Consent lies at the heart of all privacy regulations and data protection rules enforced by organizations and governments at a global level. In 2021, the identity landscape has become more complex than ever before, with a growing number of regulations being enforced worldwide.
As a result of the constant changes in the consent management environment, companies need to focus on implementing strong regulations to be able to collect, store, and use first-party and third-party cookies. One of the most important regulations that deals with consent management and third-party cookies is the world-renowned GDPR.
The General Data Protection Regulation (GDPR) is a data privacy law that governs the processing of personal data of individuals inside the EU. Websites must comply with it and secure the consent of users from this region before activating cookies and trackers on their domain that process personal data.
In this article, you’ll find complete answers to the questions listed below:
1. What is consent management?
2. How do you manage consent in GDPR compliance on your website?
3. What is valid consent according to the GDPR?
4. Do you need consent management on your website?
5. What consent management software can you use?
6. What is Tremend’s role in consent management implementation?
1. What is consent management?
Consent management is an act or process that gives a site users the ability to control and manage the usage of their personal data. This means that you can enable your site users to choose whether to opt-in and out of certain cookie categories (such as preferences, marketing, or statistics).
The end result of consent management is to put individuals in charge of their own data and to build trust between them and your organization. It also empowers your site users to exercise their own right to privacy, enabling them to feel in control, thus complying with all rules and regulations in place, such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), POPIA (South Africa’s Protection of Personal Information Act), LGPD (General Personal Data Protection Law in Brazil), and others.
A proper consent management system encompasses the following elements:
- The actual procedure for asking for consent from the website visitors by clearly disclosing the actual consent they are giving and how their personal data will be used.
- Postponing all the tracking cookies until proper consent has been given.
- Securely storing all the consent-related information and protecting it against cyber attacks.
- Giving the site users unrestrained access to withdraw their consent at any given time.
- The ability to renew consent annually. Nevertheless, according to some national or local data protection guidelines, the consent has to be renewed more often, at six or nine months. You should always check up with your local data protection guidelines for compliance.
2.Managing Consent for GDPR
The General Data Protection Regulation was enforced in Europe for the first time on 25 May 2018. This law affects all organizations, companies and websites, at a global level, that handle the personal data of EU citizens.
The GDPR definition of personal data is quite the opposite of narrow, including “any type of information relating to an identified or identifiable natural person”. In simpler terms, this regulation defines data as information that can be combined to build or single out a complete profile of a particular data subject.
Statistics (such as analytics cookies) and marketing cookies (like tracking cookies), which are commonly used by most websites out there, are subject to the GDPR. This means that, as a company either located in Europe or located in another country but having European-based site visitors, you need proper consent from your users in order to enable cookies and track their personal data.
Your site visitors have to be informed about all tracking cookies and should explicitly offer their consent before any data can be processed, according to the GDPR.
3.What is valid GDPR consent?
The European Data Protection Board (EDPB) is considered to be the leading supervisor of the GDPR in Europe, being responsible for directing all the national data protection authorities across European countries, ensuring the GDPR regulations are properly enforced.
EDPB released guidelines on valid consent in the EU, clarifying what constitutes proper, lawful user consent on websites for the processing of personal data.
These EDPB guidelines specify that:
- Cookie banners are not allowed to have pre-ticked checkboxes as a default. All cookies (except the strictly necessary cookies) must be deselected and deactivated by default so that people who enter the site can give their consent as a clear and affirmative action.
- Cookie walls (forcing users to consent to cookies in order to gain access to a website) are deemed unlawful. Users must be able to filter their consent and also give it freely.
- Continued browsing and scrolling on a website does not constitute valid consent.
Consent management is a key part of the GDPR. Inside the GDPR, the actual definition of proper consent is very clear, leaving a huge responsibility on the shoulders of website owners and operators.
According to Article 7 of the GDPR, the conditions for consent are detailed as follows:
- Where data processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
- Any part of such a declaration that constitutes an infringement of this Regulation shall not be binding.
- The data subject has the right to withdraw his or her consent at any time.
- The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Prior to giving consent, the data subject will be informed thereof. It must be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
As a conclusion, real GDPR consent is thus informed, needs to be revealed prior to any processing of user data, is withdrawable from the user, and should never be given under the conditions of providing a service.
4. Do you need consent management for your website?
If your company’s website makes use of tracking or marketing cookies, you need to obtain consent from your site visitors before using their information in any way.
You also need consent management services if your website is hosted on WordPress, you use Google Analytics or other analytics tools, or you feature embedded content on your site, such as YouTube videos or social media buttons.
If you fall into one of these categories, then you need to implement a consent management platform to make sure that:
- all cookies are paused until proper consent has been obtained,
- the user gets transparent information on the cookies,
- and that he or she may withdraw his or her consent at any time.
The naked truth is that most websites today need consent management since all of them operate with the most basic tools in place, such as statistics, marketing or implementation of social media functions.
5. What consent management software platform should you use?
A consent management software platform is an automation tool that enables companies and websites to become compliant with consent management regulations, such as GDPR, CCPA, or LGPD. The role of these platforms is to collect and handle user consent, display consent pop-ups or banners, manage customer data, and fire tags for analytics purposes.
Some of the most common features offered by modern consent management software platforms include:
- Setting consent for specific purposes
- Personalization of banners and pop-ups
- Cookie whitelisting
- Reporting & dashboard
- Zero-cookie load
- Data subject widgets
- Secure cloud hosting
- Real-time geotargeting
- Language auto-detection
Below, you can find a list of the top consent management software platform available today, with detailed specs and feature information.
Being non-compliant with the GDPR rules & regulations is something quite dangerous, with fines that can reach €20 million or 4% of the annual global turnover of a company.
The great news is that you don’t have to worry about consent management implementation services. You can use the services of a consent management implementation company such as Tremend. We’re working with a multitude of consent management software platforms in order to enable our clients to become fully compliant with GDPR and other regulations.
Tremend has already implemented numerous consent management solutions, including One Trust & Cookiebot for Regina Maria, one of the largest private healthcare providers in Romania, and Avandor for the NN Web Platform, the world leader in research-based user experience.
Contact us to learn more about how we can help your company become compliant with GDPR and other consent management regulations.