How to Obtain Valid Consent to Use Cookies - Bite-Sized Legal #10

By Bite-Sized Legal • Issue #10
If you need to comply with the GDPR, having a privacy policy is not enough for compliance.
If you use any cookies or tracking tools, such as Facebook Pixel, Google Analytics, Quora Pixel, or the like, you need to obtain explicit consent from your users before using them.
And that’s where many businesses fail.
Many also think they can get by without being fined.
And that was true for some time, but times are changing. NOYB, a non-profit dealing with online privacy, is going after the cookie banner terror. They have a piece of software that tracks websites without compliant cookie banners, and they ask those websites to comply. If they don’t, NOYB submits a complaint to the data protection authority.

So, How Do You Comply?
You need a compliant cookie banner.
A compliant cookie banner requests explicit consent. It doesn’t set any cookies before obtaining that consent.
The consent is explicit if it meets the following criteria:
  • It is freely given. This means that it is not conditional on anything. For example, you cannot tell the user that they have to give consent for data processing in return for access to content. That is forbidden. Such consent is not valid.
  • It is informed. Informed consent means that the user knows what data will be processed, why it will be processed, where the data will be transferred, etc. It is up to you to inform the user about that. You can do so by providing a link to your privacy policy. It is none of your business whether the user reads the privacy policy or not, but it is your business to provide them with the information. And it has to be in plain language.
  • It is unambiguous. This means that the consent is valid only if the user has clearly indicated that they consent to the use of cookies and data processing. A clear indication is when they click an ACCEPT button, an I’M OK WITH COOKIES button, or something like that. You also have to provide them with an opportunity to refuse cookies. This also means that implied consent is not valid. Implied consent is when you assume that the user gives consent just by staying on the website. Messages such as “By browsing this website, you agree to the use of cookies and our privacy policy” are utter nonsense according to the GDPR. That’s not consent.
  • It is easily withdrawn. The user should be able to withdraw the consent as easily as they gave it. If the user has given consent as easily as possible through a cookie banner, you cannot require them to withdraw it by submitting a form via email. That’s just not as easy. If you have a consent and cookies preference centre on your website, that’s enough for compliance. A preference centre is a place on the website where the user can go and withdraw the consent by simply unchecking a checkbox or moving a toggle.
  • It is specific. You need consent for each processing purpose. Let’s imagine that you collect and process data for analytics and marketing purposes. This means that you need to obtain one consent for the analytics processing and another consent for the marketing processing. You can obtain both with a single cookie banner. You just have to provide toggles, checkboxes, or another way to give consent for each purpose. Important: the default setting shall be OFF. The user has to check the boxes. Pre-checked checkboxes are not valid consent. The image below shows what unchecked consent checkboxes look like. That’s the basis for valid consent. If you pre-check the boxes for the user, that makes the consent invalid.
That’s about it.
Any questions?