Updated October 27, 2020.
The General Data Protection Regulation (GDPR) requires your website to ask for and obtain the clear and affirmative consents from users before processing any of their data.
So, what is consent management?
How do you manage consent in GDPR compliance on your website?
What is valid consent according to the GDPR?
And is there such a thing as a consent management software that can do it all for you?
You’ll find answers to all of these questions in this article.
What is consent management?
Consent management is the act or process of managing consents from your users and customers for processing their personal data.
In other words, consent management means to enable for your users the ability to opt-in and out of the specific cookie categories (preferences, statistics and marketing), to consent and to withdraw their consent again if they chose to.
Consent management is really all about empowering your users to exercise their right to privacy.
A proper consent management system encompasses the following:
- Asking for consent by clearly disclosing what the consent is being given to and how the data will be used.
- Holding back all tracking until proper consent has been given.
- Securely storing all consents as documentation that the consent has been obtained.
- Giving your users access to withdraw their consent at any time.
- Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance
A consent management software like Cookiebot consent management platform (CMP) does all of this automatically.
In doubt whether your website is GDPR compliant? Test with the free Cookiebot CMP compliance test.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
GDPR & Consent
The General Data Protection Regulation is an EU law that came into force on 25 May 2018. It affects all organizations, companies and websites, worldwide, that handle personal data of EU citizens.
The GDPR definition of personal data is very wide, and includes “any information relating to an identified or identifiable natural person”, including information that can be combined to single out or build a rich profile of a particular data subject.
Under this definition, statistics (analytics cookies) and marketing cookies (tracking cookies), as used by most websites, are subject to the GDPR.
This means that you need proper consent from your users prior to the setting of all cookies that track personal data. Your users must be informed about all tracking and consent to it before any data can be processed, says the GDPR.
EDPB guidelines on valid consent in the EU
The European Data Protection Board (EDPB) is the leading supervisor of the GDPR in Europe, responsible for directing the national data protection authorities in each EU country on how the GDPR is to be enforced.
On May 4, the EDPB released guidelines on valid consent in the EU, clarifying what constitutes a proper, lawful user consent on websites for the processing of personal data.
The EDPB guidelines specify that –
- Cookie banners are not allowed to have pre-ticked checkboxes as a default. Instead, cookies (except strictly necessary cookies) must be deselected and deactivated by default, so that users can give their consent as a clear and affirmative action.
- Cookie walls (forcing users to consent to cookies in order to gain access to a website) are deemed unlawful. Users must be able to filter their consent and also give it freely.
- Continued browsing and scrolling on a website does not constitute valid consent.
What is valid GDPR consent?
Consent management is a key issue in the GDPR.
The GDPR definition of proper or valid consent is very clear and leaves a clear responsibilities on the shoulders of website owners and operators.
Consent & GDPR go hand in hand –
Article 7 of the GDPR treats the conditions for consent, and lists the following:
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Real GDPR consent is thus informed, prior to any processing of user data, withdrawable and not on conditions of providing a service.
GDPR consent management is best done with an all-in-one solution, so that you can be sure that your website is compliant and your user’s privacy protected.
Do I need consent management for my website?
You most probably do.
If your website makes use of tracking cookies, you need to obtain consent from your users first.
Is your website hosted, for example on WordPress?
Do you make use of Google Analytics or similar tools on your website?
Do you have embedded content on your site, such as YouTube videos or social media buttons?
If yes, then your website most likely sets third party tracking cookies on your users’ browsers – and you need to implement a consent management platform to make sure that:
- all cookies are paused until proper consent has been obtained,
- the user gets transparent information on the cookies,
- and that he or she may withdraw his or her consent at any time.
The truth is that most websites today need consent management, because almost no website operates without the most basic tools for statistics, marketing or implementation of social media functions.
But consent management is not something you have to sweat about doing yourself.
Being non-compliant with the GDPR is, on the other hand, something you should sweat about: fines can reach €20 million or 4% of the annual global turnover of a company.
ePR & GDPR consent management is our niche expertise here at Cookiebot CMP.
We take our responsibility of protecting privacy very close to heart, and our role as consent manager reflects this.
Cookiebot CMP, automatic consent management
There exists a vast range of consent management tools that offer to manage your website’s user consents.
However, make sure to do your research properly and take care to choose one that is fully compliant and meets all of the above requirements.
Many of the consent management tools available – even amongst those that claim to be fully compliant – are not.
Cookiebot CMP is a consent manager and fully compliant software-as-a-service that helps you scan, know and control your website’s cookies and other tracking. We offer granular consent and full transparency for yourself and for your users.
Once a month, Cookiebot CMP scans all of the pages of your website, by directing a number of simulated users, that activate and detect all cookies and other known tracking technologies in use on all of the pages of your website.
Try our free test that scans up to five pages of your website and sends you a report on the cookies and online tracking in use on these pages and gives you an indication of whether your website is GDPR/ePR compliant.
See if you need a GDPR consent management solution for you website and if Cookiebot CMP is the right consent manager for you.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a data privacy law that governs the processing on personal data of individuals inside the EU. Websites that have users from inside the EU must comply with the GDPR. The GDPR requires websites to secure the consent of users before activating cookies and trackers on their domain that process personal data.
What is GDPR consent management?
Under the GDPR, your website must inform its users of all personal data processing that takes place on the domain, ask for consent for the activation of cookies that process personal data, document and securely store the obtained consents and renew consent regularly.
What is a consent management platform?
A consent management platform (CMP) is a technology that helps websites become compliant with the GDPR’s requirement for lawful personal data processing. Consent management platforms scan websites to find the cookies and trackers that process persona data and enables the website’s users to give their consent to those cookies before they process personal data.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
Are cookie walls legal?
No, according to the European Data Protection Board (EDPB) and their guidelines on valid consent in the EU, cookie walls that make consent conditional for access to a website is an unlawful way of obtaining consent. Instead, consent must be granular and freely given. Users must be able to choose between some cookies and not others, when they give their consent.