Danish DPA (Datatilsynet) releases new cookie guidelines – here are the essentials.
What is consent?
According to the General Data Protection Regulation (GDPR), consent occurs when the data subject (the website user) voluntarily agrees that a data controller (the website) can collect and process the user’s data.
There are strict requirements on what constitutes valid consent. We will clarify these requirements in detail in the following sections, but here is a quick overview:
- Processing of personal data cannot begin until valid consent is obtained.
- Valid consent is any freely given, specific, informed and unambiguous indication of the user’s agreement to the processing of personal data.
- Consent is only valid if the user can withdraw it.
- There are special requirements for children, especially for social media and services with content specifically targeting children under 16.
- Consent must be stored for documentation (in case of inspection by the DPA).
For consent to be valid, the user must be properly informed about who processes the data and for what purpose; the consent request must be written in clear and easy-to-understand language; and consent must be given explicitly.
If you own a website, you are the data controller and therefore responsible for collecting consent from your users (and visitors).
Example: What is valid consent on a website?
A person enters a website for the first time. The user is immediately presented with a cookie pop-up banner informing that the website uses cookies for processing personal data. Also, the user is informed about who processes data (first- and third-party services) and for what purpose. Finally, the user is presented with an option to accept or decline cookies. If the user wants more information, there will be a link to a cookie policy in the banner. Therefore, users’ consent to cookies and tracking will be informed, specific, and freely given. The website then stores the consent for 5 years. Only then will the consent be valid.
What are the requirements for consent?
There are many requirements for consent to be GDPR compliant: when data processing may begin, the format of the consent, and that it has to be freely given, specific, informed, and an unambiguous indication of the user’s agreement to data processing.
Here we look at the most important:
1) No data processing before consent is obtained
For consent to be valid, data processing may not start before consent is given. This is called prior consent. It is the data controller’s (the website’s) responsibility to collect the user’s consent to cookies before they are set and begin processing personal data.
That means that the website must prevent its cookies (first- and third-party) from collecting and processing the user’s data until the user has given consent to it in the cookie pop-up.
Example: What is prior consent?
A user visits a website for the first time and is presented with a cookie consent pop-up. The pop-up informs the user of cookies. A cookie Consent Solution implemented on the website makes sure that no cookies are set before the user has consented. Thereby, personal data processing only occurs if and when the user has given consent to it.
2) Consent must be freely given
The user must freely give consent. The whole purpose of giving consent is that the user has a choice, a choice to agree (consent) or not to personal data processing. Consent that is not freely given (no option to decline cookies) is not considered valid.
Consent is NOT freely given when:
- Consent is implicit, i.e. “if you use the site, you accept cookies”.
- Undue pressure or influence is exerted on the user’s free will to consent.
- Silence, pre-ticked boxes, or inactivity are used to collect consent. This does not suffice as an unambiguous indication and therefore cannot constitute consent.
Furthermore, no website may hide behind a cookie wall, i.e. a data-for-access model in which the user is not granted access to the site unless they accept cookies.
Example: What is freely given consent?
A website informs its user of cookies with a cookie pop-up. In the pop-up, users are given the option to accept or decline cookies either by an “accept” or “reject” button or by toggles to accept or reject specific cookie purposes (e.g., functional, statistical, and marketing). Declining cookies is as easy as accepting them.
3) Consent must be specific
Every purpose of data processing must be available for the user to accept or decline. In the case of cookie pop-ups, the user must be presented with the option to accept or decline functional cookies, statistical cookies, and/or marketing cookies. Therein lies the notion of specificity.
A user shall not agree or disagree all at once; consent must be given for each and every specific purpose.
In other words, consent must be concretized in such a way that it is clearly stated to what consent is given.
If the data controller (the website) afterward wishes to use the data for other purposes, new consent must be obtained.
Example: Consent must be specific
A website has a cookie pop-up. The user can accept or decline cookies by purpose, i.e., the user can freely decide which type of cookies (functional, statistical, marketing) should be set by the website. The user can easily toggle cookies by purpose on and off. Then the website’s cookie consent is specific.
4) Consent must be informed
The user has to be made aware of what consent is given to. The data controller (the website) should provide the user with information to ensure that the user can make a decision on an informed basis.
As a minimum, the information should contain:
- The identity of the data controller (the website).
- The purpose of data processing.
- Which data is being processed.
- Information about how to withdraw consent.
The user should also be notified if data are sent to or shared with third countries that are not considered secure (countries outside the EU/EEA).
The crucial issue here is to create transparency for the user about data processing. Therefore, information should be written in a clear and simple language.
Example: What is informed consent?
A website has a cookie pop-up that informs users of all the data processing carried out by first- and third-party cookies, who processes the data, and what they use it for. The user is informed about the names of the data processors, who provides the service, for which purpose data is processed, and when the cookie/data processing expires.
5) Unambiguous consent
The consent of the user must be given in the form of an unambiguous statement. This means that the content of the consent cannot give rise to doubt.
Such a statement may consist of the user, by a declaration or by an active action, clearly indicating acceptance of the processing of personal data about them.
All-purpose acceptance of general terms and conditions cannot be taken as a clear affirmation whereby the user consents to the processing of personal data.
Example: Unambiguous consent
A user enters a website and sees the cookie pop-up, which informs about cookies. The pop-up includes sufficient information about who processes the data and for what purpose. The user can now decide based on informed consent and explicitly choose to give consent (or not) by clicking a button to accept or reject cookies and data processing.
6) Documentation of consent
Consent is only valid if it is stored and can be documented. According to the GDPR, consents must be stored for 5 years.
If need be, a specific consent can always be retrieved and forwarded to the Data Protection Authorities. This requires a Consent Solution that actually stores the consent for the website. Typically, no freemium services online provide this security.
What is the right to withdraw consent?
The user may withdraw consent at any time. It is the data controller’s responsibility (the website) to ensure that users can withdraw consent to cookies in a simple and easy way.
It must be as easy to withdraw consent as to give it.
However, when a website has a valid cookie consent solution with a GDPR valid cookie pop-up, the user can simply reject/decline cookies by reopening the cookie pop-up. Thus the consent to cookies is withdrawn (hence no cookies are further set in the browser).
If insufficient information is provided on how to withdraw consent, the consent is not considered valid. Referring the user to browser settings for deleting consent (or cookies) is not valid under the GDPR.
Example: How to withdraw consent?
A user has given consent to cookies on a website. However, the user now wants to withdraw this consent. She opens the cookie pop-up, goes to data processing by purpose, and deselects all cookies set by purpose (functional, statistical, and marketing). By deselecting all cookies, data processing will no longer occur as all cookies are now blocked from being set in her browser. She is no longer tracked by third-party trackers.
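As an added example (not code from the article or from any Consent Solution vendor), the following JavaScript sketches how a cookie consent manager can enforce prior consent per purpose, keep a timestamped record of every decision for documentation, and make withdrawal the same single action as acceptance. The `setCookie` callback and the cookie names are assumptions so the logic runs outside a browser.

```javascript
// Added example, not from the article or any Consent Solution vendor.
// Purposes mirror the article: functional, statistical, marketing.
// "necessary" cookies are exempt from consent; every other purpose fails closed.
const PURPOSES = ["functional", "statistical", "marketing"];

class ConsentManager {
  // setCookie is an assumed callback, e.g. (name, value) => { document.cookie = ... },
  // injected so the gating logic can be exercised outside a browser.
  constructor(setCookie, now = () => Date.now()) {
    this.setCookie = setCookie;
    this.now = now;
    this.record = null;   // no record means no consent (prior consent)
    this.log = [];        // every decision is kept for documentation
    this.pending = [];    // cookie requests held until the user decides
  }

  // Only purposes the user explicitly set to true count; nothing is pre-ticked.
  decide(choices) {
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = choices[p] === true;
    this.record = { purposes, timestamp: this.now() };
    this.log.push(this.record);
    // Release cookies that were waiting for a consented purpose; drop the rest.
    for (const c of this.pending) {
      if (this.allowed(c.purpose)) this.setCookie(c.name, c.value);
    }
    this.pending = [];
    return this.record;
  }

  // Withdrawal is as easy as giving consent: one action, all purposes off.
  withdraw() { return this.decide({}); }

  allowed(purpose) {
    if (purpose === "necessary") return true;
    return this.record !== null && this.record.purposes[purpose] === true;
  }

  // Tag loaders call this instead of writing cookies directly.
  // Returns true only if the cookie was set now.
  requestCookie(name, value, purpose) {
    if (this.allowed(purpose)) { this.setCookie(name, value); return true; }
    // Before any decision the request is queued; after a refusal it is discarded.
    if (this.record === null) this.pending.push({ name, value, purpose });
    return false;
  }
}
```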
How about children and consent?
Children should be offered special protection under the General Data Protection Regulation. Children are often less aware of the risks and consequences that may be associated with the processing of personal data. Such special protection should apply in particular to the use of children’s personal data for marketing purposes, when creating user profiles, or using services provided directly to children.
When a website wants to process personal information about a child, it must consider whether the child is able to give consent by itself or whether the consent should be obtained by a parent (or guardian).
Whether the child can give consent depends on a specific maturity assessment. Generally, a child of 15 years will be mature enough to consent on their own behalf.
When children use social media or other information technology services
The GDPR holds additional strict requirements for obtaining consent from children using social media (e.g., Snapchat, Instagram, YouTube, Facebook) or e-commerce and online games directly targeting children (or which provide access to children).
First, the special requirements apply simultaneously as the standard requirements for obtaining consent under the GDPR.
As a general rule, if the child is below 16 years, a parent or guardian must give consent. The age limit can vary across Europe but never goes below 13 years of age.
Websites providing social media services or other services directed at children must ensure protection by incorporating mechanisms so that children below the age limit are excluded from giving consent (and thereby protected from tracking cookies), e.g., when creating a user profile or using social media.
If the child is below the set age limit, the service provider must make reasonable efforts to verify that the guardian has given their consent based on the available technology.
Example: Consent for children under the GDPR
A child of 10 wants to surf a website with services specifically for children. The website checks the user’s age before the child is let into the website. When the child selects an age below the age limit (say 10), they will be directed to a part of the website that is a tracking-free zone, i.e., no tracking of personal data occurs. Only strictly necessary cookies are present. Thus, the child is excluded from giving consent and protected from tracking.
All third-party cookies (or tracking cookies disguised as first-party cookies) must be prevented from being set in this setup. This also applies to any third-party service the website uses, including Google Analytics and all social media cookies.