Under the GDPR, consent has to be informed and given freely. That means that a data subject must have an informed choice as to whether data processing will take place or not. Furthermore, consent has to be concrete. General or broad consents do not constitute effective consent. Additionally, the GDPR requires consent to be explicit. A data subject has to consent actively – pre-ticked boxes and similar circumstances would make a given consent non-binding under the GDPR.
The GDPR also manifests the obligation to offer the possibility to withdraw consent at any time. Taking it even further, withdrawing has to be as easy as it was to give consent. Prior to giving consent, a data subject has to be informed thereof. The toughest requirement comes with Article 7 (1) of the GDPR, which places a controller under an obligation to prove that consent was given. This entails proving that it was given in an informed, free, concrete and explicit way, as well as being obtained prior to data processing (if the legal basis for processing is consent). This obligation inevitably leads to consent management in some form.
Consent management for websites
A simple situation that becomes complex under the GDPR is visiting a website. If a website has integrated tags, it needs the consent of the website visitor if its purpose is tracking, retargeting and profiling, as the data collected by tags is considered personal data under the GDPR. Obtaining and documenting the informed, free, concrete, explicit, prior and easy-to-opt-out consent of website visitors requires a technical solution. This can be done in-house, but as it is a whole product of its own requiring a lot of maintenance, monitoring of jurisdictions and entails high liability risks, it does make sense to outsource consent management to a specialised provider.
Criteria for selecting a consent management platform (CMP)
As CMPs for website technologies are a recent development, below are some objective criteria resulting from legal and technical implications that should be considered when selecting a CMP.
Documentation and servers. Resulting from the obligation to document and proof the consent, server-side and not client-side storage of consents is important. If possible, the consent data should be stored on servers in the EU. The CMP should also be able to offer on-premise hosting of consent data.
Voluntariness. The user should initially be given both the option of accepting and rejecting. A cookie wall that leaves the user with no other option but to agree does not comply with the requirements of freely-given consent.
Loading before opt-in and after opt-out. It should be possible to load the technologies that require consent, only after a valid opt-in. After opt-out, the technologies should not be loaded anymore, not even the opt-out itself. Sending the user to an external third-party provider website for an opt-out is not reasonable and does not constitute an easy withdrawal.
Granularity. The principle of concreteness can be interpreted as a requirement for granular consent to certain technologies used on the site. Also, resulting from the principle of minimalism, consent should only be obtained for technology that is actually in use on a website. Obtaining consent for a complete list of over 350 vendors, as the Interactive Advertising Bureau (IAB) solution imposes, is difficult to justify.
Piggybacking cases. The CMP should also detect and cover piggybacking cases, such as a tag on the website which automatically transfers data to other piggybacked tags that are not on the website themselves, e.g., affiliate tags, which are partially reloaded.
Not only cookies. The requirement of consent should not only be considered for tags, but also for other web technologies such as plug-ins and integrated content (e.g., embedded YouTube videos and Google fonts). The obligation to obtain consent might result from factors such as if they entail a data transfer to a third country, such as the US. In any case, are they subject to the information obligation pursuant to the GDPR?
Privacy by design. To prevent the CMP from becoming the next ‘data octopus’, client data should be stored separately during the processing. That can be retrieved by not tracking and connecting user agent data, meaning, if the identical user gives consent on one website, the CMP should by default not be able to map that consent to consent on another website, as this would be profiling pursuant to Article 21 of the GDPR, which itself requires consent.
IAB consent framework. The IAB transparency and consent framework is the first standard guiding how consent can be transferred globally. The selected CMP should support the IAB standard, as in the future personalised advertising will only be controlled with ConsentID in the bid request.
Compatibility. The CMP software should be developed agnostically, so that it is compatible with any tag management and website system.
Integration in privacy policy. As the controller has to comply with the information obligation, it is useful to be able to integrate the legally-relevant texts of the web technologies (automatically) into a general privacy policy, e.g., through an iFrame.
Design and UI/UX. The CMP should offer to customise the frontend, because this is the only way to ensure that website visitors do not feel irritated and annoyed by cookie popups and banners which would thwart the laboriously designed CI and UI/UX efforts.
Business purpose of the CMP provider. The sole business purpose of the provider should be to obtain consent so that the use of the CMP can be based on Article 6 (1)c of the GDPR. If a provider pursues further business purposes, it can be assumed that consent data will be used for business purposes. Therefore, either a proprietary development with a separate neutral company, or an external provider with privacy-by-design is recommended.
Flexibility. It is very important to be able to control and change the rules for loading tags. In some cases, a company might want to implement ‘soft’ settings – e.g., to load certain technologies such as pure web analysis tags without consent. However, if the verdict of a data authority is to prohibit that, a quick switch to a zero cookie load setting must be possible.
Is your organisation affected?
Organisations located in the EU and European Economic Area (EEA) need to comply with the GDPR, and rules on the use of cookies and similar technologies. However, under Article 3 of the GDPR, generally all websites globally have to comply with the GDPR where tracking or profiling technologies are applied to EU users. All organisations globally that use such technologies will need a consent management solution – either to comply with the GDPR or to block EU/EEA users and stay out of the GDPR.
Reviewing possible CMP providers and implementing solutions is the right step toward preparing for e-privacy regulation that will write the next chapter in the book of EU data protection reforms.
