your organization is one of these, e.g. advertising on one or more of the platforms, you need to comply with the DMA. Companies operating in the EU may also need to comply with additional data privacy regulations, like the GDPR.
That means you need a consent management solution to ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data.
2) What are the gatekeepers’ core platform services?
The gatekeepers provide 23 identified core platform services (CPS) that are required to comply with the DMA due to their enormous reach, audience, and data generated:
- 3 operating systems (Google Android, iOS, Windows PC OS)
- 2 web browsers (Chrome and Safari)
- 1 search engine (Google)
- 4 social networks (Facebook, Instagram, LinkedIn, TikTok)
- 1 video sharing platform (YouTube)
- 3 online advertising services (Amazon, Google, and Meta)
- 2 large communication services (Facebook Messenger and WhatsApp)
- 6 intermediation platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
- 1 online travel agency
Third parties that use these CPS also need to comply with the DMA or risk losing access to gatekeepers, their platforms and services, and the data and revenue they generate.
3) How does the Digital Markets Act impact user privacy and consent?
User privacy and consent under the DMA follow the same requirements as the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before any personal data is collected.
Users must also be able to change their consent preferences or withdraw consent at any time, and companies must be able to prove consent in the event of an audit by data protection authorities.
To achieve this, a consent management platform (CMP) enables companies to notify users about the collection and use of their data, provide consent options, and store this information securely. Companies using Google services must also support the most up-to-date version of Google Consent Mode.
The DMA requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:
- process personal data for providing advertising services using CPS
- combine personal data from CPS with data from other CPS or services provided by the gatekeepers
- cross-use personal data from CPS in other services provided by the gatekeeper or CPS, and/or
- sign end users in to other services in order to combine personal data
4) What are third-party companies’ rights under the Digital Markets Act?
In addition to the DMA’s requirements regarding the rights and protections afforded to end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.
Some of the key requirements are:
- allow the use of third-party apps on gatekeepers’ operating system(s)
- allow access to data generated on CPS
- do not allow gatekeepers’ services to be more favorably ranked
- do not track end users outside of the gatekeepers’ CPS for the purpose of targeted advertising without obtaining consent
- enable pre-installed apps to be uninstalled
- enable settings to be changed on operating systems or browsers that lead to the gatekeepers’ products and services
- allow business users to offer their products and services on third-party platforms or their own platform for the same price as on the gatekeepers’ platforms and services
- provide advertisers and publishers information about advertisements placed, remuneration and fees, and metrics free of charge
See the EC’s published list of “do’s and don’ts” for gatekeepers
5) How can companies obtain and store valid consent under the Digital Markets Act?
Per the DMA’s requirements, conditions for valid consent are:
Explicit: Active acceptance required, e.g. ticking a box or clicking a link.
Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?
Documented: You have the burden of proof of consent in the case of an audit.
In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.
Granular: Individual consent for individual purposes, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.
Freely given: Equally accessible and easy to use “Accept” and “Deny” options, e.g. buttons all on the first layer of the CMP. Do not manipulate users’ choices via design.
Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.
On websites, in apps, and on other connected platforms, the GDPR requires consent to be obtained for the use of cookies and other tracking technologies. This has made cookie banners or similar consent management tools a common sight. But many companies with EU users are still not compliant with the GDPR. This also means they won’t be compliant with the Digital Markets Act, and risk access to the gatekeepers’ platforms and services, including advertising with Google.
A consent management platform can be implemented on websites, apps, and other platforms in minutes, and customized for your company branding, the cookies and other tracking technologies you use, and more.
Usercentrics has Europe’s leading CMP that enables stringent regulatory compliance, including with the Digital Markets Act, right out of the box. It’s built on state-of-the-art technology that scans deeper for cookies and has automated functionality to help you maintain compliance without having to dedicate a lot of tech or legal resources. It also enables companies to meet consent management requirements to maintain access to the gatekeepers’ platforms and services without disruption.
6) Why do you need a CMP that is ready for Digital Markets Act compliance?
European authorities have shown they are serious about data privacy compliance and regulatory enforcement, and the DMA will extend that commitment. The European Commission can impose fines for Digital Markets Act violations on gatekeepers of up to 10% of the company’s annual global turnover, 20% in cases of repeated infringement. The Commission can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.
Third-party companies using gatekeepers’ services can lose access to the platforms, data, customers, and revenue if they are found to be noncompliant with the Digital Markets Act. Additionally, Digital Markets Act violations would also quite possibly violate other privacy laws, like the GDPR, which come with a whole additional set of penalties. The likely result would be a serious hit to brand reputation and customer trust, which would negatively affect revenues and future growth.
7) How do you implement a CMP that’s ready for the Digital Markets Act?
Your implementation will depend on your platform, CMS, and tools used, e.g. GTAG, Google Tag Manager, etc. However, Usercentrics CMP integrates into all the leading web and app platforms, like WordPress, Magento, Wix, Squarespace, Shopify, Prestashop, and more.
- Select a flexible, reliable consent management platform that can be customized to your needs and will be easy to maintain by technical or non-technical staff
- Implement the CMP according to your website setup—via direct integration, head tag, Google Tag Manager, etc.—and the tools you have integrated, including those of the designated gatekeepers under the Digital Markets Act
- Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
- Activate Google Consent Mode signaling
- Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
- Start collecting Digital Markets Act-compliant consent from users
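The wiring behind the implementation steps above, as an added example that is not Usercentrics' or Google's own code: it sends the Consent Mode v2 default (everything denied) before any tag fires, translates the CMP's granular choices into a consent update, loads third-party trackers only once the relevant signal is granted, and builds a storable consent record for the burden-of-proof requirement. It assumes gtag.js or Google Tag Manager provides the global `gtag` function; the purpose names, the purpose-to-signal mapping, and the tracker loaders are constructed placeholders.

```javascript
// Added example, not code from Usercentrics or Google: wiring a CMP's consent
// choices to Google Consent Mode v2 signals and gating third-party trackers so
// nothing that sets cookies runs before consent.
// Assumptions: gtag.js (or GTM) exposes the global `gtag` function; the CMP
// reports choices as { purposeName: boolean }; tracker loaders are functions
// you supply. The purpose names and mapping below are constructed.

// Consent Mode v2 parameters (ad_user_data and ad_personalization are new in v2).
const CONSENT_TYPES = Object.freeze([
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
]);

// Constructed mapping from CMP consent purposes to Consent Mode parameters.
const PURPOSE_TO_TYPES = Object.freeze({
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  statistics: ['analytics_storage'],
});

// Default state sent before the CMP has an answer: everything denied.
// wait_for_update asks gtag to hold tag firing briefly for the CMP's update.
function defaultConsentState(waitMs = 500) {
  const state = {};
  for (const t of CONSENT_TYPES) state[t] = 'denied';
  state.wait_for_update = waitMs;
  return state;
}

// Translate granular CMP choices into a Consent Mode 'update' payload.
// Unknown purposes are ignored; anything not explicitly granted stays denied.
function consentUpdateFromChoices(choices) {
  const update = {};
  for (const t of CONSENT_TYPES) update[t] = 'denied';
  for (const [purpose, granted] of Object.entries(choices || {})) {
    if (granted !== true) continue;
    for (const t of PURPOSE_TO_TYPES[purpose] || []) update[t] = 'granted';
  }
  return update;
}

// Consent record for the "documented" requirement: what was shown, what was
// chosen, and when. `now` is injectable so the record is reproducible.
function buildConsentRecord(choices, bannerVersion, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    bannerVersion,
    choices: { ...choices },
    signals: consentUpdateFromChoices(choices),
  };
}

// Gate for third-party trackers: each tracker names the consent type it needs
// and a loader. A loader runs at most once, and only after that type is granted.
class TrackerGate {
  constructor(gtagFn) {
    this.gtag = gtagFn;
    this.trackers = [];
    this.loaded = new Set();
    // Must run before any Google tag loads, or tags fire with no consent state.
    this.gtag('consent', 'default', defaultConsentState());
  }

  register(name, requiredType, load) {
    if (!CONSENT_TYPES.includes(requiredType)) {
      throw new Error(`unknown consent type: ${requiredType}`);
    }
    this.trackers.push({ name, requiredType, load });
  }

  // Apply a new or changed set of choices. Returns the tracker names loaded by
  // this call. A withdrawal flips the signal to 'denied' and loads nothing
  // further; a script that already ran cannot be unloaded, so stop passing it
  // data and, ideally, reload the page after a withdrawal.
  apply(choices) {
    const update = consentUpdateFromChoices(choices);
    this.gtag('consent', 'update', update);
    const loadedNow = [];
    for (const t of this.trackers) {
      if (update[t.requiredType] === 'granted' && !this.loaded.has(t.name)) {
        t.load();
        this.loaded.add(t.name);
        loadedNow.push(t.name);
      }
    }
    return loadedNow;
  }
}

// Self-contained demo with a fake gtag that only records the calls it receives.
function demo() {
  const calls = [];
  const gate = new TrackerGate((...args) => calls.push(args));
  gate.register('analytics', 'analytics_storage', () => {});
  gate.register('ad-pixel', 'ad_storage', () => {});
  const first = gate.apply({ statistics: true, marketing: false });  // loads analytics only
  const second = gate.apply({ statistics: false, marketing: false }); // withdrawal: loads nothing
  return { calls, first, second };
}
```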
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018. Any organization that handles the consumer data of EU residents needs to take GDPR compliance seriously.
GDPR compliance is also valuable for those doing business in the United States, among other countries that have since introduced data privacy laws. California, for example, borrowed heavily from the GDPR when drafting its data privacy regulations. This has since influenced data privacy legislation drafted by other states.
Achieving GDPR compliance puts U.S. companies ahead of the game in ensuring state-by-state compliance at home. By adopting its more stringent best practices, you’re set up to avoid future disruptions as more regulations are passed in the U.S. and other countries.
The following information will help clarify your company’s GDPR compliance requirements. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy.
GDPR in the U.S.: Does your company need to be compliant?
One of the first questions asked by U.S. companies is, “Does the GDPR apply to us?” If your company does business in the EU that involves collecting and processing user data, then yes, you do need to be GDPR-compliant.
This can mean you sell products or services in the EU, work with partners or customers there, or receive web traffic from visitors located there.
Note that the GDPR is extraterritorial. This means it applies to organizations that process EU residents’ personal data whether or not those entities are actually located in the EU. It only matters that the personal data being used belongs to people in the EU.
In July 2023, the EU-U.S. Data Privacy Framework introduced a new adequacy agreement between the two regions, which had been without one since the Schrems II decision struck down the previous EU–U.S. Privacy Shield framework in 2020.
The EU-U.S. Data Privacy Framework does not apply GDPR requirements to the U.S., though it is a legal agreement and does apply certain standards to data protection and international transfers. The framework also outlines data subjects’ rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on US intelligence services.
GDPR requirements for U.S. companies
The GDPR’s requirements differ from data privacy regulations in the U.S., so you need to understand the distinctions. These include the following.
Scope of jurisdiction
Data privacy laws passed to date in the U.S. are all at the state level; each one applies only in the state where it was enacted. The U.S. does not yet have a federal data privacy regulation, so companies need to check whether there is a law in each state where they do business, and what its requirements are.
Scope of protection
Privacy laws in the U.S., like the California Consumer Privacy Act (CCPA), are centered around consumer protection, whereas the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors.
Dedicated roles
In many instances, the GDPR requires organizations to appoint a data protection officer. This isn’t the case under the majority of U.S. state-level laws passed to date.
Opting in and opting out
Under the GDPR, individuals must provide explicit opt-in consent prior to having their personal data collected and processed. The U.S. uses an opt-out model in all privacy laws passed to date, meaning you can in many cases collect and use data without obtaining consent (with the common exception of children’s data or data categorized as “sensitive”). You do have to provide a way for people to opt out of data collection and/or processing for various purposes (these vary by state law).
Terms and definitions
While the GDPR refers to “personal data,” the term “personally identifiable information” (PII) is more common in the U.S. The specific requirements for data to be “sensitive” also vary. We explain these differences in depth: Personally Identifiable Information (PII) vs. Personal Data — What’s the difference?
Under the GDPR, you need a legal reason that can be proven to collect and process customer data. Valid consent is one of the six legal bases listed in Art. 6 GDPR. The conditions for consent to be valid are outlined in Art. 7 GDPR.
You need to document and clearly communicate to site visitors, customers, app users, etc. what personal data you want to collect, for what purpose(s), who may have access to it, and several other requirements. If the purpose for processing user data changes, you must obtain new consent from users.
Data controllers (e.g. companies collecting data from visitors to their website) can use any of the legal bases for data processing if they can prove the necessity of doing so. You can’t simply choose or change a legal basis because a business need changes or because one method (like obtaining valid consent) is more work.
U.S. GDPR compliance checklist
✅ Keep data privacy and protection top of mind in all aspects of your business, especially the customer-facing parts. It’s cheaper, more efficient, and less resource-intensive to build compliance into your system from the beginning using a privacy by design approach than to retrofit it, especially considering the risk of violations if efforts are not comprehensive enough.
✅ Create an internal security policy for employees, partners, and contractors to ensure security measures are adequate, and keep it updated. Ensure it’s clear and covers all operations and specific roles within the organization where accessing personal data is necessary.
✅ Know what a data protection impact assessment is and have a process to carry it out. These are legally required under some regulations, but a good idea regardless.
✅ Wherever possible, when personal data is collected, anonymize, pseudonymize, and encrypt it.
✅ In the event of a data breach, have a process in place to notify data subjects and the correct authorities within the required time frame. Where possible, act as quickly and thoroughly as possible to provide information, cooperate with authorities, protect affected users, and mitigate and repair damage from the breach.
Data subjects’ privacy rights
It must be clear and easy for customers, users, and visitors to:
✅ object to collection and/or processing of their personal data
✅ request and receive all the data you have about them in a timely manner
✅ request a correction or update to inaccurate or incomplete data
✅ request that their personal data be deleted in a timely manner (with some exceptions)
✅ have you stop collecting and processing their data if they withdraw previous consent
✅ receive a copy of all of their personal data to be transferred to another entity
✅ have processes and policies in place (and user access to them) to protect their rights if you make decisions about them based on automated decision-making processes
Operations
Requirement | Key actions | Details |
---|---|---|
Conduct an information audit to learn and document: | Organizations with 250+ employees, or that conduct higher-risk data processing, must keep an up-to-date and detailed list of their processing activities, which can be shown to regulators on request. Companies with fewer than 250 employees should still do these audits and maintain this information. | |
| Legal basis is determined based on the six conditions under Art. 6. There are additional provisions relating to children and special categories of personal data in Arts. 7–11. Be aware of the extra obligations if consent is your chosen legal basis. | |
| The internal data protection officer needs to understand the requirements of ongoing compliance and work on drafting, reviewing, implementing and enforcing the policies. EU member states require a representative in each country who can communicate on your behalf with data protection authorities. A data protection officer is needed if the organization: | |
Any third parties that process data on your behalf need to sign a data processing agreement that clearly outlines how data is to be transferred, stored, protected, used, and erased. | This can include email hosting, cloud services, advertising or marketing partnerships, analytics software, etc. Ensure the rights and obligations of both parties are clear. Reputable services should have a data processing agreement for review on their websites. | |
Users and customers
Requirement | Key actions | Details |
---|---|---|
Provide clear notification that you are using cookies or other tracking technologies on your website. Explain what the tracking technologies are doing and why, and what data they collect. Include this information in a Privacy Policy that’s easy to find, read, and understand. Review and update the Privacy Policy at least every 12 months. | Include the following information in the Privacy Policy: | |
Obtain individuals’ informed and explicit consent to use tracking technologies and to store cookies on their device(s). | Consent must be: Exception: These rules don’t apply to strictly necessary cookies (aka essential cookies), but there are restrictions regarding which kinds of cookies can be categorized as essential. | |
Collect and process personal data via cookies only with valid consent. | Loading: Ensure cookies are not loaded until the person has given consent. User refusal: If someone rejects cookies, no cookies can be set. But the user must still be able to use your website/access your service as much as possible without the cookie use. | |
Document and store consents received from users whose data you’re processing. | Data protection authority (DPA) audit: Comply with documentation obligations and store evidence of consent in case of an audit by data protection authorities or a data subject access request in accordance with users’ legal rights. | |
Rejecting the use of cookies or other tracking technologies must be as easy to access and use as consenting. | Easy access: It must be as easy for individuals to withdraw their consent — at any time — as it is for them to give it. External links: Linking to a separate page for opt-out is not sufficient. After opt-out: Ensure no further data is collected, processed, or forwarded from the moment the consent request is rejected or rescinded, i.e. the opt-out must also be technically linked to the cookie and, ideally, documented. | |
Ensuring consent is GDPR-compliant
For an individual’s consent to be GDPR-compliant, you need to meet seven criteria. See our article 7 criteria for GDPR-compliant consent for detailed information on those criteria and what that means for consent banners on your website.
Data protection and regulation of children’s data
Under the GDPR, you’re generally only able to process personal data for children aged 16 and older. Parental or guardian consent must be obtained for data processing requests for children under 16.
Some EU member states reduce the age limit to 13, but not all of them do. As confirming an individual’s age can be ambiguous on some websites, we recommend obtaining explicit consent from all users.
Kickstart GDPR compliance with a data privacy audit
As mentioned, the precise implementations and interpretations of GDPR vary among member states. But you’ll need to complete a full data audit before you’ll know exactly how GDPR requirements apply to your organization and customers.
Start with Usercentrics’ free data privacy audit that detects the cookies and trackers in use on your website, and can help you to see where your website might fall short of GDPR compliance.
While this audit will support your compliance efforts, it does not replace legal advice. To ensure your company’s GDPR compliance efforts are robust and compliant, we strongly recommend working with legal counsel that specializes in data protection and privacy, and appointing a Data Protection Officer.
If your company has customers in South Africa or plans expansion there, and you collect or process personal data, you need to comply with the Protection of Personal Information Act (POPIA).
POPIA received Presidential assent in November 2013. Sections of POPIA coming into effect have been staggered in the years since, with key remaining sections coming into effect on July 1st, 2020. Organizations had 12 months from that date to enact POPIA compliance requirements, and enforcement began on July 1st, 2021.
Data privacy regulations are complex.
Many businesses like yours that have struggled with POPIA compliance are finding out that working with us answers questions, relieves stress, and increases advertising revenue.
The good news is that if you are already compliant with the GDPR or LGPD, you have already done much of the work necessary to comply with POPIA.
To help you achieve POPIA compliance, follow these steps:
Step 1: Identify if your organization needs to comply
- Your business processes the personal data of people in South Africa, regardless of where your business is located.
Step 2: Create a comprehensive Privacy Policy.
- Ensure it is easy to find, read, and understand for the average user.
- Inform about who has access to personal data collected (e.g. from cookies).
- Implementation: make the information and consent preferences about data processing available in a Privacy Banner when users visit your site. A Consent Management Platform ensures that you can include all necessary information and obtain the required consents.
Step 3: Inform users about their rights.
- Inform users about the nine fundamental rights that data subjects have under Section 5 of POPIA, e.g. the right to erasure, the right to be informed, and the right to object.
Step 4: Inform users that you use cookies or other tracking technologies.
- Ensure that you inform users of your intentions at or before the point you start collecting data.
- Particularly inform users about:
- The specific purpose of the processing;
- The type and duration of the processing;
- The identity of the responsible party and their contact information;
- The shared use of data by the responsible party, and the purpose;
- The responsibilities of the agents that will carry out the processing;
- The data subject’s rights, with explicit mention of the rights listed in Section 5 of POPIA.
- Include this information in your Privacy Policy.
Step 5: Explain in the first layer of the privacy banner what your cookies or other web technologies are doing and why.
- Inform users about the purpose of each cookie or web technology separately to ensure you obtain specific and granular consent for each cookie objective. Users must have the option to grant or withdraw consent for each purpose.
- It should be stated in the first layer of the Privacy Banner.
Step 6: Obtain users’ voluntary and informed consent to store cookies on their device(s) and enable refusal of consent or adjustment of preferences in the future.
- Necessary where cookies involve the collection and processing of personal data from users (e.g. if the information can be linked to a particular individual’s identity).
- Consent must be freely given: Equal presentation and accessibility of “Accept” and “Reject” buttons. Refusing consent must be an equally accessible option.
- Consent must be easy to withdraw: in the second layer users have to have the option to withdraw their consent.
- Documented: You have the burden of proof of consent in the case of an audit.
Step 7: Collect and process data only after obtaining valid consent.
- Ensure that no cookies are loaded until users have given consent.
- Once valid consent has been obtained, you can collect and process personal data for the purposes for which you informed users (i.e. using the web technologies to which they consented).
Step 8: Document and store consent received from users.
- Comply with documentation obligations to ensure you can verify users’ consent in case of complaint or audit by South African data protection authorities.
Step 9: After opt-out, ensure that no further data is collected or forwarded.
- Ensure that from the moment of the objection, no further data is collected or forwarded. This includes declined consent from new users and updated consent preferences from existing users.
POPIA Cookie Requirements
Cookies covered by POPIA
Identifiable data is protected by POPIA. Thus, cookies and other tracking web technologies that collect data that can be associated with a natural person are subject to privacy compliance obligations under the law. This applies, for example, where the information is linked or linkable to a particular user, IP address, device, or other specific identifier.
The exception is anonymized or permanently de-identified data under Section 6, which is not considered personal data under POPIA.
Lawful Processing
Section 4 of POPIA outlines provisions for the parameters of restrictions on personal data collection and processing, how the Act applies to different population groups, and who is responsible for monitoring and enforcement.
For violations, POPIA has provisions for both monetary and carceral penalties. The maximum fine is ZAR 10 million (approx. EUR 500,000) and the maximum prison sentence is 10 years for certain responsible individuals and certain violations.
Requirements for POPIA (South Africa) | Is Usercentrics compliant? |
---|---|
Freely given and informed consent is necessary | |
The purpose has to be provided (first layer of the privacy banner) | |
The recipient has to be named (second layer of the privacy banner) | |
Withdrawal of consent has to be possible (second layer of the privacy banner) | |
Options to grant or decline consent must be equal | |
Proof that consent has been given must be stored | |
The option to give or withdraw granular consent for each data processing purpose has to be provided | |
DISCLAIMER
These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation. Please consult a qualified lawyer should you have any legal questions.
Protecting your customer data is more than just good business practice, it’s a legal requirement under the General Data Protection Regulation (GDPR).
This regulation applies to all businesses with websites and applications that collect personal data from visitors who are based in the European Union (EU), regardless of the business’ location. It exists to protect those individuals’ privacy rights and mitigate the misuse of their data.
Simply adding a cookie consent banner to your website won’t automatically equal compliance. You’ll also need to implement specific technical and organizational measures to meet the GDPR’s stringent requirements.
Fortunately, there are a number of GDPR compliance software options that will help you to do just this. We’ll take a look at some of the best solutions out there.
Our top picks for GDPR compliance software:
GDPR compliance software options
Software | Key feature | Recommended for | Price* |
---|---|---|---|
Usercentrics | Extensive database of legal templates: Over 2,200 templates to help enable compliance and save time and resources | Businesses of all sizes | From USD 60/month after 30-day free trial |
Osano | “No Fines, No Penalties” Pledge: Receive compensation of up to USD 200,000 if you receive a fine related to data privacy while using Osano | Medium-sized businesses | Custom pricing, available on request |
OneTrust | Data intelligence: Identify sensitive data and understand data risks | Large corporations | Custom pricing, available on request |
Didomi | Site scanner: Obtain a Health Score for your website to determine GDPR compliance level | Multinational companies | Custom pricing, available on request |
Cookie Information | Website and app consent management: Collect user consent across different platforms | Small businesses | From EUR 15/month |
CookieYes | Cookie Policy Generator: Create a custom cookie policy in a few minutes | Freelancers | From USD 0/month |
Borlabs Cookie | Dashboard statistics: See the past 10,000 cookie consents on your website in one place | Agencies | From EUR 49/month |
*As of July 2024
Why GDPR compliance software is a must in 2024
Failing to comply with the GDPR’s requirements will expose your business to significant risks, including hefty fines and reputational damage. Robust GDPR compliance software can help you streamline a variety of privacy compliance operations.
- Effectively handle sensitive data: ensure the proper collection, management, and protection of personal data.
- Manage data processing activities: integrates with the tools in your marketing stack to ensure consent information is obtained and communicated to control tag firing and cookie use that collects personal data.
- Support your data protection officer: Aid your data protection officer (DPO) in executing their responsibilities, with mechanisms for granular consent management, detailed consent logs, automated updates, and more.
- Map customer data: Provide clear visualizations of data flow and storage locations.
- Clearly communicate with visitors: Automate collection of information like which cookies are in use, and provide it on the consent banner and your privacy policy. All data privacy laws, including the GDPR, require companies to provide clear, comprehensive information about the data they collect, for what purposes, who may access it, and more.
Our picks of the 7 best GDPR compliance software platforms
Meeting GDPR requirements is crucial for businesses that want to protect personal data to avoid penalties, develop their privacy-led marketing operations, and build trust with their customers.
We highlight the top 7 GDPR compliance software platforms to help your business continually meet the regulation’s requirements.
1. Usercentrics

Usercentrics offers market-leading compliance software that helps enable businesses to comply with the GDPR and other data privacy regulations. Organizations in 195 countries have relied on Usercentrics to effectively manage user consent requirements since 2012.
Usercentrics is available as an out of the box solution. However, it also enables extensive customization of visual elements, data processing services, and regulatory coverage for websites, apps, and other connected platforms.
Although mastering this consent management platform’s (CMP) advanced tools may involve a bit of a learning curve, say G2 users, the end result is invaluable for building trust with users.
Key features
- Dynamic consent notices: Display banners and other notices in more than 60 languages, covering relevant regulations, to help enable compliance with local regulations (like the GDPR), based on the user’s location.
- DPS database: Over 2,200 legal templates are available to help you categorize and describe your data processing services, saving time and resources.
- EU servers: Store consent records on servers in European data centers to comply with regulatory requirements and alleviate international data transfer concerns. (Usercentrics is headquartered in the EU.)
- Granular consent management: Give website visitors and app users complete control over the data they share, which can be easily changed or revoked at any time.
- Consent storage: Document consent records over time in the event of regulatory inquiries, or to provide user consent history in the event of a data access request by a user.
Pricing
- Free trial: 30 days’ access to the Starter package.
- Starter: USD 60/month for up to 50,000 sessions with one configuration on one domain.
- Advanced: USD 175–1,150/month for 50,000+ sessions, with no limit to configurations and domains.
- Premium: Custom pricing for all Advanced features, plus premium support.
Pros | Cons |
---|---|
Provides compliance notices in 60+ languages | Analytics data only available for 90 days |
2,200+ legal templates | |
Detailed analytics and reporting | |

2. Osano
Osano software advertises numerous features that help enable GDPR compliance, including the option to use Osano as a third-party, EU-based DPO, and to assess vendor privacy risk.
Osano also offers a bold pledge to pay any fine or penalty — up to USD 200,000 — that a business incurs due to noncompliance with data privacy regulations while using its CMP. However, this only applies to customers on Premium plans or higher who have implemented products in line with Osano’s documentation.
Key features
- Data mapping: Identify potential data management risks and opportunities with an interactive map of your data.
- Data protection officers: Meet GDPR requirements with a third-party DPO based in the EU. (Osano is headquartered in the US.)
- Regulatory notifications: Get updates about upcoming regulatory and legislative changes.
Pricing
Contact Osano for a custom quote.
Pros | Cons |
---|---|
Free, self-service cookie consent available | No A/B testing |
Provides dynamically generated policies based on the location of each user | |
Easy to set up (G2 users report) | |
3. OneTrust
OneTrust comes with an extensive set of data privacy management tools for websites and apps, including cookie scanners, functionality for cookie consent management, and autoblocking functionality.
OneTrust also touts that it works with a network of lawyers and legal experts to provide relevant updates via the platform, to help enable and maintain GDPR compliance.
Key features
- Data intelligence: Identify sensitive data and understand data risks.
- Streamlined workflows: Automate repetitive tasks to save time and reduce errors in processes such as DSAR fulfillment.
- Vendor risk management: Identify and manage risks associated with vendors.
Pricing
OneTrust uses custom pricing based on user needs. Contact OneTrust for a quote.
Pros | Cons |
---|---|
In-depth support and documentation via the Knowledge Base (G2 user reviews) | Non-transparent pricing |
Includes incident and breach management | |
A system for automating compliance assessments | |
4. Didomi
Didomi provides a cloud-based CMP that offers data privacy tools, including cross-device consent management, supporting over 50 languages. While it does support multiple data privacy laws and regulations, there are no self-serve solutions, and customers must go through a consultation process. Nonetheless, G2 users praise Didomi’s customer support.
Key features
- Site scanner: Obtain a Health Score for your website to determine GDPR compliance.
- Powerful integrations: Can be easily added to your existing tech stack.
- Language support: Display banners and policies in 50+ languages.
Pricing
Pricing only available on request.
Pros | Cons |
---|---|
Based in the EU | No self-serve solution |
Robust integration framework | |
Customer support via live chat and email | |
5. Cookie Information
Cookie Information enables businesses to deploy cookie banners that comply with the GDPR, Digital Markets Act (DMA), and the California Consumer Privacy Act (CCPA). Although the platform provides its customers with cookie policies and banners that can meet the latest regulatory requirements, it lacks features such as A/B testing.
Key features
- Website and app consent management: Collect user consent across different platforms.
- Data Discovery: Find and categorize data collected and stored across your tech stack.
- Compliance check: Run a free compliance check of your website to assess compliance with the GDPR and ePrivacy Directive.
Pricing
- Essential: From EUR 15/month
- Professional: From EUR 34/month
Pros | Cons |
---|---|
Google-certified CMP partner | No geotargeting |
Personal account manager | |
Free 30-day trial | |
6. CookieYes
CookieYes aims to simplify the consent management process with a claim of “foolproof consent management” and a cookie banner that can be launched in just a few minutes. G2 users praise the platform’s intuitive interface that makes it easy to set up and manage consent banners. However, advanced features such as geotargeting are only available on the two most expensive paid plans.
Key features
- Cookie Policy Generator: Create a custom cookie policy in a few minutes.
- Cookie Scanner: Identify and categorize all cookies on your website.
- CSS customization: Use CSS coding to tailor the appearance of your cookie banner.
Pricing
- Free: USD 0
- Basic: USD 10/month or USD 100/year
- Pro: USD 20/month or USD 200/year
- Ultimate: USD 40/month or USD 400/year
| Pros | Cons |
| --- | --- |
| Banners available in 30+ languages | Geotargeting only available on the two most expensive plans |
| Available as a WordPress plugin | |
| Responsive support team (G2 user reviews) | |
7. Borlabs Cookie
A quarter of a million websites use Borlabs Cookie to display GDPR- and ePrivacy-compliant cookie banners. The platform comes with an extensive library of templates for popular services and compatibility patches for plugins, as well as automatic translation and geotargeting. However, as a WordPress plugin, this tool does not provide cross-platform consent management.
Key features
- Statistics: See the past 10,000 cookie consents on your website in one place.
- Cookie Box: Customize the layout and components of your cookie consent banner using 150+ templates.
- Powerful scanner: Scan your site, then install features from an extensive library based on your compliance requirements.
Pricing
All Borlabs Cookie plans are priced per annum and come with one year of Borlabs Service (the license needed to use the library, geotargeting, IAB TCF, scanner, translation service), free updates and free support.
- Personal: EUR 49 for 1 website
- Business – Medium: EUR 109 for 5 websites
- Agency – Small: EUR 229 for 25 websites
- Agency: EUR 499 for 99 websites
| Pros | Cons |
| --- | --- |
| Includes auto-blocking | WordPress-only plugin |
| Geotargeting | |
| Flexible pricing based on number of websites | |
Must-have features for GDPR compliance management software
To ensure your business is able to meet data privacy requirements — and help the person or team who is responsible for GDPR compliance to execute their duties effectively — your software must:
- Simplify the collection and management of user consent
- Enable granular consent collection
- Signal consent information to third-party partners, such as Google
- Provide robust data and account protection protocols for security
- Help with the identification and mitigation of compliance risks
- Meet GDPR data storage requirements
Maintain GDPR compliance with a top software solution
Understanding the capabilities of these GDPR compliance software solutions will help you to choose a platform that suits your budget and business needs and get you on a path to GDPR compliance.
Each platform that we’ve outlined in this article will help you to fulfill at least some of the GDPR’s requirements. However, if you’re looking for an all-in-one solution that helps streamline achieving and maintaining GDPR compliance, consider Usercentrics.
Trusted on over 2.2 million websites and apps by businesses in 195 countries, Usercentrics is a market-leading CMP that enables businesses to gain access to the data insights they need to bolster their marketing performance while staying on the right side of privacy law and building user trust.
The information presented in this article is provided for educational purposes only. Engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations when evaluating solutions is always recommended. This information is accurate based on these publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.
EU-WIDE REGULATIONS AND GUIDELINES
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) protects the personal data of residents of the European Union and European Economic Area. The law is extraterritorial, so it applies to organizations even if they are not located in the EU. GDPR requirements must be applied in addition to country-specific requirements, such as those for obtaining consent from data subjects (i.e. online users, customers, visitors, gamers, etc.).
Who needs to comply with the GDPR?
Any organization (not just commercial enterprises) that collects and processes the personal data of residents of the EU/EEA. Unlike in the United States, there are no thresholds for GDPR compliance, such as company revenue or the number of people whose data is processed in a year. There are some exceptions to GDPR compliance, like for journalists or law enforcement, but overall, there are few exceptions for companies and other organizations that need user data.
Legal bases for personal data processing under the GDPR
The GDPR provides six options for legal bases for processing of personal data. Consent is one of the options.
- the data subject has given prior consent to the processing of his or her personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Organizations must be able to prove the necessity and validity of their choice of legal basis. A company cannot just choose legitimate interest to avoid the resource investment required to implement consent management, for example.
However, organizations that need to obtain consent must do so in a way that complies with the GDPR’s requirements, e.g. making consent choices clear and equal. They must also be able to prove — to data protection authorities or in the event of a data subject access request — that valid consent was obtained from users, including when and for what, and to record any changes to consent information over time.
Conditions for valid consent under the GDPR
Art. 7 GDPR outlines the conditions for legally valid consent. These requirements have been influential around the world on data privacy legislation and privacy guidelines.
In short: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.”
ePrivacy Directive (ePD)
The ePrivacy Directive is considered the precursor to the ePrivacy Regulation. Passing of the latter continues to be delayed, though the ePD was significantly updated in 2009.
Colloquially known as the “cookie law”, the ePD influenced the adoption of consent banners. It addresses data privacy and protection in electronic communications and has several mandates:
- prioritizing confidentiality of communications over public networks
- requiring user consent for use of cookies and other tracking technologies
- setting guidelines for the security of electronic communication services
- regulating direct marketing practices
The ePrivacy Directive must be transposed into the national laws of EU member states; as a result, enforcement across member countries has varied.
The conditions for valid consent under the ePrivacy Directive (and eventual ePrivacy Regulation), and who is required to comply are the same as those for the GDPR.
Digital Markets Act (DMA)
The Digital Markets Act came into force in late 2022 as part of the Digital Services Act Package of regulations. Its goals are to promote fair and competitive digital markets in the EU, and to enhance privacy and protections for consumers’ personal data.
The DMA directly targets six large and influential tech companies, designated “gatekeepers”. However, for those companies to meet regulatory compliance requirements, they need to set their own compliance requirements for all the third-party organizations that rely on their platforms, e.g. for data, audience access, ecommerce, advertising, and more.
Importantly, that includes the requirement of obtaining valid user consent for collection and processing of personal data, and also signaling that consent information to the platform or service, e.g. for Google Ads or Analytics. To comply with this requirement, companies need to implement a consent management platform (CMP) that collects user consent, and then signals that information to the platforms. In Google’s case, it requires implementing a Google-certified CMP integrated with the latest version of Google Consent Mode.
DMA compliance requirements for obtaining consent align with the requirements of the GDPR and ePrivacy Directive, which are also required in the EU.
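The GDPR accountability duty described earlier (proving when and for what consent was obtained, and recording every later change) and the DMA requirement to signal that consent to Google’s platforms, as one added example that is not from the article or from any CMP vendor it lists. It assumes hypothetical CMP categories `statistics` and `marketing`, a simulated `gtag()` that records calls instead of loading tags, and a constructed six-month renewal window; only the Consent Mode v2 signal names are real.

```javascript
// Added example, not code from the article or any CMP it reviews.
// Models two obligations: (1) an append-only consent ledger that proves when consent
// was given, for what, and each later change; (2) deriving Google Consent Mode v2
// signals from the recorded choices and passing them to gtag('consent', ...).
// Category names, the ledger API and the recorder gtag() are assumptions.

// Real Consent Mode v2 storage types (the only names here taken from Google).
const CONSENT_MODE_SIGNALS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// Safe default before any interaction: everything denied, so no non-essential tag
// runs until an explicit choice exists (prior consent).
function defaultConsentState() {
  return Object.fromEntries(CONSENT_MODE_SIGNALS.map((s) => [s, "denied"]));
}

// Map granular CMP categories to Consent Mode signals. Only an explicit `true` is
// "granted"; a missing or pre-filled value stays "denied" (no pre-ticked boxes).
function toConsentModeState(categories) {
  const marketing = categories.marketing === true ? "granted" : "denied";
  return {
    analytics_storage: categories.statistics === true ? "granted" : "denied",
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Simulated gtag(): on a real page this is the function from gtag.js / GTM. Here it
// records every call so the sequence can be checked offline.
function makeGtagRecorder() {
  const calls = [];
  const gtag = (...args) => { calls.push(args); };
  return { gtag, calls };
}

class ConsentLedger {
  // `clock` returns the current time in ms; injectable for deterministic checks.
  constructor(gtag, clock = () => Date.now()) {
    this.gtag = gtag;
    this.clock = clock;
    this.events = []; // append-only: past entries are never edited or deleted
    // The default state must be signalled before any tag can fire.
    this.gtag("consent", "default", defaultConsentState());
  }

  // Record one user action and forward the resulting state to Consent Mode.
  record(action, categories, bannerVersion) {
    const event = Object.freeze({
      at: this.clock(),                              // when
      action,                                        // "accept", "update" or "withdraw"
      categories: { ...categories, necessary: true }, // for what; strictly necessary needs no consent
      bannerVersion,                                 // which texts/purposes the user saw
    });
    this.events.push(event);
    this.gtag("consent", "update", toConsentModeState(event.categories));
    return event;
  }

  // Withdrawal is just another recorded change that denies every optional purpose.
  withdraw(bannerVersion) {
    return this.record("withdraw", { statistics: false, marketing: false }, bannerVersion);
  }

  current() {
    return this.events.length ? this.events[this.events.length - 1] : null;
  }

  // Proof of consent for one purpose: the event that granted it, unless a later event
  // revoked it or the grant is older than `maxAgeMs` (the renewal interval).
  proofOfConsent(purpose, maxAgeMs) {
    const last = this.current();
    if (!last || last.categories[purpose] !== true) return null;
    let granting = last;
    for (let i = this.events.length - 2; i >= 0; i--) { // earliest contiguous grant
      if (this.events[i].categories[purpose] !== true) break;
      granting = this.events[i];
    }
    return this.clock() - granting.at > maxAgeMs ? null : granting;
  }
}

const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // constructed renewal window

// Worked run: default denied, statistics-only accept, withdrawal one day later.
function demo() {
  let t = 1700000000000; // constructed clock start (ms since epoch)
  const { gtag, calls } = makeGtagRecorder();
  const ledger = new ConsentLedger(gtag, () => t);
  ledger.record("accept", { statistics: true, marketing: false }, "banner-v3");
  t += 24 * 60 * 60 * 1000;
  const proof = ledger.proofOfConsent("statistics", SIX_MONTHS_MS);
  ledger.withdraw("banner-v3");
  return {
    calls,
    events: ledger.events,
    proofAt: proof ? proof.at : null,
    afterWithdraw: ledger.proofOfConsent("statistics", SIX_MONTHS_MS),
  };
}
```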
EU-WIDE FRAMEWORKS AND POLICIES
IAB Europe Transparency & Consent Framework v2.2
Publishers serving ads on websites or in apps in the EU/EEA or UK are now required to have the latest version of the IAB’s Transparency & Consent Framework (TCF) implemented via integration with a consent management platform (CMP).
The TCF originally set industry standards to ensure transparency with users online regarding the collection of data for targeted advertising, as well as provide them control and enable valid consent mechanisms. The framework also standardizes working with vendors, reduces data privacy risks and enables compliance with regulations like the GDPR and ePrivacy Directive.
The update to the TCF v2.2 in late 2023 addresses criticisms and is designed to better meet the needs of regulators and users. Updates include:
- only consent can be selected as a legal basis for advertising and content personalization – legitimate interest can no longer be selected
- information about purposes and features has been made more user-friendly and less “legalese”
- vendor disclosures have been standardized and expanded to include categories of data collected, retention periods, and whether legitimate interest applies
- total number of vendors used by a publisher should be displayed on the first layer of the CMP UI
- consent management platform redesign is mandatory so that users have the ability to opt out of consent
Google EU user consent policy
Google’s EU user consent policy was introduced in 2015 and is a key component in their data privacy requirements for third parties using their platforms and services for marketing, analytics, etc. The policy aligns with the requirements of the GDPR (it was significantly updated when the law came into force) and ePrivacy Directive.
Google’s EU user consent policy applies to companies that operate websites and/or apps meeting the following criteria:
- use cookies or other local storage where legally required
- collect, share, and use personal data for ad personalization
Websites or apps that serve non-personalized ads that only use contextual information are still subject to the policy if they use cookies or mobile identifiers where legally required. Organizations using third parties to collect and/or process data must also employ “commercially reasonable efforts” to ensure they comply with the policy.
The policy has four main criteria pertaining to consent. Companies must:
- obtain legally valid consent (aligned with the GDPR’s requirements)
- retain consent records
- enable revocation of consent (with clear instructions)
- identify each party involved in data handling
Noncompliance with the policy can result in suspension of access to Google’s services, or contract termination. Additionally, noncompliance with EU regulatory requirements for user consent can result in fines and other penalties.
EU COUNTRY-SPECIFIC CONSENT LAWS AND GUIDELINES
All regulations and guidelines included are currently in effect in the countries listed.
Andorra data privacy laws and consent requirements
Protected groups: Website users (or equivalent)
Relevant cookie use: All cookies and similar tracking technologies used on websites and in apps, as well as smart devices like TVs, video game consoles, voice assistants, network-connected vehicles, etc.
Consent definition: Any specific, informed and unambiguous expression of free will by which the data subject consents, by means of a statement or a clear affirmative action, to the processing of personal data concerning him or her.
Prior consent: Yes, in most cases, though that explicit wording is not used.
Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.
Cookie duration:
- session-based cookies – deleted at the end of a session (closing the browser window)
- permanent cookies – most have an expiry date for automatic deletion, the guideline does not provide a specific duration
- third-party cookies – duration depends on the party setting the third-party cookie, which is also responsible for fulfilling the requirements on its own website
- maximum storage: twenty-five (25) months is the maximum recommended time
Consent solution requirements in Andorra
- must include an opt out button on the first layer
- clear and complete information provided prior to requesting/receiving consent
- users must receive equal information about all available consent options
- pre-checked boxes in the second layer where users can make granular selections violate valid consent
- consent must be obtained through a clear, explicit, positive action, passive actions like continuing to scroll do not constitute valid consent
- use of manipulative design or other dark patterns may invalidate consent (e.g. confusing colors or interactive elements)
- there must be a simple, persistent element available for withdrawal of consent
- legitimate interest is not a valid legal basis for processing personal data collected via cookies
Austria data privacy laws and consent requirements
Protected groups: Website users
Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data. Website operators using cookies or other tracking technologies are responsible for data privacy compliance with the use of those data processing services (with some exceptions) in accordance with Arts. 4 (7) and 26 GDPR.
Consent definition: Follows GDPR consent requirements, and consent must be obtained prior to setting all “technically unnecessary” cookies. Data collected by cookies should not be qualified as personal or non-personal by default and definitions will depend on each case.
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.
Cookie duration: No explicit guidelines.
Consent solution requirements in Austria
- cookies can be grouped based on duration (e.g. session and persistent cookies) or by the domain to which they belong (e.g. first-party and third-party cookies)
- website operators can design to their preference, but consent requirements of Art. 4 (11) and Art. 7 GDPR must be followed for privacy compliance
- it must be clear to data subjects that they are giving consent; hidden consent buttons, confusing colors or other elements that are hard to find or could be selected accidentally, or other manipulative design mechanisms (“nudging” or “dark patterns”) do not constitute valid consent
- passive actions like continuing to scroll do not constitute valid consent, the consent action must be explicit and positive
- pre-checked boxes or other elements are not permitted in the banner
- consent must be voluntary and not coerced, there cannot be the threat of discrimination or disadvantage to data subjects who do not give consent, e.g. denial of access to the website
- the banner must clearly and precisely describe where and how consent can be revoked, and doing so must be as simple as giving consent
- it must be as easy to decline consent as it is to give it
- clear and complete information provided prior to requesting/receiving consent
- paying for access to a website (e.g. “pay or ok”) can be a viable alternative to consent (the current data protection authority view as there is no case law from the CJEU yet) if:
  - all data privacy compliance requirements are met
  - the price is reasonable and not prohibitively high
  - if the user accesses the website via the payment method, no personal data can be collected or used for advertising purposes
  - website operator is not an authority or public body
  - website owner does not have a monopoly position in the market
  - no content or service exclusivity that non-consenting users cannot access
Belgium data privacy laws and consent requirements
Protected groups: Focuses on privacy in device use, so not explicitly user-focused, but all users of devices from which data can be tracked/collected.
Relevant cookie use: All cookies and similar tracking technologies used on devices, so all companies doing tracking via devices
Consent definition: Follows GDPR and ePrivacy Directive consent requirements for prior consent for use of all but strictly necessary cookies (includes cookies which are absolutely necessary to provide a service that the user has expressly requested and/or to send a communication via an electronic communications network)
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, users can withdraw consent at any time, and it must be as easy as giving consent. Users should also be informed about the ability to withdraw when initially requested to provide consent.
Cookie duration: Cookies cannot be kept beyond the time necessary to fulfill the expressed purpose. No cookies can have an indefinite retention period. Cookies exempt from requiring consent must have a duration directly related to the expressed purpose for use and be configured to expire as soon as no longer needed for that purpose.
Consent solution requirements in Belgium
- the data protection authority recommends providing the ability to select granular-level consent as best practice; this ability is also a legal requirement
- cookies should be categorized according to purpose, e.g. audience measurement, statistical, etc.
- consent must be obtained through a clear, explicit, positive action, having been fully informed prior to the consent request
- passive actions like continuing to scroll do not constitute valid consent
- pre-checked boxes or other elements are not permitted
- use of browser settings to indicate consent is not valid
- cookie walls that block access to the website are not valid as they prevent consent from being freely given
Czechia data privacy laws and consent requirements
Protected groups: Data subjects, e.g. website users
Relevant cookie use: All cookies and similar tracking technologies used on websites.
Consent definition: “Consent should above all be free, specific, informed, and unequivocal. The data subject must have the simple option of not giving consent, without this implying harm for him (e.g. unavailability of website content).”
Prior consent: Yes, in most cases, though that explicit wording is not used. Consent is not required for the use of technical cookies, but that exception only applies to the storage and reading of cookies in the user’s browser.
Consent withdrawal: Data subjects can revoke consent to personal data processing at any time, and doing so must be as easy as giving consent. If consent is granted via a consent banner, for example, requiring withdrawal of consent via a different format, e.g. sending an email cannot be required. Ideally, changing or withdrawing consent should be accessible via an easy to find and use button or link.
“Consent to the processing of personal data can be revoked by the data subject at any time, and the withdrawal of consent must be as easy as giving it. In the case of granting consent via the cookie bar, it cannot be accepted that the withdrawal of consent is only possible, for example, by telephone. Ideally, there should be an easily accessible button or link on the website with which consent can be withdrawn.”
Cookie duration: The data protection authority considers a lifespan of six months to be reasonable in principle. That period can be shorter if one or more processing purposes significantly change or the website operator can no longer monitor previous consent (or rejection) preferences, e.g., due to the user deleting cookies on their device.
Consent solution requirements in Czechia
- appearance and colors of buttons must enable consent to be freely given (no manipulative design)
- cookie walls are not acceptable as they make access to functions or services conditional
- active user action is required for valid consent, e.g. clicking an “Accept” button, or closing the banner is not valid consent
- pre-ticked boxes cannot be used for valid consent
- user must be able to grant informed consent for individual purposes to individual administrators in the browser, so a list of individual cookies with their purposes needs to be clear and easily accessible to the user, e.g. via clicking a “more information” link
- third-party tags cannot be loaded until consent is given, so must be integrated into the CMP
- processing personal data with legitimate interest as the legal basis is allowed in some cases, but if the user does not consent to the storage and reading of cookies, no further processing of personal data can take place.
Denmark data privacy laws and consent requirements
Protected groups: End users of devices and technologies, including smartphones, computers, tablets, apps, SDKs, smart devices, and third-party content; children aged 15 and older can consent on their own behalf.
Relevant cookie use: All cookies and similar tracking technologies used on the listed types of devices and via relevant technologies.
Consent definition: “A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.”
Prior consent: Yes, in most cases. “Consent of the data subject(s) must be obtained before the controller starts processing the data to which the consent relates”. Only necessary cookies, e.g. those required for the website to function (e.g. shopping cart) can be set without consent.
Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy as giving it, and once consent is withdrawn, data processing must cease immediately.
Cookie duration: Not addressed, though users must be provided information about when each cookie expires.
Consent solution requirements in Denmark
- With the 2025 update, there are detailed rules for designs and interfaces to ensure that users are provided with real choice regarding consent, e.g. buttons must be equal, no dark patterns, and there is required first-layer information:
  - Who: controllers and partners
  - What: data types
  - Why: purposes
  - If third parties are involved
  - How to withdraw consent
- Users must have equal consent and rejection options in the banner, so if there is only an “Accept” button and not a “Reject” one, consent is not valid; also, granularity in consent choices is now required and “Accept all” is not compliant
- Transparency and granularity are required for consent to be considered voluntary, so sufficient information about data collected via which cookies, for which purposes, by whom, when they expire, etc. must be clear and accessible
- Pre-ticked boxes cannot be used for valid consent
- A click-through (consent is assumed if the user continues to use the website without actually interacting with the consent banner, for example) is not considered valid consent
- “Nudging” or other manipulative design tactics/dark patterns cannot be used for consent to be considered “freely given” and valid
- It must be as easy to reject consent as to give it, and it must be possible to opt out of all data processing/cookie use.
- If a company wants to use a cookie wall, but a user does not want to consent to the processing of their data (to get access to the website), the company must provide a reasonable alternative to the user, such as access for a moderate fee (that still enables real choice) or access to similar functions or services
- If offering the choice between consent to data processing and an alternative, the necessity of the consent request (the data and use purposes) must be demonstrable (so that it is reasonable for those not to be included if the user chooses the alternative)
- If the user chooses not to consent to data use, but to access the functions or services account creation is needed, the company can process the personal data that is necessary to manage the user profile and provide the service in question, but no more
Finland data privacy laws and consent requirements
Protected groups: End users, e.g. for websites and apps
Relevant cookie use: This applies to cookies and similar technologies used by service providers when creating and operating websites or other electronic communications services, like mobile apps.
Consent definition: “Any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent.” The conditions for valid consent are the same as for the GDPR.
Prior consent: Yes, in most cases. Consent is not required for “essential” cookies, but it’s recommended to include information about them and their use. Essential uses for cookies include:
- enabling the website to function correctly, e.g. shopping cart
- if the sole purpose of storing or using the data is to carry out the transmission of a message in communication networks
- storing and using the data is necessary for the service provider to provide a service that the subscriber or service user has specifically requested
- if analytics cookies are categorized as strictly necessary for the provision of the service in question, the service provider must be able to provide clear justification for the procedure and ensure that the user’s privacy is protected, e.g. ensuring data collected through analytics is not shared with third parties or that individual visitors cannot be identified
Consent withdrawal: Changing or withdrawing consent (or refusing it in the first place) must be as easy to do as giving it.
Cookie duration:
- Session-specific cookies – stored on the user’s device only during the use of the site or service, removed when the browser is closed. Can enable ecommerce, for example, wherein the site can “remember” user activity for a short time.
- Permanent cookies – stored on the user’s device until the time specified for each cookie or until the user manually deletes them. Can “remember” user preferences for the site, like language or login credentials for a longer period of time.
Consent solution requirements in Finland
- Cookies may not be set on the user’s device, e.g. browser, until the user has given valid consent. Consent via browser settings is not considered valid as they may not be configured or configurable to the user’s preference.
- Consent must be an active expression of will, so it is not valid if you silence it, ignore consent requests/options, or do not take action.
- Consent must be freely given, so pre-ticked boxes, activated sliders, etc. cannot be used.
- Service providers must clearly inform users about the cookies or similar tracking technologies they use, the types, purposes of use, and duration of operation, and ask for your consent to store and use the information.
- The service provider is responsible for requesting consent and doing so in a compliant way. The consent request mechanism should include at least the following information:
  - clear and thorough explanation of what cookies and other tracking technologies are in use and what data they collect
  - clear and thorough information about the purpose of the cookies in use and their period of duration
  - whether any third parties may process cookie data (and who those parties are and what the purposes are)
  - access to more detailed information, e.g. privacy policy
France data privacy laws and consent requirements
Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition:
- Uses the GDPR definition.
- While lack of explicit action cannot be construed as consent, silence can be construed as explicit denial of consent.
- Pre-ticked boxes cannot be construed as valid consent.
- Cookie walls cannot likely be used to obtain valid consent due to the likelihood of infringing on the user’s consent freedom, but they are not universally prohibited.
- Companies need to be able to prove valid consent at any time.
Prior consent:
- Yes, “before any action aimed at storing information or accessing information stored in the equipment terminal of a subscriber or user, apart from the applicable exceptions”
- References the GDPR and ePrivacy Directive regarding valid consent and the requirement to clearly and comprehensively notify users prior to collecting data.
- Essential cookies/trackers do not require consent, but their use must be strictly limited; they include audience and performance measurement, detection of navigation issues, technical optimization, etc.
Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy to do so as it was to give it. It also must be as easy to deny consent initially (e.g. same action or number of steps) as to give consent.
Cookie duration:
- CNIL recommends consent renewal every six months for publishers.
- CNIL recommends that the lifetime of the trackers should be limited to a duration allowing a relevant comparison of audiences over time, as is the case for a 13-month period.
- Tracker duration should not be automatically extended for new visits.
- Information collected through trackers should be kept for a maximum period of 25 months.
Consent solution requirements in France
- Clearly and accessibly include all purposes with short descriptions, categorized, including for personalized advertising, geo-specific advertising, sharing on other social platforms, etc.
- Recommended to provide accept and reject buttons on the first layer of the consent banner.
- Dark patterns cannot be used to manipulate user actions.
Germany data privacy laws and consent requirements
Protected groups: Focuses on privacy regarding end user devices, so any computer, phone, etc. users on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition:
- Uses the GDPR definition.
- If personal data is not processed, the GDPR does not apply, but the TTDSG still does.
Prior consent: Yes, in most cases, with conditions.
- GDPR and TTDSG consent can be “bundled” with a single button click (accept or reject). However, for consent to be valid (e.g. device access and data processing for marketing purposes) users must be informed about the two distinct consent requests: access (under the TTDPA) and processing (under the GDPR).
- There are two exceptions that allow accessing data without consent: if a message is transmitted via a public telecommunications network, or if the user desires the service. Legitimate interest under Art. 6 para. 1 lit. f GDPR is not sufficient under the TTDSG.
Consent withdrawal: Required, and should be as easy to withdraw as it is to give consent.
Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.
Consent solution requirements in Germany
- Bundled consent for the GDPR and TTDSG is acceptable, but the user must be informed about both distinct consent requests.
- The legal basis for data collection/processing must be communicated to users.
- If the banner’s “accept” option is placed on the first layer, all data collection/processing purposes must also be stated in the first layer. However, granular consent choices do not have to be provided in the first layer.
- It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e., in the banner. Browser settings changes are not enough, and dark patterns cannot be used to obtain consent.
- Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
Greece data privacy laws and consent requirements
Protected groups: Focuses on the privacy of end users’ devices, i.e. any computer, phone, etc. on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc., even if personal data is not collected.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases.
- Consent is not required for trackers that are necessary for the website to function, or if it’s a service explicitly requested by the user, for example:
  - identifying and/or maintaining content or user-provided information for the duration of the session (e.g. shopping cart)
  - connection to services that require prior authentication
  - security
  - load balancing
  - user preferences for website appearance and experience, e.g. language, search history, etc.
- Browser settings that allow the use of cookies are not considered consent.
- If the user does not make a choice, no non-essential cookies should be used.
Consent withdrawal: Yes, consent can be withdrawn at any time, and it must be as easy to do so as to give it. It also must be as easy to deny consent initially (e.g., the same action or number of steps) as to give consent.
Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.
Consent solution requirements in Greece
- Accepting or rejecting the use of non-essential cookies or trackers must require the same amount of effort or number of clicks (e.g., you can’t enable accepting on the first layer of the banner but rejecting only on the second layer). Not giving users a reject option is not valid consent.
- Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
- Users who deny consent cannot be penalized in their website experience.
- Dark patterns/nudging are prohibited.
- The consent banner should reappear after the same period of time regardless of whether the user consented or rejected, e.g. if users who consent see the banner again to renew consent after 12 months, then users who reject consent can also only see the banner again after 12 months, and not sooner.
Ireland data privacy laws and consent requirements
Protected groups: Focuses on the privacy of end users’ devices, i.e. any computer, phone, etc. on which companies use trackers.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition, and also ePrivacy Directive definition: “The law applies to any storage of information on a user’s device or equipment, as well as to access to any information already stored on the equipment – this means through the use of browser cookies or other technologies such as device fingerprinting or the use of pixels or similar devices. It is irrelevant whether the information stored or accessed consists of, or contains, personal data. The ePrivacy Regulations apply when any information is stored on or accessed from the device.”
Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.
Consent withdrawal: Required, users must be informed how they can withdraw consent, and should be as easy to withdraw as it is to give consent. Also cannot be bundled, e.g. with terms and conditions.
Cookie duration: Six months for cookie use requiring consent. For other cookies, lifespan should be proportional to their purpose and no longer than necessary to fulfill the purpose.
Consent solution requirements in Ireland
- As the six-month expiry requirement for some cookies is shorter than the common 12-month default, the configuration in the CMP needs to be updated.
- It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e. in the banner. Browser settings changes are not enough. Dark patterns/nudging to obtain consent cannot be used, nor can pre-checked boxes, etc.
- A banner that only displays an “Accept” option does not enable valid consent.
- A “Manage cookies” button, for example, could be used with an “Accept” button if the “Manage cookies” button immediately takes the user to a layer of the banner where they can directly accept or reject granular cookie category usage.
- Users must be provided with information to reject non-essential cookies and/or request information about cookie use. The banner’s second layer must include information about the types and purposes of cookies used and third parties that will have access to/process the information the cookies collect.
- Users must have easy access to the privacy notice or policy, which must not be obscured, i.e. users must not have to make consent choices before they can access that information.
- Implementing accessibility best practices in the design and implementation of the consent banner is recommended.
- Having a specific cookie policy is recommended, while not explicitly required.
Italy data privacy laws and consent requirements
Protected groups: Focuses on the privacy of end users’ devices, i.e. any computer, phone, etc. on which companies use trackers.
Relevant cookie use: “all the entities providing their users with publicly accessible online services through electronic communications networks or else operating websites that rely on cookies and/or other tracking tools”
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.
Consent withdrawal: Required, as is the ability to modify consent choices or to give consent after having rejected it. It must be provided in a simple, easy, and user-friendly way that is accessible via the website footer and as easy as giving consent.
Cookie duration: Not explicitly referenced, recommended to err on as short a period of time as is necessary to fulfill the purpose of the specific cookie type and/or processing operations.
Consent solution requirements in Italy
- “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
- Users should be able to close the banner (i.e. via clicking the “X” at the top right of the banner UI) to maintain default settings and not provide additional consent. As a result, this should enable only essential cookies and does not provide consent for use of any others.
- Users must be notified about the use of cookies, including those that can be used without consent (i.e. “technical” ones).
- A link to the privacy policy must be easily accessible, or it should be included in the second layer of the banner.
- Users must be able to select the cookie functions and/or third parties with access to their data at a granular level. These services and vendors in use must be kept up to date.
- Use of pre-checked boxes is not allowed.
- Use of cookie walls is not allowed as the requirement to accept all cookie use or not gain access to the website is not valid consent.
- Continued scrolling by the user (e.g. ignoring the consent banner) does not constitute valid consent.
- New consent must be obtained from users if the purposes for requesting consent change or if previous consent choices cannot be detected when the user revisits the website (e.g., they cleared their settings).
Latvia data privacy laws and consent requirements
Protected groups: Users who use services and whose data is collected on websites, etc.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.
Consent withdrawal: This is required. Users must be informed how they can withdraw consent, and it should be as easy to withdraw as it is to give consent.
Cookie duration: “There is no specific time limit for how long consent is valid. The length of time consent is valid depends on the context, the scope of the original consent and what the data subject expects. If the processing activities change or evolve significantly, the original consent will no longer be valid. In that case, a new consent must be obtained.”
Consent solution requirements in Latvia
- The first layer of the banner should include:
  - name of the controller (unless provided in other areas of the website like the “About” section or Contact Us page, etc.)
  - purposes of cookies used on the website
  - whether cookies in use are first-party only (controller) or third-party
  - types of data collected and used
  - where user profiling is carried out (e.g. analytical cookie use)
  - how users can accept, reject, or change consent for the use of cookies
  - a clearly visible link to the second layer, which contains more detailed information
- Users must be provided with granular information and options regarding cookie use purposes (so not necessarily for each specific cookie).
- There can be no risk of negative consequences if users decline cookie use.
- Users must be able to accept or reject all cookies or make choices at a granular level, and must have easy access to comprehensive information about the cookies in use, their purposes, etc., as well as easy access to the cookie and privacy policy.
- User-facing language must be clear and simple.
- All options must be visually equal and accessible; nudging and dark patterns are prohibited.
- Ignoring, scrolling, or closing the consent banner without making a consent choice cannot be construed as accepting cookie use, and no cookies except strictly necessary ones can be used.
- Browser settings are not considered valid consent (per GDPR guidelines).
Netherlands data privacy laws and consent requirements
Protected groups: Users of websites, or equivalent, e.g. apps, etc.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases. Consent can be provided in writing, by ticking a box, clicking a button or link, filling out an electronic form, sending an email, providing an electronic signature or scanned document with a signature, or verbal consent.
Consent withdrawal: Yes, and it has to be as easy to withdraw consent as it was to give consent.
Cookie duration: No explicit time period is provided, but users must be notified about the duration of all cookies set.
Consent solution requirements in the Netherlands
- The guidelines divide cookie types into Functional, Analytical, and Tracking. Users must be provided with information about the use of cookies in these categories.
- Pre-checked boxes, use of cookie walls, and manipulating users into consenting (e.g. dark patterns, nudging, etc.) are all prohibited.
- Ignoring the consent banner and continuing to scroll/browse or closing the banner without making a consent selection cannot be construed as having given consent.
- Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
- Website operators must maintain consent records and be able to prove consent was obtained, when, how, and what information they received before making consent choices, etc.
Spain data privacy laws and consent requirements
Protected groups: Users of websites, mobile applications, or other platforms. (Contractual agreements are also required with third parties.)
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition.
Prior consent: Yes, in most cases. Cookies used for the purpose of obtaining traffic or performance statistics may be exempt from consent requirements under specific conditions:
- use is limited to what is strictly necessary for the provision of the service
- processing must be carried out exclusively on behalf of the publisher and used only to produce anonymous statistical data
- use of these cookies/trackers must not result in data being matched with other processing operations or transmitted to third parties
- aggregate tracking of the navigation of the person using different applications or browsing different websites is prohibited
Consent withdrawal: Required, at any time, as easily as it is to give consent, and users must be provided with information on how to do so.
Cookie duration:
- Duration or lifetime of cookies or similar technologies must be limited to a period that allows meaningful comparison of audiences over time, e.g. 13 months. Duration cannot automatically be extended if users make new visits to the site.
- Information collected via cookies or other tracking technologies will not be retained for more than 25 months. (Best practices state no more than 24 months.)
- Lifetime and retention periods will be subject to periodic review to limit them to what is strictly necessary.
Consent solution requirements in Spain
- Consent options must be presented equally, at the same time, in the same place, e.g. on the same level of the consent banner.
- Ignoring or closing the consent banner, scrolling, taking no action, or any other non-explicit action cannot be construed as valid consent.
- Use of pre-checked boxes, other default opt-ins, or cookie walls that block access to the website unless the user consents are prohibited.
- Users must be able to consent at a granular level to cookie purposes. If a cookie is used for two purposes but the user only consents to one, the cookie can only be used for the consented purpose.
- Users must be provided with information about the use of cookies and similar technologies – purpose, duration, third parties with access to the data, etc.
- The first layer of the consent banner must present essential information and be displayed when users access the page or application:
  - identify the managing website editor/name of the publisher
  - purpose of the cookies in use
  - if cookies are owned by the website provider (or comparable) or are set by third parties
  - types of cookies and types of data that will be collected and used
  - options to accept, set up/configure, or reject cookie use
  - link to a second information layer to access more detailed information
- The second layer must contain more detailed information:
  - more specific information about the cookies in use, purposes, third-party access, etc.
  - control panel or settings panel with info about how to save the selection
- If cookies in use, purposes, or other factors affecting consent change, the user must be given the opportunity to provide or reject new consent.
- Language must be simple and clear.
- Dark patterns/nudging are prohibited.
Sweden data privacy laws and consent requirements
Protected groups: Users of websites, mobile applications, etc.
Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.
Consent definition: Uses GDPR definition, and granular consent options for specific purposes are required.
Prior consent: Yes, with no exceptions for necessary cookies.
Consent withdrawal: Yes, and it must be as easy as giving consent. Users must also be provided clear information on how to withdraw consent or otherwise change preferences. Revoking consent cannot have negative consequences for users, e.g., no longer being able to access the website.
Cookie duration: No explicit time period provided.
Consent solution requirements in Sweden
- Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
- Consent language must be clear and explicit, e.g. “I understand” is not the same as “I accept”.
- New consent options must be provided to users if the purposes for cookie usage change.
- Users must be provided with clear information about cookies in use, purposes, duration, third-party access to data, etc.
- The use of pre-checked boxes is prohibited.
- Cookie walls that block or restrict access to a site unless the user gives consent are prohibited.
- Scrolling, browsing, ignoring the consent banner or closing it cannot be construed as valid consent.
NON-EU COUNTRY-SPECIFIC CONSENT LAWS AND GUIDELINES
Norway data privacy laws and consent requirements
Protected groups: Website users.
Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data.
Consent definition: Follows GDPR definition and requirements. Storage and processing of information is not permitted unless the user is informed about, and has consented to, which information is processed, the purpose(s) of the processing, and who processes the information.
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, at any time.
Cookie duration:
- Session-based cookies: deleted after the end of the session, i.e. when the user closes the browser.
- Persistent cookies: not deleted after the end of the session and often contain information about authentication, language settings, and menu selections. Most permanent cookies have an expiry date when they are automatically deleted after a certain period. However, the guidelines do not set a specific expiration date.
- Third-party cookies: can be session-based or persistent, but they’re set by someone other than the website operator. Their duration is dependent on the third-party vendor, who is also responsible for providing relevant information about their cookies’ use, their identity, duration, etc.
Consent solution requirements in Norway
- Users must be informed about and be able to consent to cookie use at a granular level.
- A consent banner or other consent solution must be clearly accessible on the site and clear about what it’s for.
- Pre-checked boxes are prohibited. No guidelines on the use of cookie walls.
- Scrolling, ignoring, or closing the consent banner without making a consent action cannot be construed as the user having given consent.
- Browser settings to accept cookies are considered valid consent.
Switzerland data privacy laws and consent requirements
Protected groups: Swiss citizens.
Relevant cookie use: Yes, in some cases when personal data is collected and processed, and also if data is transferred across international borders.
Consent definition: Uses GDPR requirements.
Prior consent:
- Yes, in some cases. However, it is not always necessary to obtain consent from users before collecting or processing personal data. Though there are other legal bases, it is always necessary to inform users about the controller and the processing.
- Prior consent is always required for processing:
  - of sensitive data
  - for high-risk profiling by a private person
  - for profiling by a federal body (government)
  - with data transfers to third countries where there is not adequate data protection
Consent withdrawal: Yes, at any time.
Cookie duration: There are no explicit guidelines, but data must be deleted or anonymized when the processing purpose has been fulfilled.
Consent solution requirements in Switzerland
- Uses the principles of “privacy by design” and “privacy by default” by law, requiring companies to take data processing principles into account in the planning and design stages of websites and applications (and not just seek to secure and protect data retroactively).
- Default browser settings and similar mechanisms are not considered valid for consent for more processing than is absolutely necessary.
- Consent must involve an explicit action, e.g. checking a box.
- Consent banners are not legally required, but users must be clearly notified about whether a legal basis is required for data collection and processing and about the parties involved, and a user-friendly consent mechanism must be provided where data processing requiring consent takes place.
United Kingdom data privacy laws and consent requirements
Protected groups: Individuals whose personal data is processed.
Relevant cookie use: The cookie rules apply to the subscriber or user’s “terminal equipment” e.g. computer or mobile phone. The subscriber is the person who pays the bill for the use of an online service, and the user is the person who uses a device to access an online service.
Consent definition: Uses GDPR definition and requirements.
Prior consent: Yes, in most cases.
Consent withdrawal: Yes, users must be able to withdraw consent at any time as easily as they gave it, and receive information about how consent can be withdrawn, and how cookies already set can be removed.
Cookie duration: There are no explicit guidelines, but it will depend on the service and the purpose of the processing for the data the cookie collects (and for which user consent is required). It should be limited to the minimum time necessary to fulfill the purpose of processing. Cookie duration may also affect exemptions in Regulation 6(4).
Consent solution requirements in the UK
- Users must be given clear and equal access to all consent choices. Dark patterns or nudging are prohibited (as is denying the option to reject cookies entirely).
- Users should have access to information about cookie use and the opportunity to make consent choices as soon as they arrive on the website.
- The privacy policy or notice must include full details about data collection and processing, third-party access, and other relevant details. It should be easily accessible via a prominent link in the site’s header or footer.
- Use of pre-checked boxes is prohibited.
- Inactivity, scrolling, ignoring, or closing the consent banner cannot be construed as valid user consent.
- Users cannot be penalized for rejecting consent, e.g. lack of access to the website or features.
- Browser settings do not constitute valid consent.
- Consent cannot be bundled into terms and conditions or other documentation.
- Cookie walls are not prohibited, but they must comply with GDPR standards. For example, users cannot be blocked from the site unless or until they give consent.
The Transparency and Consent Framework (TCF) version 2.0 of the Interactive Advertising Bureau (IAB Europe) has been officially in force since 15 August.
The TCF 2.0 was intended to finally introduce a technical market standard that defines the retrieval and transmission of a user’s consent signals between publishers and third parties who have joined the framework (such as Google, Criteo, or Taboola).
While some players in the digital advertising industry are celebrating the framework as a long-awaited standard to harmonize a heterogeneous market, critical voices are gradually becoming louder. But what exactly has happened?
According to the Belgian data protection authority, TCF 2.0 violates the GDPR
Only recently, the Belgian data protection authority (APD-GBA) published the preliminary results of a study on TCF 2.0 with a knock-on effect. The central message was that, in their opinion, TCF 2.0 violates several points of the General Data Protection Regulation (GDPR). The report states:
The accusation that the TCF 2.0 makes the processing of especially sensitive data such as health data, information regarding sexual orientation etc. technically possible for advertisers in Real Time Bidding (RTB), with or without the user’s permission, weighs particularly heavily.
What does the IAB Europe say?
In response to the report, IAB Europe has already published a statement challenging the Belgian data protection authority. IAB Europe points out that these are only preliminary findings without any legal effect.
IAB Europe also noted that although TCF 2.0 is a voluntary standard, it was developed in cooperation with European data protection authorities.
Source IAB: https://iabeurope.eu/all-news/iab-europe-comments-on-belgian-dpa-report/
To summarize, there is currently a lot of discussion on which TCF 2.0 CMP implementations are compliant and which aren’t. As the market is currently very dynamic, it remains to be seen what standards will prevail.
End-user License Agreements (EULAs) are among the most frequently accepted yet least-read contracts in the digital world. These agreements play a crucial role in defining the terms and conditions under which users can access and use software. Yet, despite their importance, many users skim through them or accept them without a thorough understanding.
We demystify EULAs, explaining what they are, why they are essential, and how they can protect both software developers and users.
Understanding EULAs is essential for both consumers and software providers. For users, it’s about knowing their rights and obligations when using a piece of software. For developers, it’s about safeguarding their intellectual property and minimizing legal risks.
What is a EULA?
EULA stands for End-user License Agreement, and it’s a legally binding contract between a software provider and the end user that gives the individual or company the right to use a piece of software in a specific manner.
However, EULAs do not grant ownership rights to the software. The creator retains control and ownership rights, as the software is their intellectual property.
In the physical world, this type of license is akin to the use of a state or national park. These spaces are created and protected by governments. People pay a fee to use them for hiking or camping purposes and agree to abide by the rules. If people break those rules, they lose access to the park and may be fined for damages.
Is a EULA the same as “Terms of Use” or “Terms of Service” (ToS)?
A EULA is not the same as Terms of Use or Terms of Service (ToS), although both are legal agreements between providers and users.
EULAs specifically pertain to software usage, focusing on licensing terms, intellectual property rights, and usage restrictions. They typically apply to software that individuals or companies install or access on their devices.
In contrast, terms of use or terms of service are broader agreements covering a wide range of online services, including websites and platforms. ToS outline general rules for service usage, user behavior, privacy policies, and dispute resolution.
While EULAs are software-centric, ToS apply to various online interactions and services. Both documents serve important legal purposes but differ significantly in their scope, content, and application contexts.
What is the difference between an SLA and a EULA?
Although they might seem similar as they are both contracts related to software usage, EULAs and Software License Agreements (SLAs) serve different purposes and audiences.
EULAs are designed for individual users, focusing on software usage guidelines and protecting the vendor’s interests. They typically involve simple click-through acceptance, and the vendor retains full ownership.
SLAs typically cater to businesses, covering broader terms including deployment, maintenance, and support. They often involve negotiations, formal signatures, and may allow for more flexible ownership arrangements.
Ultimately, EULAs are generally simpler and standardized, while SLAs tend to be more detailed and customized, often including performance metrics and specific business terms.
Who needs a EULA?
A EULA is not necessary for all companies. Typically, the creator or licensor of a software product should implement a EULA if they want to:
- retain control over their technology
- be protected from possible misuse of the product
- make money from licensing the software
This could apply to either an individual or a company, though in many cases it’s a company looking to cover its legal bases.
A EULA can help protect the software creator on two fronts. Primarily in their agreement with the end user, but also in relationships with third parties, like app platforms, through which the software is accessed. It protects your ownership rights, licenses your software effectively, restricts undesirable use, limits your liability, and safeguards your intellectual property.
Evolution of EULAs
Previously, EULAs were “shrink-wrap” licenses, requiring consumers to purchase and open software packaging to access the EULA. This posed legal issues, as consumers couldn’t read the EULA before purchasing software.
Today, software is typically downloaded or used online, with consumers required to agree to the EULA before installation by clicking an “agree” button. Often, a link to the EULA is provided, and completing the transaction implies consent. In some cases, the user is required to scroll down to the bottom of the page before the “agree” button is enabled, slightly raising the odds that they read the contents of the agreement.
With software moving online, the EULA is now called a “click-wrap” license. If consumers do not agree, they cannot use the software or complete the purchase.
Is a EULA required by law?
A EULA is not legally required. No law mandates software developers or publishers to provide an End-user License Agreement.
However, while not legally mandatory, having a EULA is highly recommended because it protects the ownership rights of your software, provides legal protection, limits your liability, and helps prevent copyright infringement.
This is because a EULA is a legally enforceable contract between you and the end user and can protect your intellectual property and copyright. Once the user gives consent, it’s as if they are entering into a contract with a software vendor.
Advantages of using a EULA
EULAs are essential tools for software developers and publishers, offering a range of benefits that protect their interests while setting clear expectations for users. Some key advantages of using a EULA are:
- protects intellectual property rights by defining ownership and usage terms
- limits liability for the developer or publisher in case of software issues or damages
- clarifies the relationship between developer and user, outlining their rights and obligations
- enables developers to set usage restrictions and enforce licensing compliance
- provides legal clarity, reducing misunderstandings and disputes
- gives users a clear understanding of the software’s terms and conditions before use
- protects against unauthorized copying, modification, or distribution of the software
- enables developers to specify update and maintenance terms
When should you use a EULA?
To put it plainly, if your software is made available for public use, you should use a EULA to protect your company and define user responsibilities.
However, generally speaking, there are a few specific instances you should implement a EULA:
- To limit infringement: A EULA restricts users from replicating, reverse engineering, or distributing your software, thereby protecting your intellectual property.
- To limit liabilities: It limits your liability for any damages or issues arising from the use of your software, which is crucial for new products that may have undiscovered bugs.
- To provide control: A EULA enables you to set specific terms for software usage, such as personal or commercial use, and geographic restrictions. It also gives you the power to revoke the license if terms are violated.
- For legal protection: It establishes a legally binding contract that can be enforced in court, ensuring that users are aware of and agree to the terms before using the software.
- To manage user expectations: By including disclaimers and warranties, a EULA helps manage user expectations regarding software performance and limits your responsibility for any issues.
What components should be included in a EULA?
The main goals of EULAs are for the creator/licensor to retain full ownership of their product, and to prevent legal issues from arising. To make this a reality, a EULA must include certain core components, and then it can have additional elements depending on the software or product.
Core components of a EULA
- Definitions: This section provides clear explanations of important terms used throughout the agreement to ensure both parties understand the terminology.
- License grant: The license grant specifies the scope of the license, including whether it is personal, commercial, perpetual, or time-limited, and outlines the usage rights and restrictions for the end user.
- User obligations: User obligations outline acceptable use policies and prohibited activities, ensuring that the end user understands what is and isn’t allowed when using the software.
- Warranty and liability: The warranty and liability section includes limitations of liability, an “as is” clause, and a disclaimer of warranties, clarifying that the software is provided without guarantees and limiting the licensor’s responsibility for any issues.
- Termination clauses: Termination clauses specify the conditions under which the license can be terminated and the consequences of such termination, including the end-user’s obligations upon termination.
- Governing law: This identifies the laws of the jurisdiction that will govern the agreement, providing clarity on the legal framework applicable to the EULA.
Additional elements of a EULA
- Privacy policy: The privacy policy section details the data collection, usage, and storage practices, informing the end user about how their personal information will be handled.
- Updates and support: This outlines the policy on software updates and maintenance, including whether updates are mandatory and what support services are available to the end user.
- Site licenses: Site licenses enable users to purchase licenses for multiple installations, typically within a single organization, and specify the terms for such arrangements.
- Infringement acknowledgment: This addresses copyright infringement, stating that the end user acknowledges the licensor’s rights and agrees not to infringe upon them.
- Software information: This section provides detailed identification of the licensed software, including version numbers and any specific features or modules covered by the license.
- Start date: The start date specifies when the license becomes effective, ensuring both parties know the exact commencement of the agreement.
- Separation of components: Separation of components clauses address the use of individual software components, clarifying whether they can be used independently or only as part of the whole software package.
- Miscellaneous provisions: These include additional clauses such as severability and entire agreement statements.
By including these core components and relevant additional elements, a EULA can provide a comprehensive legal framework for software usage, protecting both the licensor’s and the licensee’s interests.
How to create a EULA?
Creating a EULA for your software or application can be approached in several ways. The easiest and fastest method is to use a EULA generator. These tools enable you to create a customized EULA by answering questions about your app and business and are often backed by legal teams to help ensure comprehensive coverage of necessary clauses.
Another option is to use a template as a starting point. This method can be suitable for simple apps that only require a basic EULA. However, be cautious to ensure that all necessary elements are included and that the language is appropriate for your particular software and jurisdiction.
For those with legal knowledge or who want full control over the content, writing your own EULA is an option. But this approach requires a thorough understanding of the essential components and legal implications of such agreements. And it’s crucial to include key sections, such as licensing and restrictions of use, termination clauses, limitation of liability, disclaimers of warranties, and copyright infringement policies.
Regardless of the method you choose, it’s important to ensure that your EULA is clear, concise, and easily understandable. Avoid using complex legal jargon and make sure it covers all necessary aspects of your software’s usage and licensing.
Where to display a EULA?
Users need to agree to a EULA before they purchase software or an app and begin using it. Therefore, there are two moments during which you can display a EULA:
- Before a person downloads or installs your software: This is the most common and recommended approach. You can display it on your product’s download page, in the app store listing before purchase or download, or during the installation process, before the software installation is completed.
- After downloading or installation: You can also display a EULA when the application first launches or within the application’s settings or “About” menu.
What happens if a EULA is violated?
If a user violates a EULA, this can lead to several serious consequences.
One of the most immediate repercussions is the termination of the software license, which means the software provider can revoke a license, cutting off access to the software and any associated services.
Legal action is another possibility. The provider can initiate legal proceedings against an individual, seeking damages or injunctions, which can result in hefty fines and legal costs.
Financial penalties are also a possibility, and individuals may be required to pay for any damages caused by the breach, including compensation for lost revenue.
In severe cases, especially those involving piracy or unauthorized distribution, a person can face criminal charges, potentially leading to imprisonment.
The EULA’s limited scope
It’s worth noting that EULAs aren’t all benefits and there can be downsides. EULAs are intended to establish users’ responsibilities, but users aren’t given choices about those terms. EULAs also lack contract specifics, like addressing identifiable buyers or specifying a time frame for purchase. They may also be contrary to federal or state laws.
For example, if a user copies and sells a company’s software, a common violation of EULA terms, the company can seek recourse. The license to use the software can be revoked. The user’s account could be locked down, preventing access. The company can also sue for damages.
However, even if the user’s license to use the software has been revoked, the user could retain access to certain assets that they created using the software, like images or video.
Can a EULA be bad for users?
Some terms of EULAs can be of concern regarding user privacy. Some software includes monitoring for Digital Rights Management (DRM) violations or requires the user to agree to automatic monitoring. Both of these require the software to access users’ systems and enable the software to connect with third-party networks, commonly without notifying the user. Typically, users don’t have a way of knowing how secure those third parties’ systems are, how much user data they can access, or what they might do with it.
In addition, some EULA agreements enable software from third parties to be downloaded onto users’ devices without requiring separate agreements or consent.
Lastly, certain EULA terms preclude users from publicly criticizing the product. This can mean that the user can’t complain publicly if the software doesn’t work or causes damage, thus skewing online reviews and misleading potential customers.
Understand EULAs to protect your software
EULAs are so common in our online work and life activities that we rarely think about them. But they have significant implications in people’s use of software, and can also be at odds with privacy rights and the law. Understanding how EULAs are constructed, and for whose benefit, can enable people to be more educated consumers.