Website consent management solutions under the GDPR
August 2018 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS: STRATEGY, COMPLIANCE & RISK
Financier Worldwide Magazine
August 2018 Issue
Consent in daily life appears to be simple: it is a yes or no question. Consent in legal terms, and in particular the consent introduced by the General Data Protection Regulation (GDPR), is rather complex. Strict requirements are tied to a valid consent imposing practical challenges on what appear to be simple daily life situations.
Under the GDPR, consent has to be informed and given freely. That means that a data subject must have an informed choice as to whether data processing will take place or not. Furthermore, consent has to be concrete. General or broad consents do not constitute effective consent. Additionally, the GDPR requires consent to be explicit. A data subject has to consent actively – pre-ticked boxes and similar circumstances would make a given consent non-binding under the GDPR.
The GDPR also manifests the obligation to offer the possibility to withdraw consent at any time. Taking it even further, withdrawing has to be as easy as it was to give consent. Prior to giving consent, a data subject has to be informed thereof. The toughest requirement comes with Article 7 (1) of the GDPR, which places a controller under an obligation to prove that consent was given. This entails proving that it was given in an informed, free, concrete and explicit way, as well as being obtained prior to data processing (if the legal basis for processing is consent). This obligation inevitably leads to consent management in some form.
Consent management for websites
A simple situation that becomes complex under the GDPR is visiting a website. If a website has integrated tags, it needs the consent of the website visitor if its purpose is tracking, retargeting and profiling, as the data collected by tags is considered personal data under the GDPR. Obtaining and documenting the informed, free, concrete, explicit, prior and easy-to-opt-out consent of website visitors requires a technical solution. This can be done in-house, but as it is a whole product of its own requiring a lot of maintenance, monitoring of jurisdictions and entails high liability risks, it does make sense to outsource consent management to a specialised provider.
Criteria for selecting a consent management platform (CMP)
As CMPs for website technologies are a recent development, below are some objective criteria resulting from legal and technical implications that should be considered when selecting a CMP.
Documentation and servers. Resulting from the obligation to document and proof the consent, server-side and not client-side storage of consents is important. If possible, the consent data should be stored on servers in the EU. The CMP should also be able to offer on-premise hosting of consent data.
Voluntariness. The user should initially be given both the option of accepting and rejecting. A cookie wall that leaves the user with no other option but to agree does not comply with the requirements of freely-given consent.
Loading before opt-in and after opt-out. It should be possible to load the technologies that require consent, only after a valid opt-in. After opt-out, the technologies should not be loaded anymore, not even the opt-out itself. Sending the user to an external third-party provider website for an opt-out is not reasonable and does not constitute an easy withdrawal.
Granularity. The principle of concreteness can be interpreted as a requirement for granular consent to certain technologies used on the site. Also, resulting from the principle of minimalism, consent should only be obtained for technology that is actually in use on a website. Obtaining consent for a complete list of over 350 vendors, as the Interactive Advertising Bureau (IAB) solution imposes, is difficult to justify.
Piggybacking cases. The CMP should also detect and cover piggybacking cases, such as a tag on the website which automatically transfers data to other piggybacked tags that are not on the website themselves, e.g., affiliate tags, which are partially reloaded.
Not only cookies. The requirement of consent should not only be considered for tags, but also for other web technologies such as plug-ins and integrated content (e.g., embedded YouTube videos and Google fonts). The obligation to obtain consent might result from factors such as if they entail a data transfer to a third country, such as the US. In any case, are they subject to the information obligation pursuant to the GDPR?
Privacy by design. To prevent the CMP from becoming the next ‘data octopus’, client data should be stored separately during the processing. That can be retrieved by not tracking and connecting user agent data, meaning, if the identical user gives consent on one website, the CMP should by default not be able to map that consent to consent on another website, as this would be profiling pursuant to Article 21 of the GDPR, which itself requires consent.
IAB consent framework. The IAB transparency and consent framework is the first standard guiding how consent can be transferred globally. The selected CMP should support the IAB standard, as in the future personalised advertising will only be controlled with ConsentID in the bid request.
Compatibility. The CMP software should be developed agnostically, so that it is compatible with any tag management and website system.
Design and UI/UX. The CMP should offer to customise the frontend, because this is the only way to ensure that website visitors do not feel irritated and annoyed by cookie popups and banners which would thwart the laboriously designed CI and UI/UX efforts.
Business purpose of the CMP provider. The sole business purpose of the provider should be to obtain consent so that the use of the CMP can be based on Article 6 (1)c of the GDPR. If a provider pursues further business purposes, it can be assumed that consent data will be used for business purposes. Therefore, either a proprietary development with a separate neutral company, or an external provider with privacy-by-design is recommended.
Flexibility. It is very important to be able to control and change the rules for loading tags. In some cases, a company might want to implement ‘soft’ settings – e.g., to load certain technologies such as pure web analysis tags without consent. However, if the verdict of a data authority is to prohibit that, a quick switch to a zero cookie load setting must be possible.
Is your organisation affected?
Reviewing possible CMP providers and implementing solutions is the right step toward preparing for e-privacy regulation that will write the next chapter in the book of EU data protection reforms.
Lisa Gradow is co-founder and chief protection officer and Mischa Rürup is founder and chief executive at CMP Usercentrics. Dr Andreas Splittgerber is a partner at Reed Smith LLP. Ms Gradow can be contacted by email: email@example.com. Ms Rürup can be contacted by email: firstname.lastname@example.org. Dr Splittgerber can be contacted by email: email@example.com.
© Financier Worldwide
Lisa Gradow and Mischa Rürup
Dr Andreas Splittgerber
Reed Smith LLP