
Google’s requirements for its customers in 2024, including the use of Consent Mode v2, introduce yet another layer to an already tall stack of user privacy requirements. This can be daunting for businesses that need to comply but don’t necessarily have a significant amount of time, money, or expertise to invest in doing so.

Fortunately, many of Google Consent Mode’s requirements overlap with those of the General Data Protection Regulation (GDPR), Digital Markets Act (DMA), and others, so meeting its criteria can move you toward privacy compliance with multiple regulations.

Adhering to the rules that require the use of Google Consent Mode will help ensure that you can still collect and use valuable customer data and retain access to all of the Google services features your business relies on, while operating with transparency and building trust with your users.

This in-depth guide will help you better understand what Google Consent Mode is, what Google’s requirements mean for your business, and how you can best meet those requirements in a way that enables your continued success.

The latest version of Google Consent Mode was designed to enable websites to communicate users’ cookie consent choices to various Google tags that help measure website and advertising performance.

The tool was initially used primarily for anonymized data tracking. However, its intent and use have evolved, and today Google Consent Mode v2 functions more as a signaling tool.

“Google Consent Mode allows websites to adjust the Google tag behavior based on user consent for ads and analytics, ensuring compliance with laws like the DMA. It dynamically manages data collection, using signals that can employ data modeling to fill gaps when consent is denied. Let’s use the cookie banner as an example: When a user visits a website, a cookie banner asks for consent to use cookies and based on the user’s choice, Consent Mode will adjust the behavior of Google tags.”


Following the latest updates, website operators can continue to meet compliance requirements, integrate systems, and respect users’ consent choices automatically with a consent management platform (CMP) like Usercentrics CMP, which comes with Consent Mode integrated, or directly with the global site tag (gtag.js) or Google Tag Manager (GTM).

A user’s consent choices, recorded in the CMP, determine whether Google collects and processes their full data or anonymized data that can’t personally identify them.

One of the primary reasons to use Google Consent Mode v2 is to achieve or maintain compliance with global data privacy regulations, including the General Data Protection Regulation (GDPR).

The Digital Markets Act (DMA) directly obliges only designated “gatekeepers” like Alphabet (which owns Google) to comply, but in order to do so the company needs to require the business customers that use its services and collect users’ personal data to also meet compliance requirements.

“The biggest adjustments are the additional storage types for more granular advertising options regarding whether user data can be used for advertising purposes. The more granular options support Google’s conversion optimization and with that monetization through ads in general.”

User consent and online ads

User consent is a necessity for online advertising under many global privacy regulations, as it allows you to compliantly gather user data and use it to promote your product to customers who are already in your marketing funnel.

The data you collect enables you to deliver relevant, personalized ads to users to enhance their interactions with your brand and increase the effectiveness of your campaigns.

With the proper implementation of Google Consent Mode v2, you can ensure that your users have full control over their data and how it’s used across digital spaces. This will help you to build trust with your customers, making them more inclined to trust you with their data and personalization actions, while helping to enable compliance with data privacy regulations like the GDPR, DMA, and others.

What services does Google Consent Mode v2 support?

Google Consent Mode currently supports the following Google services:

It’s a simple, convenient customization tool and another way to stay one step ahead of evolving legal and technology needs for data privacy compliance.

Google Consent Mode has a multitude of features that can bolster compliance efforts and enhance your business operations. Here are some of its key advantages:

“It is important because without Consent Mode website operators’ tracking capabilities will be highly limited by Google. But there is not just a downside: Google also provides the upside of using AI to recreate conversions and therefore making analytics and advertising possible, even without full consent.”

[Infographic: how Google Consent Mode v2 works]

Google tags are loaded onto web pages before the cookie consent banner appears, so Google Consent Mode enables websites to dynamically adjust the behavior of these tags once a user allows or rejects cookies. Measurement tools will only be used for specifically determined purposes if the user has given consent.

Google Consent Mode features two tag settings to manage cookie behavior based on user consent choices:

Google Consent Mode v2 introduced two additional tag settings that are based on the same trigger as ad_storage:


Website owners can also leverage conversion modeling to gather insights from anonymized data collected from users who reject cookies. This feature helps businesses gather essential data and marketing insights to fill in data gaps and understand user behavior without compromising on privacy.

A consent management platform can enable you to seamlessly collect user consent preferences and transmit them to Google services for further processing.

With Usercentrics CMP, you can automate detecting and categorizing all cookies and trackers in use on your site. Then with that information in the CMP user interface, users can accept all cookies, reject all (except strictly necessary cookies), or accept some cookies while rejecting others.

Users’ privacy preferences are maintained at every step, and companies still have access to sufficient information to maintain their ability to make data-driven decisions.


Basic vs advanced consent mode in v2

Google Consent Mode v2 introduces two levels of consent handling: Basic and Advanced. Each of these levels is designed to meet different operational needs and regulatory requirements.

Basic Consent Mode:

Advanced Consent Mode:

Google Analytics Consent Mode

Google Analytics Consent Mode for GA4 uses the analytics_storage tag to manage how GA4 cookies behave based on user consent.

When a user gives consent for analytics cookies, GA4 will collect full data from the user for statistical or analytical purposes.

Conversely, when a user rejects analytics cookies, GA4 limits the data it collects to information that can’t personally identify the user, including their browser or operating system and the referrer, or how the user came to the website.

Google Consent Mode v2 uses the ad_storage tag to manage how Google Ads cookies behave based on user consent.

If a user gives consent for advertising cookies, Consent Mode for Google Ads will collect full data from the user for marketing or advertising purposes.

Where a user rejects cookies for advertising purposes, Google tags will not use advertising cookies and any Google Ads the user sees will not be targeted or personalized based on their data.

What is conversion modeling?

Data from cookies is useful to help website owners track and identify users, study user behavior on their website and see the effectiveness of their ad campaigns and messaging in converting users to customers, among other things.

When users consent to cookies, gathering comprehensive data becomes straightforward and makes precise ad targeting and data analytics easier. When users reject cookies, both become harder, since the data collected is restricted and anonymized, leaving gaps in the analytics.

Google uses machine learning to fill in those gaps with conversion modeling. It studies data and trends from users who consented to cookies and uses that data to estimate the behavior of users who rejected them.

Conversion modeling helps ensure that businesses using Google Analytics Consent Mode data can still gain valuable insights and optimize their marketing strategies, even when full consent data is unavailable.

To maintain access to all of Google’s analytics and advertising services, you need to implement Google Consent Mode on your website if you’re doing business in the EU, UK, or Switzerland. There are two options for how you implement it.

The most straightforward solution is to use a CMP with Google Tag Manager. Another option is to have your tech team integrate it directly into your website with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF 2.2).

Google Consent Mode and Google Tag Manager

Google Consent Mode can be integrated with Google Tag Manager in two ways, depending on whether the website owner uses a CMP.

Once Google Consent Mode and Google Tag Manager are integrated, user consent choices in the CMP’s displayed consent banner are passed on to Google Tag Manager, which then governs how cookies behave for a user’s visit.

This integration helps ensure that all tags and tracking tools comply with user consent preferences to help businesses balance effective data collection and privacy compliance.

While integrating Google Consent Mode without a CMP allows for more flexibility, it demands more technical expertise and ongoing maintenance. Using Usercentrics CMP, on the other hand, simplifies this process by ensuring that user consent preferences are automatically communicated to Google.

Google Consent Mode v2 and the TCF 2.2

Google Consent Mode has been updated specifically for websites whose CMP does not obtain user consent within the scope of the IAB Transparency and Consent Framework (TCF).

For companies actively using the IAB TCF 2.2, Google Tools will continue to read out and respect the IAB TC String. This means that all Google services, including Google Analytics and Google Ads, will honor the consent preferences specified in the String to help ensure that a user’s choices are applied across all integrated tools and services.

How to implement Google Consent Mode with the Usercentrics CMP

Implementing Google Consent Mode with the Usercentrics CMP solution as an alternative to prior blocking can be done in a single step. Existing customers and those with custom Data Processing Services should note the additional information below.

✔ Adjust the existing Google Tag Manager code by adding a few lines of code above your Google Tag Manager tag.

✔ If you are an existing customer, ensure the Google Consent Mode option is toggled ON in the Usercentrics Admin Interface.

✔ For new customers, Google Consent Mode is ON by default.

✔ If you have custom Data Processing Services, use the Usercentrics CMP events to signal the consent status via the Consent Mode API.
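The implementation steps above, as an added example that is not Usercentrics’ or Google’s own code: it shows the Consent Mode v2 default-denied command that belongs above the Google Tag Manager tag, a CMP decision translated into a consent update for analytics_storage, ad_storage, ad_user_data and ad_personalization (the latter two following the same trigger as ad_storage, as described earlier on this page), and a replay of the dataLayer to check which storage types a tag may use. The `choices` object (`{ analytics, marketing }`) is a hypothetical stand-in for a CMP event payload, not the Usercentrics event format.

```javascript
// Added example, not Usercentrics' or Google's code. The gtag('consent', ...)
// commands, storage-type names and wait_for_update parameter are the real
// Consent Mode API; the `choices` object is a hypothetical CMP payload.

// Standard dataLayer/gtag bootstrap. In a browser this is window.dataLayer;
// binding it through globalThis lets the same code run under Node.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// The four Consent Mode v2 storage types. ad_user_data and ad_personalization
// were added in v2 and are driven by the same consent trigger as ad_storage.
const STORAGE_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Step 1: the "few lines above the Google Tag Manager tag". Every storage type
// defaults to denied, and tags wait up to 500 ms for the CMP to deliver a
// stored choice before they fire with the default.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500,
  });
}

// Step 2: translate a CMP decision into Consent Mode state. `choices` is the
// hypothetical payload { analytics: boolean, marketing: boolean }; a single
// marketing choice drives all three advertising storage types.
function consentStateFromChoices(choices) {
  const flag = (granted) => (granted ? 'granted' : 'denied');
  const ads = flag(Boolean(choices.marketing));
  return {
    analytics_storage: flag(Boolean(choices.analytics)),
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Push the update the CMP would send once the user has interacted with the banner.
function signalConsentUpdate(choices) {
  const update = consentStateFromChoices(choices);
  gtag('consent', 'update', update);
  return update;
}

// Replay the dataLayer the way a consent-aware tag would: the default sets the
// baseline and each later update overrides it. Keys other than the storage
// types (e.g. wait_for_update) are ignored. With no consent command at all,
// Google tags behave as if consent were granted, which is exactly why the
// default command has to run before the tag loads.
function effectiveConsent(layer = dataLayer) {
  const state = {};
  for (const t of STORAGE_TYPES) state[t] = 'granted';
  for (const entry of layer) {
    if (entry[0] !== 'consent') continue;
    const cmd = entry[1];
    const params = entry[2] || {};
    if (cmd !== 'default' && cmd !== 'update') continue;
    for (const t of STORAGE_TYPES) {
      if (params[t] === 'granted' || params[t] === 'denied') state[t] = params[t];
    }
  }
  return state;
}

// Whether a tag may set or read cookies for the given storage type.
function mayUseStorage(type, layer = dataLayer) {
  return effectiveConsent(layer)[type] === 'granted';
}
```

Calling `setConsentDefaults()` before the tag and `signalConsentUpdate(choices)` from the CMP’s consent event reproduces the signalling flow the steps describe; the replay helpers are only there to make the resulting state inspectable.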

There is also a convenient feature that automates the process of enabling Google Consent Mode in Usercentrics CMP. Get it up and running in two easy steps.


Google Consent Mode does not replace a CMP; it serves as a link between the CMP and Google services. This has become increasingly important since enforcement of the Digital Markets Act (DMA) began in the EU in March 2024, and the gatekeepers have levied stricter requirements on their business customers.

With Google (via parent company Alphabet) designated as one of the seven gatekeeper companies under the DMA, third-party customer companies using Google services will need to achieve valid privacy compliance and signal consent to tracking, particularly for advertising purposes, so that Google can ensure end-to-end privacy compliance in its business ecosystem.

Google Consent Mode is an integrated tool that enables Google services to run on websites based on the types of consent collected from website users, without requiring Google to have direct access to personal data or denying companies access to information they need to drive conversions.

However, obtaining user consent remains the website operator’s responsibility, and Consent Mode doesn’t work as a standalone. With the help of a CMP, you can collect granular user consent for all cookies and tracking technologies in use on the site in accordance with the GDPR and other data privacy laws.

By pairing the Consent Mode API with the Usercentrics CMP, websites can indicate if the user has given consent for cookie usage related to analytics, advertising, or both. The supported Google tags will respect this signal and adjust their behavior accordingly, only using cookies if consent was granted for the specific purposes.

For example, if the website user decides to reject the use of cookies or trackers for certain marketing technologies, Google Consent Mode will react based on this consent status and will only display purely context-based advertising to that person on the website, without any personalization. This enables companies to meet regulatory requirements while still respecting users’ privacy choices.

Data privacy laws like the GDPR, Brazil’s LGPD, and more provide individuals online with protection and control over their personal data, who has access to it, and how it’s used. As technologies evolve, the average person creates more and more data online every day.

Laws like the GDPR require prior consent for access to and processing of that personal data, which can reveal a great deal about individuals — some of the information being quite sensitive. Without consent, people’s privacy could also be violated without their knowledge for the benefit of companies using their data.

This way, businesses can still obtain and use personal data, and in many cases do so to create better experiences for their customers, but only with individuals’ consent, and only within the parameters of what those people have agreed to or the law allows.

Consumers are also increasingly aware of the value of their data, their rights, and the collection and use of their data online by companies.

This means that companies that want to build and retain user trust and develop long-term engagement must give users choices around whether or not to be tracked using transparent, user-friendly notices about their privacy compliance and data collection practices, as well as employing compliant consent mechanisms.

Proactively embracing consent-based marketing helps protect companies’ revenue and brand reputation while helping to future-proof growth and helping them to get ahead of their competitors.

The future of digital marketing includes a focus on driving revenue by optimally leveraging technologies that address companies’ responsibilities and serve users’ needs. In an era when consumers have more and more choices and the ability to leave companies that don’t provide great experiences, companies can no longer rely on dominant market positions or limited alternative options.

Companies can evolve their marketing efforts with smart, data-driven decisions by using tools like Google Consent Mode v2 and integrating them with a robust CMP to help ensure compliance and use data effectively.

According to Google, if a user doesn’t provide consent to tracking via GA4 (analytics_storage: denied), all data will be anonymized. Google will not collect any personally identifiable information when a user has denied consent, so the data will be captured without a client ID and recorded in aggregated form.

Additionally, if the placement or reading out of advertising cookies is prevented (ad_storage: denied), the main processing purposes for which user consent is usually obtained will no longer be active. This helps to ensure that any data collected is not used for personalized advertising, in line with the GDPR’s requirements.

Can these technologies be used without user consent?

Anonymized data — like the information that Google tags collect when a user rejects tracking — is not considered to be personal data under the GDPR and therefore can be used without consent.

Here, it’s important that website operators ensure that users are able to easily reject tracking and also guarantee that data collected after this rejection:

Google Consent Mode v2 ensures that if a user denies consent, only non-identifiable information is collected. Data is anonymized and aggregated to provide a generalized view of user behavior rather than specifics. Plus, the tool prevents the transfer of data to third parties and countries, unless express consent is given.

These factors help to ensure that Google Consent Mode v2 complies with the provisions of the GDPR, enabling companies to collect data from anonymous users even without consent.


With valid consent collection from website users, advertisers can continue to optimize opt-ins, measure conversions, and retrieve analytics insights with Google Consent Mode v2 while achieving and maintaining GDPR compliance.

Google Consent Mode seamlessly combines the protection of users’ data with companies’ and the advertising industry’s interests, so you can collect customer data to enhance your marketing efforts while protecting user privacy.

The simplest way to obtain granular, GDPR-compliant user consent for the use of cookies and other tracking technologies is via a CMP.

Usercentrics CMP gives users granular control over their data privacy preferences via a brand-aligned consent notice, helping you to comply with major privacy regulations while building customer trust.

Overview

Consent Requirements


Unlike the GDPR, the FADP allows entities to process personal data without a specific legal basis, unless the processing meets certain criteria. Consent is required for:

The FADP does allow for other legal bases for processing besides consent (like the law or overriding public interest), but fewer than the GDPR does. When consent is required, it must be obtained before or at the point of data collection. Like the GDPR, user consent under the FADP must be granular, informed, and voluntary.

A consent management platform enables compliant user notification, e.g. populating a privacy policy page, as well as collecting and storing compliant consent. Multiple configurations can be used with geolocation to ensure compliance with multiple regulations with different requirements, like the GDPR and FADP, depending on user location.

Notification Requirements

Data subjects must be informed at all times prior to data collection, even if consent is not required for the intended data processing.

Companies need to clearly communicate the following information to users, e.g. in a privacy policy page on the website. These are the same notification criteria required for consent to be valid:

Data subjects’ rights

Data subjects have the following rights under the FADP:

Checklist for FADP compliance

The DMA came into force in November 2022 and has been applicable since May 2023. Designated gatekeepers have until March 6, 2024 to comply with the Act’s requirements. This means that the companies that do business in the EU/EEA and UK and use the gatekeepers’ platforms and services also need to comply. Gatekeepers in violation of the DMA can be fined up to 10% of annual global turnover, or up to 20% for repeated infringements.

The DMA’s requirements are similar in many respects to those of the GDPR, but are broader in some ways, addressing additional access to and uses of end users’ personal data. The DMA aims to help ensure healthy competition from smaller, non-gatekeeper companies, and more open digital markets.

Read on to learn about:


1) What companies have been designated as gatekeepers under the Digital Markets Act?

Under the DMA, the European Commission (EC) has designated seven “gatekeeper” organizations: Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta and Microsoft.

The gatekeepers have to ensure that their platforms comply with the DMA by March 6, 2024, else they risk substantial fines. By extension, these requirements also mean that the many companies that use the core platform services from these entities must comply if they want to keep using the platforms and services.

This includes companies that collect and process user data for their own operations, or access data collected by the gatekeepers.

Companies that collect and use the personal data of users in the European Union must ensure they obtain valid prior consent (opt-in) from online users of these platforms and services. This includes gatekeepers and third parties that use their platforms, services, and data. If your organization is one of these, e.g. advertising on one or more of the platforms, you need to comply with the DMA. Companies operating in the EU may also need to comply with additional data privacy regulations, like the GDPR.

That means you need a consent management solution to ensure that you are obtaining valid consent from users on these platforms before collecting and/or processing their personal data.

2) What are the gatekeepers’ core platform services?

The gatekeepers provide 23 identified core platform services (CPS) that are required to comply with the DMA due to their enormous reach, audience, and data generated:

Third parties that use these CPS also need to comply with the DMA or risk losing access to gatekeepers, their platforms and services, and the data and revenue they generate.

3) How does the Digital Markets Act impact user privacy and consent?

User privacy and consent under the DMA follow the same requirements as the General Data Protection Regulation (GDPR) and ePrivacy Directive (ePD). Consent must be freely given, specific, informed, unambiguous, and obtained before any personal data is collected.

Users must also be able to change their consent preferences or withdraw consent at any time, and companies must be able to prove consent in the event of an audit by data protection authorities.

To achieve this, a consent management platform (CMP) enables companies to notify users about the collection and use of their data, provide consent options, and store this information securely. Companies using Google services must also support the most up-to-date version of Google Consent Mode.

The DMA requires the gatekeepers, and by extension those companies using the CPS, to obtain prior user consent if they:


4) What are third-party companies’ rights under the Digital Markets Act?

In addition to the DMA’s requirements regarding the rights and protections afforded to end users, there are a number of requirements that the gatekeepers must meet regarding third-party companies that use their CPS.

Some of the key requirements are:

See the EC’s published list of “do’s and don’ts” for gatekeepers

5) How can companies obtain and store valid consent under the Digital Markets Act?

Per the DMA’s requirements, conditions for valid consent are:

Explicit: Active acceptance required, e.g. ticking a box or clicking a link.

Informed: Who wants to collect what data, why, for how long, and who will it be shared with, etc.?

Documented: You have the burden of proof of consent in the case of an audit.

In advance: No data can be collected before consent is obtained, e.g. cookies cannot be set on your website before the user has consented to them.

Granular: Individual consent for individual purposes, i.e. consent cannot be bundled with other purposes or activities. The second layer of a CMP can display all cookies/tracking technologies in use and their purposes to enable highly granular consent choices.

Freely given: Equally accessible and easy to use “Accept” and “Deny” options, e.g. buttons all on the first layer of the CMP. Do not manipulate users’ choices via design.

Easy to withdraw: Changing consent or opting out is as easy to do as opting in, e.g. available on the same layer of the CMP.

On websites, in apps, and on other connected platforms, the GDPR requires consent to be obtained for the use of cookies and other tracking technologies. This has made cookie banners or similar consent management tools a common sight. But many companies with EU users are still not compliant with the GDPR. This also means they won’t be compliant with the Digital Markets Act, and risk access to the gatekeepers’ platforms and services, including advertising with Google.

A consent management platform can be implemented on websites, apps, and other platforms in minutes, and customized for your company branding, the cookies and other tracking technologies you use, and more.

Usercentrics has Europe’s leading CMP that enables stringent regulatory compliance, including with the Digital Markets Act, right out of the box. It’s built on state-of-the-art technology that scans deeper for cookies and has automated functionality to help you maintain compliance without having to dedicate a lot of tech or legal resources. It also enables companies to meet consent management requirements to maintain access to the gatekeepers’ platforms and services without disruption.

6) Why do you need a CMP that is ready for Digital Markets Act compliance?

European authorities have shown they are serious about data privacy compliance and regulatory enforcement, and the DMA will extend that commitment. The European Commission can impose fines for Digital Markets Act violations on gatekeepers of up to 10% of the company’s annual global turnover, 20% in cases of repeated infringement. The Commission can also require violating gatekeepers to sell parts or all of a business, or ban them from acquisitions that would be related to violating activities.

Third-party companies using gatekeepers’ services can lose access to the platforms, data, customers, and revenue if they are found to be noncompliant with the Digital Markets Act. Additionally, Digital Markets Act violations would also quite possibly violate other privacy laws, like the GDPR, which come with a whole additional set of penalties. The likely result would be a serious hit to brand reputation and customer trust, which would negatively affect revenues and future growth.

7) How do you implement a CMP that’s ready for the Digital Markets Act?

Your implementation will depend on your platform, CMS, and tools used, e.g. GTAG, Google Tag Manager, etc. However, Usercentrics CMP integrates into all the leading web and app platforms, like WordPress, Magento, Wix, Squarespace, Shopify, Prestashop, and more.


  1. Select a flexible, reliable consent management platform that can be customized to your needs and will be easy to maintain by technical or non-technical staff
  2. Implement the CMP according to your website setup—via direct integration, head tag, Google Tag Manager, etc.—and the tools you have integrated, including those of the designated gatekeepers under the Digital Markets Act
  3. Customize the CMP for your branding, messaging, relevant regulations, and cookies or other tracking technologies in use (or use an out-of-the-box template and only do the basics)
  4. Activate Google Consent Mode signaling
  5. Ensure that you set up the CMP to block all third-party trackers (unless consent is obtained)
  6. Start collecting Digital Markets Act-compliant consent from users

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018. Any organization that handles the consumer data of EU residents needs to take GDPR compliance seriously.

GDPR compliance is also valuable for those doing business in the United States, among other countries that have since introduced data privacy laws. California, for example, borrowed heavily from the GDPR when drafting its data privacy regulations. This has since influenced data privacy legislation drafted by other states.

Achieving GDPR compliance puts U.S. companies ahead of the game in ensuring state-by-state compliance at home. By adopting its more stringent best practices, you’re set up to avoid future disruptions as more regulations are passed in the U.S. and other countries.

The following information will help clarify your company’s GDPR compliance requirements. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy.

GDPR in the U.S.: Does your company need to be compliant?

One of the first questions asked by U.S. companies is, “Does the GDPR apply to us?” If your company does business in the EU that involves collecting and processing user data, then yes, you do need to be GDPR-compliant.

This can mean you sell products or services in the EU, work with partners or customers there, or receive web traffic from visitors located there.

Note that the GDPR is extraterritorial. This means it applies to organizations that process EU residents’ personal data whether or not those entities are actually located in the EU. It only matters that the personal data being used belongs to people in the EU.

In July 2023, the EU-U.S. Data Privacy Framework introduced a new adequacy agreement between the two regions, which had been without one since the Schrems II decision struck down the previous EU–U.S. Privacy Shield framework in 2020.

The EU-U.S. Data Privacy Framework does not apply GDPR requirements to the U.S., though it is a legal agreement and does apply certain standards to data protection and international transfers. The framework also outlines data subjects’ rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on US intelligence services.

GDPR requirements for U.S. companies

The GDPR’s requirements differ from data privacy regulations in the U.S., so you need to understand the distinctions. These include the following.

Scope of jurisdiction

Data privacy laws passed to date in the U.S. are all at the state level, and each one applies only in the state where it was enacted. The U.S. does not yet have a federal data privacy regulation, so companies need to check whether there’s a law for each state where they do business, and what its requirements are.

Scope of protection

Privacy laws in the U.S., like the California Consumer Privacy Act (CCPA), are centered around consumer protection, whereas the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors.

Dedicated roles

In many instances, the GDPR requires organizations to appoint a data protection officer. This isn’t the case under the majority of U.S. state-level laws passed to date.

Opting in and opting out

Under the GDPR, individuals must provide explicit opt-in consent prior to having their personal data collected and processed. The U.S. uses an opt-out model in all privacy laws passed to date, meaning you can collect and use data in many cases without obtaining consent (with the common exception of children’s data or data categorized as “sensitive”). You do have to provide a way for people to opt out of data collection and/or processing for various purposes (these vary by state law).

Terms and definitions

While the GDPR refers to “personal data,” the term “personally identifiable information” (PII) is more common in the U.S. The specific requirements for data to be “sensitive” also vary. We explain these differences in depth: Personally Identifiable Information (PII) vs. Personal Data — What’s the difference?

Under the GDPR, you need a legal basis that you can prove in order to collect and process customer data. Valid consent is one of the six legal bases listed in Art. 6 GDPR. The conditions for consent to be valid are outlined in Art. 7 GDPR.

You need to document and clearly communicate to site visitors, customers, app users, etc. what personal data you want to collect, for what purpose(s), who may have access to it, and several other requirements. If the purpose for processing user data changes, you must obtain new consent from users.

Data controllers (e.g. companies collecting data from visitors to their websites) can use any of the legal bases for data processing if they can prove the necessity of doing so. You can’t simply choose or change a legal basis because a business need changes or because one method (like obtaining valid consent) is more work.

U.S. GDPR compliance checklist

✅ Keep data privacy and protection top of mind in all aspects of your business, especially the customer-facing parts. It’s cheaper, more efficient, and less resource-intensive to build compliance into your system from the beginning using a privacy by design approach, rather than retrofitting it, especially when considering the risks of violations if efforts are not comprehensive enough.

✅ Create an internal security policy for employees, partners, and contractors to ensure security measures are adequate, and keep it updated. Ensure it’s clear and covers all operations and specific roles within the organization where accessing personal data is necessary.

✅ Know what a data protection impact assessment is and have a process to carry it out. These are legally required under some regulations, but a good idea regardless.

✅ Wherever possible, when personal data is collected, anonymize, pseudonymize, and encrypt it.

✅ In the event of a data breach, have a process in place to notify data subjects and the correct authorities within the required time frame. Act as quickly and thoroughly as possible to provide information, cooperate with authorities, protect affected users, and mitigate and repair damage from the breach.

Data subjects’ privacy rights

It must be clear and easy for customers, users, and visitors to:

✅ object to collection and/or processing of their personal data

✅ request and receive all the data you have about them in a timely manner

✅ request a correction or update to inaccurate or incomplete data

✅ request that their personal data be deleted in a timely manner (with some exceptions)

✅ have you stop collecting and processing their data if they withdraw previous consent

✅ receive a copy of all of their personal data to be transferred to another entity

✅ have processes and policies in place (and user access to them) to protect their rights if you make decisions about them based on automated decision-making processes

Operations

Requirement: Know what data you collect, store, and use

Key actions: Conduct an information audit to learn and document:

  • what data you collect
  • why it’s collected
  • who has access to it (including third parties)
  • how and where it’s stored/protected
  • how long it’s kept
  • how it’s expunged or returned

Details: Organizations with 250+ employees, or that conduct higher-risk data processing, must keep an up-to-date and detailed list of their processing activities, which can be shown to regulators on request.

Companies with fewer than 250 employees should still do these audits and maintain this information.

Requirement: Have a legal basis for data processing activities

Key actions:

  • Determine which legal basis you process data under
  • Determine what additional conditions may apply
  • Document the rationale for your organization’s chosen legal basis and be prepared to present it to regulators

Details: Legal basis is determined based on the six conditions under Art. 6. There are additional provisions relating to children and special categories of personal data in Arts. 7–11. Be aware of the extra obligations if consent is your chosen legal basis.

Requirement: Appoint appropriate officers and representatives to manage data privacy and protection initiatives

Key actions:

  • Designate a privacy/compliance officer in your organization
  • Appoint a representative within the EU if your organization is outside (e.g. United States)
  • Determine if your organization needs a data protection officer, and appoint one if required

Details: The internal data protection officer needs to be able to understand the needs of ongoing compliance, and to work on drafting, reviewing, implementing and enforcing the policies.

EU member states require a representative in each country who can communicate on your behalf with data protection authorities.

A data protection officer is needed if the organization:

  • is a public authority
  • has large-scale data processing as a core activity
  • has large-scale data processing of special categories of data as a core activity

Requirement: Create and use a data processing agreement with third parties

Key actions: Any third parties that process data on your behalf need to sign a data processing agreement that clearly outlines how data is to be transferred, stored, protected, used, and erased. This can include email hosting, cloud services, advertising or marketing partnerships, analytics software, etc.

Details: Ensure the rights and obligations of both parties are clear.

Reputable services should have a data processing agreement for review on their websites.

Users and customers

Requirement: Duty to provide information

Key actions: Provide clear notification that you are using cookies or other tracking technologies on your website.

Explain what the tracking technologies are doing and why, and what data they collect.

Include this information in a Privacy Policy that’s easy to find, read, and understand.

Review and update the Privacy Policy at least every 12 months.

Details: Include the following information in the Privacy Policy:

  • Name and contact of data controller
  • Purpose of data processing/tracking technologies
  • Categories of people and personal data processed
  • Transfers of personal data to third countries
  • Time limit for deletion of personal data
  • General description of security measures

Requirement: Obtain explicit user consent

Key actions: Obtain individuals’ informed and explicit consent to use tracking technologies and to store cookies on their device(s).

Details: Consent must be:

  • Explicit: Active acceptance, e.g. ticking a box or clicking a link
  • Informed: Communicate the who, what, why, and for how long of data collection
  • Documented: You have the burden of proof in the case of an audit
  • In advance: No data is to be collected before opt-in, e.g. cookies cannot be set on your website before an individual has consented to them
  • Granular: Individual consent for individual purpose, i.e. consent cannot be bundled with other purposes or activities
  • Freely given: E.g. the “Accept” and “Reject” options are equal in size, prominence, and accessibility
  • Easy to withdraw: Opt out is available and is as easily accessible as opt in later if the person changes their mind

Exception: These rules don’t apply to strictly necessary cookies (aka essential cookies), but there are restrictions regarding which kinds of cookies can be categorized as essential.

Requirement: Setting cookies

Key actions: Collect and process personal data via cookies only with valid consent.

Details: Loading: Ensure cookies are not loaded until the person has given consent.

User refusal: If someone rejects cookies, no cookies can be set. But the user must still be able to use your website/access your service as much as possible without the cookie use.

Requirement: Legally compliant documentation

Key actions: Document and store consents received from users whose data you’re processing.

Details: Data protection authority (DPA) audit: Comply with documentation obligations and store evidence of consent in case of an audit by data protection authorities or a data subject access request in accordance with users’ legal rights.

Requirement: Opt out

Key actions: Rejecting the use of cookies or other tracking technologies must be as easy to access and use as consenting.

Details: Easy access: It must be as easy for individuals to withdraw their consent — at any time — as it is for them to give it.

External links: Linking to a separate page for opt-out is not sufficient.

After opt-out: Ensure no further data is collected, processed, or forwarded from the moment the consent request is rejected or rescinded, i.e. the opt-out must also be technically linked to the cookie and, ideally, documented.
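The Setting cookies, Legally compliant documentation and Opt out requirements above ultimately have to be enforced in the site’s own front-end code. The following is an added example, not Usercentrics’ or Google’s code: a small consent controller that refuses to write non-essential cookies before opt-in, records each granular decision with a timestamp and policy version as audit evidence, purges a purpose’s cookies the moment consent is withdrawn, and derives the payload for a Google Consent Mode update call. The purpose names, the policyVersion field, the in-memory cookie store and the grouping of purposes into Consent Mode types are assumptions.

```javascript
// Added example (not Usercentrics or Google code): a minimal consent controller
// enforcing the obligations in the table above. Purpose names, the policyVersion
// field and the purpose-to-Consent-Mode grouping are assumptions.

const ESSENTIAL = 'essential'; // strictly necessary cookies: exempt from consent

// Assumed grouping of this site's purposes into Google Consent Mode v2 consent
// types (the type names are Google's; which purpose maps to which is an assumption).
const CONSENT_MODE_TYPES = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// In-memory stand-in for document.cookie so the logic runs offline in Node.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
  has(name) { return this.jar.has(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentManager {
  // `clock` is injectable so the consent record gets deterministic timestamps in tests.
  constructor(store, clock = () => new Date().toISOString()) {
    this.store = store;
    this.clock = clock;
    this.decisions = new Map([[ESSENTIAL, true]]); // everything else is denied by default
    this.record = [];                              // audit trail of every decision
    this.cookiesByPurpose = new Map();             // purpose -> Set of cookie names
  }

  isAllowed(purpose) {
    return this.decisions.get(purpose) === true;
  }

  // Record one granular decision. policyVersion ties it to the notice the user
  // actually saw, so a later change of purpose visibly requires fresh consent.
  decide(purpose, granted, policyVersion) {
    if (purpose === ESSENTIAL) throw new Error('essential cookies are not subject to consent');
    const value = granted === true;
    this.decisions.set(purpose, value);
    this.record.push({ purpose, granted: value, policyVersion, at: this.clock() });
    if (!value) this.purge(purpose); // withdrawal takes effect immediately
    return value;
  }

  // Remove every cookie previously written under a purpose that is no longer consented.
  purge(purpose) {
    const names = this.cookiesByPurpose.get(purpose) || new Set();
    for (const name of names) this.store.remove(name);
    this.cookiesByPurpose.delete(purpose);
    return names.size;
  }

  // Single choke point for writing cookies: refuses unless the purpose is
  // essential or currently consented, so nothing is set before opt-in.
  setCookie(name, value, purpose = ESSENTIAL) {
    if (!this.isAllowed(purpose)) return false;
    this.store.set(name, value);
    if (purpose !== ESSENTIAL) {
      if (!this.cookiesByPurpose.has(purpose)) this.cookiesByPurpose.set(purpose, new Set());
      this.cookiesByPurpose.get(purpose).add(name);
    }
    return true;
  }

  // Payload to pass to gtag('consent', 'update', ...) after each decision.
  consentModeUpdate() {
    const update = {};
    for (const [purpose, types] of Object.entries(CONSENT_MODE_TYPES)) {
      for (const type of types) update[type] = this.isAllowed(purpose) ? 'granted' : 'denied';
    }
    return update;
  }

  // Evidence for a DPA audit or a data subject access request.
  exportRecord() {
    return this.record.map((entry) => ({ ...entry }));
  }
}

// Constructed walk-through of one visit: deny by default, opt in, then withdraw.
function demo() {
  const store = new MemoryCookieStore();
  const cm = new ConsentManager(store, () => '2024-07-01T12:00:00Z');
  const beforeOptIn = cm.setCookie('_ga', 'GA1.2.123', 'analytics'); // refused: false
  cm.setCookie('session_id', 'abc123', ESSENTIAL);                   // allowed without consent
  cm.decide('analytics', true, 'policy-v3');
  const afterOptIn = cm.setCookie('_ga', 'GA1.2.123', 'analytics');  // now allowed: true
  const signal = cm.consentModeUpdate();                             // analytics granted, ads denied
  cm.decide('analytics', false, 'policy-v3');                        // withdrawal purges _ga
  return { beforeOptIn, afterOptIn, signal, cookies: store.names(), record: cm.exportRecord() };
}
```

In a browser the store would wrap document.cookie and the purge would also have to stop already-loaded tags, since deleting a cookie alone does not stop a script that is still running.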

Ensuring consent is GDPR-compliant

For an individual’s consent to be GDPR-compliant, you need to meet seven criteria. See our article 7 criteria for GDPR-compliant consent for detailed information on those criteria and what that means for consent banners on your website.

Data protection and regulation of children’s data

Under the GDPR, you’re generally only able to process personal data for children aged 16 and older. Parental or guardian consent must be obtained for data processing requests for children under 16.

Some EU member states reduce the age limit to 13, but not all of them do. As confirming an individual’s age can be ambiguous on some websites, we recommend obtaining explicit consent from all users.

Kickstart GDPR compliance with a data privacy audit

As mentioned, the precise implementations and interpretations of GDPR vary among member states. But you’ll need to complete a full data audit before you’ll know exactly how GDPR requirements apply to your organization and customers.

Start with Usercentrics’ free data privacy audit that detects the cookies and trackers in use on your website, and can help you to see where your website might fall short of GDPR compliance.

While this audit will support your compliance efforts, it does not replace legal advice. To ensure your company’s GDPR compliance efforts are robust and compliant, we strongly recommend working with legal counsel that specializes in data protection and privacy, and appointing a Data Protection Officer.

If your company has customers in South Africa or plans expansion there, and you collect or process personal data, you need to comply with the Protection of Personal Information Act (POPIA).

POPIA received Presidential assent in November 2013. Sections of POPIA coming into effect have been staggered in the years since, with key remaining sections coming into effect on July 1st, 2020. Organizations had 12 months from that date to enact POPIA compliance requirements, and enforcement began on July 1st, 2021.

Data privacy regulations are complex.

Many businesses like yours, that have struggled with POPIA compliance, are finding out that working with us answers questions, relieves stress, and increases advertising revenue.

The good news is that if you are already compliant with the GDPR or LGPD, you have already done much of the work necessary to comply with POPIA.

To help you achieve POPIA compliance, follow these steps:

Step 1: Identify if your organization needs to comply.

Step 2: Create a comprehensive Privacy Policy.

Step 3: Inform users about their rights.

Step 4: Inform users that you use cookies or other tracking technologies.

Step 5: Explain in the first layer of the privacy banner what your cookies or other web technologies are doing and why.

Step 6: Obtain users’ voluntary and informed consent to store cookies on their device(s) and enable refusal of consent or adjustment of preferences in the future.

Step 7: Collect and process data only after obtaining valid consent.

Step 8: Document and store consent received from users.

Step 9: After opt out, ensure that no further data is collected or forwarded.

Cookies covered by POPIA

Identifiable data is protected by POPIA. Thus, cookies and other tracking web technologies that collect data that can be associated with a natural person are subject to privacy compliance obligations under the law, i.e. where the information is linked or linkable to a particular user, IP address, device or other specific identifier.

The exception is anonymized or permanently de-identified data under Section 6, which is not considered personal data under POPIA.

Lawful Processing

Section 4 of POPIA outlines provisions for the parameters of restrictions on personal data collection and processing, how the Act applies to different population groups, and who is responsible for monitoring and enforcement.

For violations, POPIA has provisions for both monetary and carceral penalties. The maximum fine is ZAR 10 million (approx. EUR 500,000) and the maximum prison sentence is 10 years for certain responsible individuals and certain violations.

Requirements for POPIA (South Africa)

  • Freely given and informed consent is necessary
  • The purpose has to be provided (first layer of the privacy banner)
  • The recipient has to be named (second layer of the privacy banner)
  • Withdrawal of consent has to be possible (second layer of the privacy banner)
  • Options to grant or decline consent must be equal
  • Proof that consent has been given must be stored
  • The option to give or withdraw granular consent for each data processing purpose has to be provided

DISCLAIMER

These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation. Please consult a qualified lawyer should you have any legal questions.

Protecting your customer data is more than just good business practice, it’s a legal requirement under the General Data Protection Regulation (GDPR).

This regulation applies to all businesses with websites and applications that collect personal data from visitors who are based in the European Union (EU), regardless of the business’ location. It exists to protect those individuals’ privacy rights and mitigate the misuse of their data.

Simply adding a cookie consent banner to your website won’t automatically equal compliance. You’ll also need to implement specific technical and organizational measures to meet the GDPR’s stringent requirements.

Fortunately, there are a number of GDPR compliance software options that will help you to do just this. We’ll take a look at some of the best solutions out there.

Our top picks for GDPR compliance software:

  1. Usercentrics
  2. Osano
  3. OneTrust
  4. Didomi
  5. Cookie Information
  6. CookieYes
  7. Borlabs Cookies

GDPR compliance software options

Usercentrics
  • Key feature: Extensive database of legal templates: over 2,200 templates to help enable compliance and save time and resources
  • Recommended for: Businesses of all sizes
  • Price*: From USD 60/month after 30-day free trial

Osano
  • Key feature: “No Fines, No Penalties” Pledge: receive compensation of up to USD 200,000 if you receive a fine related to data privacy while using Osano
  • Recommended for: Medium-sized businesses
  • Price*: Custom pricing, available on request

OneTrust
  • Key feature: Data intelligence: identify sensitive data and understand data risks
  • Recommended for: Large corporations
  • Price*: Custom pricing, available on request

Didomi
  • Key feature: Site scanner: obtain a Health Score for your website to determine GDPR compliance level
  • Recommended for: Multinational companies
  • Price*: Custom pricing, available on request

Cookie Information
  • Key feature: Website and app consent management: collect user consent across different platforms
  • Recommended for: Small businesses
  • Price*: From EUR 15/month

CookieYes
  • Key feature: Cookie Policy Generator: create a custom cookie policy in a few minutes
  • Recommended for: Freelancers
  • Price*: From USD 0/month

Borlabs Cookie
  • Key feature: Dashboard statistics: see the past 10,000 cookie consents on your website in one place
  • Recommended for: Agencies
  • Price*: From EUR 49/month

*As of July 2024

Why GDPR compliance software is a must in 2024

Failing to comply with the GDPR’s requirements will expose your business to significant risks, including hefty fines and reputational damage. Robust GDPR compliance software can help you streamline a variety of privacy compliance operations.

Our picks of the 7 best GDPR compliance software platforms

Meeting GDPR requirements is crucial for businesses that want to protect personal data to avoid penalties, develop their privacy-led marketing operations, and build trust with their customers.

We highlight the top 7 GDPR compliance software platforms to help your business continually meet the regulation’s requirements.

1. Usercentrics

Usercentrics offers market-leading compliance software that helps enable businesses to comply with the GDPR and other data privacy regulations. Organizations in 195 countries have relied on Usercentrics to effectively manage user consent requirements since 2012.

Usercentrics is available as an out of the box solution. However, it also enables extensive customization of visual elements, data processing services, and regulatory coverage for websites, apps, and other connected platforms.

Although mastering this consent management platform’s (CMP) advanced tools may involve a bit of a learning curve, say G2 users, the end result is invaluable for building trust with users.

Key features

Pricing

Pros:

  • Provides compliance notices in 60+ languages
  • 2,200+ legal templates
  • Detailed analytics and reporting

Cons:

  • Analytics data only available for 90 days

2. Osano

Osano software advertises numerous features that help enable GDPR compliance, including the option to use Osano as a third-party, EU-based DPO, and to assess vendor privacy risk.

Osano also offers a bold pledge to pay any fine or penalty — up to USD 200,000 — that a business incurs due to noncompliance with data privacy regulations while using its CMP. However, this only applies to customers on Premium plans or higher who have implemented products in line with Osano’s documentation.

Key features

Pricing

Contact Osano for a custom quote.

Pros:

  • Free, self-service cookie consent available
  • Provides dynamically generated policies based on the location of each user
  • Easy to set up (G2 users report)

Cons:

  • No A/B testing

3. OneTrust

OneTrust comes with an extensive set of data privacy management tools for websites and apps, including cookie scanners, functionality for cookie consent management, and autoblocking functionality.

OneTrust also touts that it works with a network of lawyers and legal experts to provide relevant updates via the platform, to help enable and maintain GDPR compliance.


Key features

Pricing

OneTrust uses custom pricing based on user needs. Contact OneTrust for a quote.

Pros:

  • In-depth support and documentation via the Knowledge Base (G2 user reviews)
  • Includes incident and breach management
  • A system for automating compliance assessments

Cons:

  • Non-transparent pricing

4. Didomi

Didomi provides a cloud-based CMP that offers data privacy tools, including cross-device consent management, supporting over 50 languages. While it does support multiple data privacy laws and regulations, there are no self-serve solutions, and customers must go through a consultation process. Nonetheless, G2 users praise Didomi’s customer support.


Key features


Pricing

Pricing only available on request.

Pros:

  • Based in the EU
  • Robust integration framework
  • Customer support via live chat and email

Cons:

  • No self-serve solution

5. Cookie Information

Cookie Information enables businesses to deploy cookie banners that comply with the GDPR, Digital Markets Act (DMA), and the California Consumer Privacy Act (CCPA). Although the platform provides its customers with cookie policies and banners that can meet the latest regulatory requirements, it lacks features such as A/B testing.


Key features


Pricing

Pros:

  • Google-certified CMP partner
  • Personal account manager
  • Free 30-day trial

Cons:

  • No geotargeting

6. CookieYes

CookieYes aims to simplify the consent management process with a claim of “foolproof consent management” and a cookie banner that can be launched in just a few minutes. G2 users praise the platform’s intuitive interface that makes it easy to set up and manage consent banners. However, advanced features such as geotargeting are only available on the two most expensive paid plans.


Key features

Pricing

Pros:

  • Banners available in 30+ languages
  • Available as a WordPress plugin
  • Responsive support team (G2 user reviews)

Cons:

  • Geotargeting only available on the two most expensive plans

7. Borlabs Cookie

A quarter of a million websites use Borlabs Cookie to display GDPR- and ePrivacy-compliant cookie banners. The platform comes with an extensive library of templates for popular services and compatibility patches for plugins, as well as automatic translation, and geotargeting. However, as a WordPress plugin, this tool does not provide cross-platform consent management.


Key features

Pricing

All Borlabs Cookie plans are priced per annum and come with one year of Borlabs Service (the license needed to use the library, geotargeting, IAB TCF, scanner, translation service), free updates and free support.

Pros:

  • Includes auto-blocking
  • Geotargeting
  • Flexible pricing based on number of websites

Cons:

  • WordPress-only plugin

Must-have features for GDPR compliance management software

To ensure your business is able to meet data privacy requirements — and help the person or team who is responsible for GDPR compliance to execute their duties effectively — your software must:

Maintain GDPR compliance with a top software solution

Understanding the capabilities of these GDPR compliance software solutions will help you to choose a platform that suits your budget and business needs and get you on a path to GDPR compliance.

Each platform that we’ve outlined in this article will help you to fulfill at least some of the GDPR’s requirements. However, if you’re looking for an all-in-one solution that helps streamline achieving and maintaining GDPR compliance, consider Usercentrics.

Trusted on over 2.2 million websites and apps by businesses in 195 countries, Usercentrics is a market-leading CMP that enables businesses to gain access to the data insights they need to bolster their marketing performance while staying on the right side of privacy law and building user trust.

The information presented in this article is provided for educational purposes only. Engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations when evaluating solutions is always recommended. This information is accurate based on these publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.

EU-WIDE REGULATIONS AND GUIDELINES

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) protects the personal data of residents of the European Union and European Economic Area. The law is extraterritorial, so it applies to organizations even if they are not located in the EU. Privacy regulation requirements for the GDPR must be applied in addition to country-specific requirements, such as those for data subjects’ consent (i.e. online users, customers, visitors, gamers, etc.).

Who needs to comply with the GDPR?

Any organization (not just commercial enterprises) that collects and processes the personal data of residents of the EU/EEA. Unlike in the United States, there are no thresholds for GDPR compliance, like company revenue or the number of people whose data is processed in a year. There are some exceptions to GDPR compliance, like for journalists or law enforcement, but overall there are few exceptions for companies and other organizations that need user data.

Legal bases for personal data processing under the GDPR

The GDPR provides six options for legal bases for processing of personal data. Consent is one of the options.

Organizations must be able to prove the necessity and validity of their choice of legal basis. A company cannot just choose legitimate interest to avoid the resource investment required to implement consent management, for example.

However, organizations that need to obtain consent must do so in a way that complies with the GDPR’s requirements, e.g. making consent choices clear and equal. They must also be able to prove — to data protection authorities or in the event of a data subject access request — that valid consent was obtained from users, including when and for what, and recording any changes to consent information over time.

Conditions for valid consent under the GDPR

Art. 7 GDPR outlines the conditions for legally valid consent. These requirements have been influential around the world on data privacy legislation and privacy guidelines.

In short: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.”

ePrivacy Directive (ePD)

The ePrivacy Directive is considered the precursor to the ePrivacy Regulation. Passing of the latter continues to be delayed, though the ePD was significantly updated in 2009.

Colloquially known as the “cookie law”, the ePD influenced the adoption of consent banners. It addresses data privacy and protection in electronic communications and has several mandates:

The ePrivacy Directive requires incorporation into the national laws of EU member states; as a result, enforcement across EU member countries has varied.

The conditions for valid consent under the ePrivacy Directive (and eventual ePrivacy Regulation), and who is required to comply are the same as those for the GDPR.

Digital Markets Act (DMA)

The Digital Markets Act came into force in late 2022 as part of the Digital Services Act Package of regulations. Its goals are to promote fair and competitive digital markets in the EU, and to enhance privacy and protections for consumers’ personal data.

The DMA directly targets six large and influential tech companies, designated “gatekeepers”. However, for those companies to meet regulatory compliance requirements, they need to set their own compliance requirements for all the third-party organizations that rely on their platforms, e.g. for data, audience access, ecommerce, advertising, and more.

Importantly, that includes the requirement of obtaining valid user consent for collection and processing of personal data, and also signaling that consent information to the platform or service, e.g. for Google Ads or Analytics. To comply with this requirement, companies need to implement a consent management platform (CMP) that collects user consent, and then signals that information to the platforms. In Google’s case, it requires implementing a Google-certified CMP integrated with the latest version of Google Consent Mode.

DMA compliance requirements for obtaining consent align with the requirements of the GDPR and ePrivacy Directive, which are also required in the EU.

EU-WIDE FRAMEWORKS AND POLICIES

IAB Europe Transparency & Consent Framework v2.2

Publishers serving ads on websites or in apps in the EU/EEA or UK are now required to have the latest version of the IAB’s Transparency & Consent Framework (TCF) implemented via integration with a consent management platform (CMP).

The TCF originally set industry standards to ensure transparency with users online regarding the collection of data for targeted advertising, as well as provide them control and enable valid consent mechanisms. The framework also standardizes working with vendors, reduces data privacy risks and enables compliance with regulations like the GDPR and ePrivacy Directive.

The update to the TCF v2.2 in late 2023 addresses criticisms and is designed to better meet the needs of regulators and users. Updates include:

Google’s EU user consent policy was introduced in 2015 and is a key component in their data privacy requirements for third parties using their platforms and services for marketing, analytics, etc. The policy aligns with the requirements of the GDPR (it was significantly updated when the law came into force) and ePrivacy Directive.

Google’s EU user consent policy applies to companies that operate websites and/or apps meeting the following criteria:

Websites or apps that serve non-personalized ads that only use contextual information are still subject to the policy if they use cookies or mobile identifiers where legally required. Organizations using third parties to collect and/or process data must also employ “commercially reasonable efforts” to ensure they comply with the policy.

The policy has four main criteria pertaining to consent. Companies must:

Noncompliance with the policy can result in suspension of access to Google’s services, or contract termination. Additionally, noncompliance with EU regulatory requirements for user consent can result in fines and other penalties.

All regulations and guidelines included are currently in effect in the countries listed.

Andorra data privacy laws and consent requirements


Protected groups: Website users (or equivalent)

Relevant cookie use: All cookies and similar tracking technologies used on websites and in apps, as well as smart devices like TVs, video game consoles, voice assistants, network-connected vehicles, etc.

Consent definition: Any specific, informed and unambiguous expression of free will by which the data subject consents, by means of a statement or a clear affirmative action, to the processing of personal data concerning him or her.

Prior consent: Yes, in most cases, though that explicit wording is not used.

Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.

Cookie duration:

Consent solution requirements in Andorra

  • must include an opt out button on the first layer
  • clear and complete information provided prior to requesting/receiving consent
  • users must receive equal information about all available consent options
  • pre-checked boxes in the second layer where users can make granular selections violate valid consent
  • consent must be obtained through a clear, explicit, positive action, passive actions like continuing to scroll do not constitute valid consent
  • use of manipulative design or other dark patterns may invalidate consent (e.g. confusing colors or interactive elements)
  • there must be a simple, persistent element available for withdrawal of consent
  • legitimate interest is not a valid legal basis for processing personal data collected via cookies

Austria data privacy laws and consent requirements

Protected groups: Website users

Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data. Website operators using cookies or other tracking technologies are responsible for data privacy compliance for the use of those data processing services (with some exceptions) in accordance with Arts. 4 (7) and 26 GDPR.

Consent definition: Follows GDPR consent requirements, and consent must be obtained prior to setting all “technically unnecessary” cookies. Data collected by cookies should not be qualified as personal or non-personal by default and definitions will depend on each case.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, users can withdraw consent any time, and it must be as easy to do so as to give consent.

Cookie duration: No explicit guidelines.

Consent solution requirements in Austria

  • cookies can be grouped based on duration (e.g. session and persistent cookies) or by the domain to which they belong (e.g. first-party and third-party cookies)
  • website operators can design to their preference, but consent requirements of Art. 4 (11) and Art. 7 GDPR must be followed for privacy compliance
  • it must be clear to data subjects that they are giving consent; hidden consent buttons, confusing colors or other elements that are hard to find or that could be selected accidentally, or other manipulative design mechanisms (“nudging” or “dark patterns”) do not constitute valid consent
  • passive actions like continuing to scroll do not constitute valid consent; the consent action must be explicit and positive
  • pre-checked boxes or other elements are not permitted in the banner
  • consent must be voluntary and not coerced; there cannot be any threat of discrimination or disadvantage to data subjects who do not give consent, e.g. denial of access to the website
  • the banner must clearly and precisely describe where and how consent can be revoked, and doing so must be as simple as giving consent
  • it must be as easy to decline consent as it is to give it
  • clear and complete information provided prior to requesting/receiving consent
  • paying for access to a website (e.g. “pay or ok”) can be a viable alternative to consent (the current data protection authority view as there is no case law from the CJEU yet) if:
    • all data privacy compliance requirements are met
    • the price is reasonable and not prohibitively high
    • if the user accesses the website via the payment method, no personal data can be collected or used for advertising purposes
    • website operator is not an authority or public body
    • website owner does not have a monopoly position in the market
    • no content or service exclusivity that non-consenting users cannot access

Belgium

Protected groups: Focuses on privacy in device use, so not explicitly user-focused, but all users of devices from which data can be tracked/collected.

Relevant cookie use: All cookies and similar tracking technologies used on devices, so all companies doing tracking via devices

Consent definition: Follows GDPR and ePrivacy Directive consent requirements for prior consent for use of all but strictly necessary cookies (includes cookies which are absolutely necessary to provide a service that the user has expressly requested and/or to send a communication via an electronic communications network)

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, users can withdraw consent at any time, and it must be as easy as giving consent. Users should also be informed about the ability to withdraw when initially requested to provide consent.

Cookie duration: Cookies cannot be kept beyond the time necessary to fulfill the expressed purpose. No cookies can have an indefinite retention period. Cookies exempt from requiring consent must have a duration directly related to the expressed purpose for use and be configured to expire as soon as no longer needed for that purpose.

Consent solution requirements in Belgium

  • the data protection authority recommends providing the ability to select granular-level consent as best practice; this ability is also a legal requirement
  • cookies should be categorized according to purpose, e.g. audience measurement, statistical, etc.
  • consent must be obtained through a clear, explicit, positive action, having been fully informed prior to the consent request
  • passive actions like continuing to scroll do not constitute valid consent
  • pre-checked boxes or other elements are not permitted
  • use of browser settings to indicate consent is not valid
  • cookie walls that block access to the website are not valid as they prevent consent from being freely given

Czechia

Protected groups: Data subjects, e.g. website users

Relevant cookie use: All cookies and similar tracking technologies used on websites.

Consent definition: “Consent should above all be free, specific, informed, and unequivocal. The data subject must have the simple option of not giving consent, without this implying harm for him (e.g. unavailability of website content).”

Prior consent: Yes, in most cases, though that explicit wording is not used. Consent is not required for the use of technical cookies, but that exception only applies to the storage and reading of cookies in the user’s browser.

Consent withdrawal: Data subjects can revoke consent to personal data processing at any time, and doing so must be as easy as giving consent. If consent is granted via a consent banner, for example, withdrawal cannot be required to go through a different channel, e.g. sending an email. Ideally, changing or withdrawing consent should be accessible via an easy-to-find and easy-to-use button or link.

“Consent to the processing of personal data can be revoked by the data subject at any time, and the withdrawal of consent must be as easy as giving it. In the case of granting consent via the cookie bar, it cannot be accepted that the withdrawal of consent is only possible, for example, by telephone. Ideally, there should be an easily accessible button or link on the website with which consent can be withdrawn.”

Cookie duration: The data protection authority considers a lifespan of six months to be reasonable in principle. That period can be shorter if one or more processing purposes significantly change or the website operator can no longer monitor previous consent (or rejection) preferences, e.g., due to the user deleting cookies on their device.

Consent solution requirements in Czechia

  • appearance and colors of buttons must enable consent to be freely given (no manipulative design)
  • cookie walls are not acceptable as they make access to functions or services conditional
  • active user action is required for valid consent, e.g. clicking an “Accept” button; closing the banner is not valid consent
  • pre-ticked boxes cannot be used for valid consent
  • user must be able to grant informed consent for individual purposes to individual administrators in the browser, so a list of individual cookies with their purposes needs to be clear and easily accessible to the user, e.g. via clicking a “more information” link
  • third-party tags cannot be loaded until consent is given, so must be integrated into the CMP
  • processing personal data with legitimate interest as the legal basis is allowed in some cases, but if the user does not consent to the storage and reading of cookies, no further processing of personal data can take place.

Denmark

Protected groups: End users of devices and technologies, including smartphones, computers, tablets, apps, SDKs, smart devices, and third-party content; children aged 15 and older can consent on their own behalf.

Relevant cookie use: All cookies and similar tracking technologies used on the listed types of devices and via relevant technologies.

Consent definition: “A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.”

Prior consent: Yes, in most cases. “Consent of the data subject(s) must be obtained before the controller starts processing the data to which the consent relates”. Only necessary cookies, e.g. those required for the website to function (e.g. shopping cart) can be set without consent.

Consent withdrawal: Yes, consent can be withdrawn at any time and it must be as easy as giving it, and once consent is withdrawn, data processing must cease immediately.

Cookie duration: Not addressed, though users must be provided information about when each cookie expires.

Consent solution requirements in Denmark

  • With the 2025 update, there are detailed rules for designs and interfaces to ensure that users are provided with real choice regarding consent, e.g. buttons must be equal, no dark patterns, and there is required first-layer information:
    • Who: controllers and partners
    • What: data types
    • Why: purposes
    • If third parties are involved
    • How to withdraw consent
  • Users must have equal consent and rejection options in the banner, so if there is only an “Accept” button and not a “Reject” one, consent is not valid; also, granularity in consent choices is now required and “Accept all” is not compliant
  • Transparency and granularity are required for consent to be considered voluntary, so sufficient information about data collected via which cookies, for which purposes, by whom, when they expire, etc. must be clear and accessible
  • Pre-ticked boxes cannot be used for valid consent
  • A click-through (consent is assumed if the user continues to use the website without actually interacting with the consent banner, for example) is not considered valid consent
  • “Nudging” or other manipulative design tactics/dark patterns cannot be used for consent to be considered “freely given” and valid
  • It must be as easy to reject consent as to give it, and it must be possible to opt out of all data processing/cookie use.
  • If a company wants to use a cookie wall, but a user does not want to consent to the processing of their data (to get access to the website), the company must provide a reasonable alternative to the user, such as access for a moderate fee (that still enables real choice) or access to similar functions or services
  • If offering the choice between consent to data processing and an alternative, the necessity of the consent request (the data and use purposes) must be demonstrable (so that it is reasonable for those not to be included if the user chooses the alternative)
  • If the user chooses not to consent to data use but account creation is needed to access the functions or services, the company can process the personal data that is necessary to manage the user profile and provide the service in question, but no more

Finland

Protected groups: End users, e.g. for websites and apps

Relevant cookie use: This applies to cookies and similar technologies used by service providers when creating and operating websites or other electronic communications services, like mobile apps.

Consent definition: “Any voluntary, individualized, informed and unambiguous expression of will by which the data subject accepts the processing of his personal data by giving a statement expressing consent or by taking an action clearly expressing consent.” The conditions for valid consent are the same as for the GDPR.

Prior consent: Yes, in most cases. Consent is not required for “essential” cookies, but it’s recommended to include information about them and their use. Essential uses for cookies include:

Consent withdrawal: Changing or withdrawing consent (or refusing it in the first place) must be as easy to do as giving it.

Cookie duration:

Consent solution requirements in Finland

  • Cookies may not be set on the user’s device, e.g. browser, until the user has given valid consent. Consent via browser settings is not considered valid as they may not be configured or configurable to the user’s preference.
  • Consent must be an active expression of will, so it is not valid if the user dismisses the banner, ignores consent requests/options, or takes no action.
  • Consent must be freely given, so pre-ticked boxes, activated sliders, etc. cannot be used.
  • Service providers must clearly inform users about the cookies or similar tracking technologies they use, their types, purposes of use, and duration of operation, and ask for the user’s consent to store and use the information.
  • The service provider is responsible for requesting consent and doing so in a compliant way. The consent request mechanism should include at least the following information:
    • clear and thorough explanation of what cookies and other tracking technologies are in use and what data they collect
    • clear and thorough information about the purpose of the cookies in use and their period of duration
    • whether any third parties may process cookie data (and who those parties are and what the purposes are)
    • access to more detailed information, e.g. privacy policy

France

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition:

Prior consent:

Cookie duration:

Consent solution requirements in France

  • Clearly and accessibly include all purposes with short descriptions, categorized, including for personalized advertising, geo-specific advertising, sharing on other social platforms, etc.
  • Recommended to provide accept and reject buttons on the first layer of the consent banner.
  • Dark patterns cannot be used to manipulate user actions.

Germany

Protected groups: Focuses on privacy regarding end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition:

Prior consent: Yes, in most cases, with conditions.

Consent withdrawal: Required, and should be as easy to withdraw as it is to give consent.

Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.

Consent solution requirements in Germany

  • Bundled consent for the GDPR and TTDSG is acceptable, but the user must be informed about both distinct consent requests.
  • The legal basis for data collection/processing must be communicated to users.
  • If the banner’s “accept” option is placed on the first layer, all data collection/processing purposes must also be stated in the first layer. However, granular consent choices do not have to be provided in the first layer.
  • It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e., in the banner. Browser settings changes are not enough, and dark patterns cannot be used to obtain consent.
  • Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.

Greece

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc., even if personal data is not collected.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, consent can be withdrawn at any time, and it must be as easy to do so as to give it. It also must be as easy to deny consent initially (e.g., the same action or number of steps) as to give consent.

Cookie duration: Not explicitly stated, but cookie duration must be part of the information communicated to users, and consent renewal every 6 to 12 months is recommended.

Consent solution requirements in Greece

  • Accepting or rejecting the use of non-essential cookies or trackers must require the same amount of effort or number of clicks (e.g., you can’t enable accepting on the first layer of the banner but rejecting only on the second layer). Not giving users a reject option is not valid consent.
  • Cookie walls are not explicitly prohibited, but the “deny/reject” option requirements must be met.
  • Users who deny consent cannot be penalized in their website experience.
  • Dark patterns/nudging are prohibited.
  • The consent banner should reappear after the same period of time regardless of whether the user consented or rejected, e.g. if users who consent see the banner again to renew consent after 12 months, then users who reject consent can also only see the banner again after 12 months, and not sooner.

Ireland

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition, and also ePrivacy Directive definition: “The law applies to any storage of information on a user’s device or equipment, as well as to access to any information already stored on the equipment – this means through the use of browser cookies or other technologies such as device fingerprinting or the use of pixels or similar devices. It is irrelevant whether the information stored or accessed consists of, or contains, personal data. The ePrivacy Regulations apply when any information is stored on or accessed from the device.”

Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.

Consent withdrawal: Required; users must be informed how they can withdraw consent, and it should be as easy to withdraw as it is to give consent. Consent also cannot be bundled, e.g. with terms and conditions.

Cookie duration: Six months for cookie use requiring consent. For other cookies, lifespan should be proportional to their purpose and no longer than necessary to fulfill the purpose.

Consent solution requirements in Ireland

  • As the six-month expiry requirement for some cookies is shorter than the common 12-month default, the configuration in the CMP needs to be updated.
  • It must be as prominent, accessible, and easy to deny or opt out of consent as to give consent, i.e. in the banner. Browser settings changes are not enough. Dark patterns/nudging to obtain consent cannot be used, nor can pre-checked boxes, etc.
  • A banner that only displays an “Accept” option does not enable valid consent.
  • A “Manage cookies” button, for example, could be used alongside an “Accept” button if the “Manage cookies” button immediately takes the user to a layer of the banner where they can directly accept or reject granular cookie category usage.
  • Users must be provided with information to reject non-essential cookies and/or request information about cookie use. The banner’s second layer must include information about the types and purposes of cookies used and third parties that will have access to/process the information the cookies collect.
  • Users must have easy access to the privacy notice or policy, which cannot be obscured, i.e. users must not have to make consent choices before accessing that information.
  • Implementing accessibility best practices in the design and implementation of the consent banner is recommended.
  • Having a specific cookie policy is recommended, while not explicitly required.

Italy

Protected groups: Focuses on privacy re. end user devices, so any computer, phone, etc. users on which companies use trackers.

Relevant cookie use: “all the entities providing their users with publicly accessible online services through electronic communications networks or else operating websites that rely on cookies and/or other tracking tools”

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.

Consent withdrawal: Required, as is the ability to modify consent choices or to give consent after having rejected it. This must be provided in a simple, easy, user-friendly way, accessible via the website footer, and must be as easy as giving consent.

Cookie duration: Not explicitly referenced; it is recommended to err on the side of as short a period as is necessary to fulfill the purpose of the specific cookie type and/or processing operations.

Consent solution requirements in Italy

  • “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
  • Users should be able to close the banner (i.e. via clicking the “X” at the top right of the banner UI) to maintain default settings and not provide additional consent. As a result, this should enable only essential cookies and does not provide consent for use of any others.
  • Users must be notified about the use of cookies, including those that can be used without consent (i.e. “technical” ones).
  • A link to the privacy policy must be easily accessible, or it should be included in the second layer of the banner.
  • Users must be able to select the cookie functions and/or third parties with access to their data at a granular level. These services and vendors in use must be kept up to date.
  • Use of pre-checked boxes is not allowed.
  • Use of cookie walls is not allowed as the requirement to accept all cookie use or not gain access to the website is not valid consent.
  • Continued scrolling by the user (e.g. ignoring the consent banner) does not constitute valid consent.
  • New consent must be obtained from users if the purposes for requesting consent change or if previous consent choices cannot be detected when the user revisits the website (e.g., they cleared their settings).

Latvia

Protected groups: Users who use services and whose data is collected on websites, etc.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases, and its requirement for cookie use is explicit.

Consent withdrawal: This is required. Users must be informed how they can withdraw consent, and it should be as easy to withdraw as it is to give consent.

Cookie duration: “There is no specific time limit for how long consent is valid. The length of time consent is valid depends on the context, the scope of the original consent and what the data subject expects. If the processing activities change or evolve significantly, the original consent will no longer be valid. In that case, a new consent must be obtained.”

Consent solution requirements in Latvia

  • The first layer of the banner should include:
    • name of the controller (unless provided in other areas of the website like the “About” section or Contact Us page, etc.)
    • purposes of cookies used on the website
    • whether cookies in use are first-party only (controller) or third-party
    • types of data collected and used
    • where user profiling is carried out (e.g. analytical cookie use)
    • how users can accept, reject, or change consent for the use of cookies
    • a clearly visible link to the second layer, which contains more detailed information
  • Users must be provided with granular information and options re. cookie use purposes (so not necessarily for each specific cookie)
  • There can be no risk of negative consequences if users decline cookie use.
  • Users must be able to accept or reject all cookies, or to do so at a granular level, and must have easy access to comprehensive information about the cookies in use, their purposes, etc., as well as easy access to the cookie and privacy policy.
  • User-facing language must be clear and simple.
  • All options must be visually equal and accessible; nudging and dark patterns are prohibited.
  • Ignoring, scrolling, or closing the consent banner without making a consent choice cannot be construed as accepting cookie use, and no cookies except strictly necessary ones can be used.
  • Browser settings are not considered valid consent (per GDPR guidelines).

Netherlands

Protected groups: Users of websites, or equivalent, e.g. apps, etc.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases. Consent can be provided in writing, by ticking a box, clicking a button or link, filling out an electronic form, sending an email, providing an electronic signature or scanned document with a signature, or verbal consent.

Consent withdrawal: Yes, and it has to be as easy to withdraw consent as it was to give consent.

Cookie duration: No explicit time period is provided, but users must be notified about the duration of all cookies set.

Consent solution requirements in the Netherlands

  • The guidelines divide cookie types into Functional, Analytical, and Tracking. Users must be provided with information about the use of cookies in these categories.
  • Pre-checked boxes, use of cookie walls, and manipulating users into consenting (e.g. dark patterns, nudging, etc.) are all prohibited.
  • Ignoring the consent banner and continuing to scroll/browse or closing the banner without making a consent selection cannot be construed as having given consent.
  • Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
  • Website operators must maintain consent records and be able to prove consent was obtained, when, how, and what information they received before making consent choices, etc.

Spain

Protected groups: Users of websites, mobile applications, or other platforms. (Contractual agreements are also required with third parties.)

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition.

Prior consent: Yes, in most cases. Cookies used for the purpose of obtaining traffic or performance statistics may be exempt from consent requirements under specific conditions:

Consent withdrawal: Required, at any time, as easily as it is to give consent, and users must be provided with information on how to do so.

Cookie duration:

Consent solution requirements in Spain

  • Consent options must be presented equally, at the same time, in the same place, e.g. on the same level of the consent banner.
  • Ignoring or closing the consent banner, scrolling, taking no action, or any other non-explicit action is prohibited from being construed as valid consent.
  • Use of pre-checked boxes, other default opt-ins, or cookie walls that block access to the website unless the user consents are prohibited.
  • Users must be able to consent at a granular level to cookie purposes. If a cookie is used for two purposes but the user only consents to one, the cookie can only be used for the consented purpose.
  • Users must be provided with information about the use of cookies and similar technologies – purpose, duration, third parties with access to the data, etc.
  • The first layer of the consent banner must present essential information and be displayed when users access the page or application:
    • identify the managing website editor/name of the publisher
    • purpose of the cookies in use
    • if cookies are owned by the website provider (or comparable) or are set by third parties
    • types of cookies and types of data that will be collected and used
    • options to accept, set up/configure, or reject cookie use
    • link to a second information layer to access more detailed information
  • The second layer must contain more detailed information:
    • more specific information about the cookies in use, purposes, third-party access, etc.
    • control panel or settings panel with info about how to save the selection
  • If cookies in use, purposes, or other factors affecting consent change, the user must be given the opportunity to provide or reject new consent.
  • Language must be simple and clear.
  • Dark patterns/nudging are prohibited.

Sweden

Protected groups: Users of websites, mobile applications, etc.

Relevant cookie use: All cookies and trackers used on devices, e.g. websites, apps, etc.

Consent definition: Uses GDPR definition, and granular consent options for specific purposes are required.

Prior consent: Yes, with no exceptions for necessary cookies.

Consent withdrawal: Yes, and it must be as easy as giving consent. Users must also be provided clear information on how to withdraw consent or otherwise change preferences. Revoking consent cannot have negative consequences for users, e.g., no longer being able to access the website.

Cookie duration: No explicit time period provided.

Consent solution requirements in Sweden

  • Conditional consent is prohibited, e.g. users cannot be required to sign up for a newsletter in order to be able to provide or reject consent.
  • Consent language must be clear and explicit, e.g. “I understand” is not the same as “I accept”.
  • New consent options must be provided to users if the purposes for cookie usage change.
  • Users must be provided with clear information about cookies in use, purposes, duration, third-party access to data, etc.
  • The use of pre-checked boxes is prohibited.
  • Cookie walls that block or restrict access to a site unless the user gives consent are prohibited.
  • Scrolling, browsing, ignoring the consent banner or closing it cannot be construed as valid consent.

Norway data privacy laws and consent requirements

Protected groups: Website users.

Relevant cookie use: All cookies and similar tracking technologies used on websites that collect personal data.

Consent definition: Follows GDPR definition and requirements. Storage and processing of information is not permitted unless the user is informed about, and has consented to, which information is processed, the purpose(s) of the processing, and who processes the information.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, at any time.

Cookie duration:

Consent solution requirements in Norway

  • Users must be informed about and be able to consent to cookie use at a granular level.
  • A consent banner or other consent solution must be clearly accessible on the site and clear about what it’s for.
  • Pre-checked boxes are prohibited. No guidelines on the use of cookie walls.
  • Scrolling, ignoring, or closing the consent banner without making a consent action cannot be construed as the user having given consent.
  • Browser settings to accept cookies are considered valid consent.

Switzerland

Protected groups: Swiss citizens.

Relevant cookie use: Yes, in some cases when personal data is collected and processed, and also if data is transferred across international borders.

Consent definition: Uses GDPR requirements.

Prior consent:

Consent withdrawal: Yes, at any time.

Cookie duration: There are no explicit guidelines, but data must be deleted or anonymized when the processing purpose has been fulfilled.

Consent solution requirements in Switzerland

  • Uses the principles of “privacy by design” and “privacy by default” by law, requiring companies to take data processing principles into account in the planning and design stages of websites and applications (and not just seek to secure and protect data retroactively).
  • Default browser settings and similar mechanisms are not considered valid for consent for more processing than is absolutely necessary.
  • Consent must involve an explicit action, e.g. checking a box.
  • Consent banners are not legally required, but clear user notification is required about whether a legal basis is required for data collection and processing, and about the parties involved, as is a user-friendly consent mechanism where data processing requiring consent takes place.

United Kingdom

Protected groups: Individuals whose personal data is processed.

Relevant cookie use: The cookie rules apply to the subscriber or user’s “terminal equipment” e.g. computer or mobile phone. The subscriber is the person who pays the bill for the use of an online service, and the user is the person who uses a device to access an online service.

Consent definition: Uses GDPR definition and requirements.

Prior consent: Yes, in most cases.

Consent withdrawal: Yes, users must be able to withdraw consent at any time as easily as they gave it, and receive information about how consent can be withdrawn, and how cookies already set can be removed.

Cookie duration: There are no explicit guidelines, but it will depend on the service and the purpose of the processing for the data the cookie collects (and for which user consent is required). It should be limited to the minimum time necessary to fulfill the purpose of processing. Cookie duration may also affect exemptions in Regulation 6(4).

Consent solution requirements in the UK

  • Users must be given clear and equal access to all consent choices. Dark patterns or nudging are prohibited (as is denying the option to reject cookies entirely).
  • Users should have access to information about cookie use and the opportunity to make consent choices as soon as they arrive on the website.
  • The privacy policy or notice must include full details about data collection and processing, third-party access, and other relevant details. It should be easily accessible via a prominent link in the site’s header or footer.
  • Use of pre-checked boxes is prohibited.
  • Inactivity, scrolling, ignoring, or closing the consent banner cannot be construed as valid user consent.
  • Users cannot be penalized for rejecting consent, e.g. lack of access to the website or features.
  • Browser settings do not constitute valid consent.
  • Consent cannot be bundled into terms and conditions or other documentation.
  • Cookie walls are not prohibited, but they must comply with GDPR standards. For example, users cannot be blocked from the site unless or until they give consent.

The Transparency and Consent Framework (TCF) version 2.0 of the Interactive Advertising Bureau (IAB Europe) has been officially in force since 15 August. 

The TCF 2.0 was intended to finally introduce a technical market standard that defines the retrieval and transmission of a user’s consent signals between publishers and third parties who have joined the framework (such as Google, Criteo, or Taboola). 

While some players in the digital advertising industry are celebrating the framework as a long-awaited standard to harmonize a heterogeneous market, critical voices are gradually becoming louder. But what exactly has happened?


According to the Belgian data protection authority, TCF 2.0 violates the GDPR

Only recently, the Belgian data protection authority (APD-GBA) published the preliminary results of a study on TCF 2.0, and these have had a knock-on effect. The central message was that, in the authority’s opinion, TCF 2.0 violates several points of the General Data Protection Regulation (GDPR). The report states:

The accusation that the TCF 2.0 makes the processing of especially sensitive data such as health data, information regarding sexual orientation etc. technically possible for advertisers in Real Time Bidding (RTB), with or without the user’s permission, weighs particularly heavily.

What does the IAB Europe say?

In response to the report, IAB Europe has already published a statement challenging the Belgian data protection authority. IAB Europe points out that these are only preliminary findings without any legal effect.  

IAB Europe also noted that although TCF 2.0 is a voluntary standard, it was developed in cooperation with European data protection authorities.

Source IAB: https://iabeurope.eu/all-news/iab-europe-comments-on-belgian-dpa-report/ 


To summarize, there is currently a lot of discussion on which TCF 2.0 CMP implementations are compliant and which aren’t. As the market is currently very dynamic, it remains to be seen what standards will prevail. 

End-user License Agreements (EULAs) are among the most frequently accepted yet least-read contracts in the digital world. These agreements play a crucial role in defining the terms and conditions under which users can access and use software. Yet, despite their importance, many users skim through them or accept them without a thorough understanding.

We demystify EULAs, explaining what they are, why they are essential, and how they can protect both software developers and users.

Understanding EULAs is essential for both consumers and software providers. For users, it’s about knowing their rights and obligations when using a piece of software. For developers, it’s about safeguarding their intellectual property and minimizing legal risks.

What is a EULA?

EULA stands for End-user License Agreement, and it’s a legally binding contract between a software provider and the end user that gives the individual or company the right to use a piece of software in a specific manner.

However, EULAs do not grant ownership rights to the software. The creator retains control and ownership rights, as the software is their intellectual property.

In the physical world, this type of license is akin to the use of a state or national park. These spaces are created and protected by governments. People pay a fee to use them for hiking or camping purposes and agree to abide by the rules. If people break those rules, they lose access to the park and may be fined for damages.

Is a EULA the same as “Terms of Use” or “Terms of Service” (ToS)?

A EULA is not the same as Terms of Use or Terms of Service (ToS), although both are legal agreements between providers and users.

EULAs specifically pertain to software usage, focusing on licensing terms, intellectual property rights, and usage restrictions. They typically apply to software that individuals or companies install or access on their devices.

In contrast, terms of use or terms of service are broader agreements covering a wide range of online services, including websites and platforms. ToS outline general rules for service usage, user behavior, privacy policies, and dispute resolution.

While EULAs are software-centric, ToS apply to various online interactions and services. Both documents serve important legal purposes but differ significantly in their scope, content, and application contexts.

What is the difference between an SLA and a EULA?

Although they might seem similar as they are both contracts related to software usage, EULAs and Software License Agreements (SLAs) serve different purposes and audiences.

EULAs are designed for individual users, focusing on software usage guidelines and protecting the vendor’s interests. They typically involve simple click-through acceptance, and the vendor retains full ownership.

SLAs typically cater to businesses, covering broader terms including deployment, maintenance, and support. They often involve negotiations, formal signatures, and may allow for more flexible ownership arrangements.

Ultimately, EULAs are generally simpler and standardized, while SLAs tend to be more detailed and customized, often including performance metrics and specific business terms.

Who needs a EULA?

A EULA is not necessary for all companies. Typically, the creator or licensor of a software product should implement a EULA if they want to:

This could apply to either an individual or a company, though in many cases it’s a company looking to cover its legal bases.

A EULA can help protect the software creator on two fronts. Primarily in their agreement with the end user, but also in relationships with third parties, like app platforms, through which the software is accessed. It protects your ownership rights, licenses your software effectively, restricts undesirable use, limits your liability, and safeguards your intellectual property.

Evolution of EULAs

Previously, EULAs were “shrink-wrap” licenses, requiring consumers to purchase and open software packaging to access the EULA. This posed legal issues, as consumers couldn’t read the EULA before purchasing software.

Today, software is typically downloaded or used online, with consumers required to agree to the EULA before installation by clicking an “agree” button. Often, a link to the EULA is provided, and completing the transaction implies consent. In some cases, the user is required to scroll down to the bottom of the page before the “agree” button is enabled, slightly raising the odds that they read the contents of the agreement.

With software moving online, the EULA is now called a “click-wrap” license. If consumers do not agree, they cannot use the software or complete the purchase.

Is a EULA required by law?

A EULA is not legally required. No law mandates software developers or publishers to provide an End-user License Agreement.

However, while not legally mandatory, having a EULA is highly recommended because it protects the ownership rights of your software, provides legal protection, limits your liability, and helps prevent copyright infringement.

This is because a EULA is a legally enforceable contract between you and the end user and can protect your intellectual property and copyright. Once the user gives consent, it’s as if they are entering into a contract with a software vendor.

Advantages of using a EULA

EULAs are essential tools for software developers and publishers, offering a range of benefits that protect their interests while setting clear expectations for users. Some key advantages of using a EULA are:

When should you use a EULA?

Infographic presenting the cases when you should use a EULA

To put it plainly, if your software is made available for public use, you should use a EULA to protect your company and define user responsibilities.

However, generally speaking, there are a few specific instances in which you should implement a EULA:

What components should be included in a EULA?

The main goals of EULAs are for the creator/licensor to retain full ownership of their product, and to prevent legal issues from arising. To make this a reality, a EULA must include certain core components, and then it can have additional elements depending on the software or product.

Core components of a EULA

  • Definitions: This section provides clear explanations of important terms used throughout the agreement to ensure both parties understand the terminology.
  • License grant: The license grant specifies the scope of the license, including whether it is personal, commercial, perpetual, or time-limited, and outlines the usage rights and restrictions for the end user.

Additional elements of a EULA

By including these core components and relevant additional elements, a EULA can provide a comprehensive legal framework for software usage, protecting both the licensor’s and the licensee’s interests.

How to create a EULA?

Creating a EULA for your software or application can be approached in several ways. The easiest and fastest method is to use a EULA generator. These tools enable you to create a customized EULA by answering questions about your app and business and are often backed by legal teams to help ensure comprehensive coverage of necessary clauses.

Another option is to use a template as a starting point. This method can be suitable for simple apps that only require a basic EULA. However, be cautious to ensure that all necessary elements are included and that the language is appropriate for your particular software and jurisdiction.

For those with legal knowledge or who want full control over the content, writing your own EULA is an option. But this approach requires a thorough understanding of the essential components and legal implications of such agreements. And it’s crucial to include key sections, such as licensing and restrictions of use, termination clauses, limitation of liability, disclaimers of warranties, and copyright infringement policies.

Regardless of the method you choose, it’s important to ensure that your EULA is clear, concise, and easily understandable. Avoid using complex legal jargon and make sure it covers all necessary aspects of your software’s usage and licensing.

Where to display a EULA?

Users need to agree to a EULA before they purchase software or an app and begin using it. Therefore, there are two moments at which you can display a EULA:

  1. Before a person downloads or installs your software: This is the most common and recommended approach. You can display it on your product’s download page, in the app store listing before purchase or download, or during the installation process, before the software installation is completed.
  2. After downloading or installation: You can also display a EULA when the application first launches or within the application’s settings or “About” menu.

What happens if a EULA is violated?

If a user violates a EULA, this can lead to several serious consequences.

One of the most immediate repercussions is the termination of the software license, which means the software provider can revoke a license, cutting off access to the software and any associated services.

Legal action is another possibility. The provider can initiate legal proceedings against an individual, seeking damages or injunctions, which can result in hefty fines and legal costs.

Financial penalties are also a possibility, and individuals may be required to pay for any damages caused by the breach, including compensation for lost revenue.

In severe cases, especially those involving piracy or unauthorized distribution, a person can face criminal charges, potentially leading to imprisonment.

The EULA’s limited scope

It’s worth noting that EULAs aren’t all benefits; there can be downsides. EULAs are intended to establish users’ responsibilities, but users aren’t given any choice about the terms. EULAs also lack contract specifics, like addressing identifiable buyers or specifying a time frame for purchase. They may also be contrary to federal or state laws.

For example, if a user copies and sells a company’s software, a common violation of EULA terms, the company can seek recourse. The license to use the software can be revoked. The user’s account could be locked down, preventing access. The company can also sue for damages.

However, even if the user’s license to use the software has been revoked, the user could retain access to certain assets that they created using the software, like images or video.

Can a EULA be bad for users?

Some terms of EULAs can be of concern regarding user privacy. Some software includes monitoring for Digital Rights Management (DRM) violations or requires the user to agree to automatic monitoring. Both of these require the software to access users’ systems and enable the software to connect with third-party networks, commonly without notifying the user. Typically, users don’t have a way of knowing how secure those third parties’ systems are, how much user data they can access, or what they might do with it.

In addition, some EULA agreements enable software from third parties to be downloaded onto users’ devices without requiring separate agreements or consent.

Lastly, certain EULA terms preclude users from publicly criticizing the product. This can mean that the user can’t complain publicly if the software doesn’t work or causes damage, thus skewing online reviews and misleading potential customers.

Understand EULAs to protect your software

EULAs are so common in our online work and life activities that we rarely think about them. But they have significant implications in people’s use of software, and can also be at odds with privacy rights and the law. Understanding how EULAs are constructed, and for whose benefit, can enable people to be more educated consumers.