

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

With the enforcement of the General Data Protection Regulation from May 2018, obtaining proper user consent before tracking any of their data is more important than ever.

But what does it take for your consent management to be compliant with applicable legislation on data protection and privacy?

What are the requirements, and how can you make sure that your management of consents is fully compliant?

What is consent management? | Definition

Consent management is the act or process of managing consents from your users and customers for processing their personal data.

A proper consent management system encompasses the following:

Personal data in the GDPR

The General Data Protection Regulation is an EU law that came into force on 25 May 2018. It affects all organizations, companies and websites, worldwide, that handle personal data of EU citizens.

The GDPR definition of personal data is very wide, and includes “any information relating to an identified or identifiable natural person”, including information that can be combined to single out or build a rich profile of a particular data subject.

Under this definition, tracking cookies, as used by most websites, are subject to the GDPR.

This means that you need proper consent from your users prior to the setting of all cookies that track personal data.

What are the GDPR requirements for compliant consent?

Consent is a key issue in the GDPR.

Article 7 of the GDPR sets out the conditions for consent, and lists the following:

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

    Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

  3. The data subject shall have the right to withdraw his or her consent at any time.

    The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

    Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Do I need consent management for my website?

You most probably do.

If your website makes use of tracking cookies, you need to obtain consent from your users first.

Is your website hosted, for example on WordPress?

Do you make use of Google Analytics or similar tools on your website?

Do you have embedded content on your site, such as YouTube videos or social media buttons?

Then your website probably sets third-party tracking cookies in your users’ browsers, and you need to implement a consent management system that makes sure that:

  1. all cookies are paused until proper consent has been obtained,
  2. the user gets transparent information on the cookies,
  3. and he or she may withdraw his or her consent at any time.

Cookiebot: A GDPR and ePrivacy compliant consent management platform for your website

There exists a vast range of software solutions that offer to manage your website’s user consents.

However, make sure to do your research properly and take care to choose one that is fully compliant and meets all of the above requirements.

Many of the offered tools, even amongst those that claim to be fully compliant, are not.

Cookiebot is a fully compliant software-as-a-service that helps you manage your cookies, offer granular consent and full transparency for yourself and for your users.

Once a month, Cookiebot scans all of the pages of your website by directing a number of simulated users that activate and detect all cookies and other known tracking technologies in use on those pages.

The result of this audit is sent to you in a report that can also be integrated on your website, for example as part of your privacy policy or cookie policy, thus ensuring that your information on the tracking activity is always up to date and accurate, as required by the GDPR.

Read about all of the functionality and features on our Functions page on Cookiebot.com.

In doubt about what cookies are in use on your website?

Try our free test, which scans up to five pages of your website, sends you a report on the cookies and online tracking in use on these pages, and gives you an indication of whether your website is GDPR/ePR compliant.


