Cookies – What is compliant consent under the GDPR?
Consent is one of the six legal bases mentioned in the GDPR for personal data processing activity.
The GDPR defines the conditions under which consent must be obtained. What are they? A valid consent is active, specific, free, unambiguous and informed. Find out more in this blog post.
What is the GDPR?
The GDPR is the General Data Protection Regulation. The European legal framework that sets guidelines for the collection and processing of personal data.
It is essential to know the main principles of processing personal data accordingly to the GDPR.
Among these principles, the GDPR requires any entity to process personal data only on a lawful basis:
- the legitimate interest of the company, or of a third party;
- a legal obligation;
- the performance of a contract with the data subject;
- the consent of the individuals whose data is being processed.
- the vital interest (a rare processing activity that could be required to save someone’s life);
- the public interest (a processing activity that would occur by a government entity or an organisation acting on behalf of a government entity).
Consent allows data subjects to exercise real and effective control over the processing of their personal data.
The notion of consent applies, for example, to:
- registration to a commercial newsletter database, by e-mail or SMS;
- the deposit of non-essential cookies (cookies that are not necessary for the functioning of a website), such as the advertising for example;
The GDPR gives a unitary definition of the criteria for a valid consent to be respected.
Collection of consent, what are the rules?
Consent, unambiguous indication of wishes (by statement or clear affirmative action)
It must be obvious that individuals have consented, and what they have consented to. This requires more than just a confirmation that they have read terms and conditions.
There must be a clear signal that users agree. If there is any room for doubt, it is not valid consent. The GDPR is clear that consent requires clear affirmative action.
This action can take many forms:
- signing a form;
- ticking a box;
- oral consent;
In practice, many websites have a cookie consent banner. Through the cookie consent banner, end-users can click on an “accept” button or tick a box to agree to the deposit of cookies on their devices.
Silence or inaction will not be considered valid consent.
When you launch a website, navigating from page to page, or scrolling down a screen does not mean that users agree to the deposit of cookies on their devices either.
Freely given – when consent is given without compulsion to agree
Consent must be freely given. In other words, when you ask for your end-users’ permission, they should have a genuine choice and be able to answer yes or no. If users have no real choice, consent is not freely given and it will be invalid.
The GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service.
However, this format is still legal in some cases. It has the advantage of encouraging the user to make a choice regarding cookies. Provided that the banner is compliant and that it includes a button to accept and to refuse.
Be aware that your users must also be able to go back and withdraw consent easily at any time.
Since consent is free, it is easy to withdraw. This is a fundamental condition that is part of the users rights under the GDPR.
Specific, consent given for a specific purpose
Consent needs to be specific, per purpose. On top of being legitimate the purpose of processing needs to be specific.
Therefore, for a processing operation that includes several purposes, individuals must be able to consent for each of these purposes. Users must be free to choose the purposes for which they consent to the processing of their data.
A controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes. For consent to be valid, users must be able to consent freely and separately for each processing operation.
In addition, if you have consent for a specific purpose and want to process data for a new purpose consent needs to be asked again as the explicitly given consent no longer applies.
Informed, when consent means being informed
Consent is given with full knowledge of the facts. Consent is informed only if at least the following information has been provided to the data subject:
- the controller’s identity;
- the purpose of each of the processing operations for which consent is sought;
- the type of data that will be collected and used;
- the existence of the right to withdraw consent;
- the information on the use of the data for automated decision making;
- the potential risks of data transfers to third countries outside the EEA.
With regard to cookies, this information is often given in several parts.
The cookie consent banner provides three first levels of information provided in an easy to read and to understand.
- The introductory text
- The see more link: to have a detailed view of the list of cookies and tracking technologies organised by category of cookies, as well as the owner of the cookie, the name and the purpose. The user will be able to consent to individual categories of cookies.
Layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise and complete on the one hand, and understandable on the other hand.
Proof of consent, an obligation of the GDPR
The GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject’s consent.
This means that the data controller must keep a record of consent statements received.
According to the CNIL, the proof of consent must contain three elements:
- who has consented;
- how consent was obtained;
- when consent was obtained.
The controller shall also be able to show that the data subjects were informed and the controller´s workflow met all relevant criteria for a valid consent. This proof is essential to achieve GDPR compliance of your personal data processing and must be made available to the regulatory authorities in the event of an audit.
Conclusion: ready to collect your users valid consent?
Make sure you act transparently and provide your users with everything they need to truly consent, starting with transparent information about what they are consenting to.
In practice, for cookies you will install a consent management solution on your site that will take care of:
- displaying a cookie banner and a consent management interface on your site;
- collecting and storing each given consent.
This will not only help you being compliant, but is a real opportunity to build trust with your audiences, as well as a higher level of engagement.
Fortunately, you can rely on Admeet solutions to manage your cookies in full compliance.