Updated December 15, 2021.
The GDPR is literally changing the landscape of the commercial Internet.
In this article, we compare the GDPR software solutions that make your website compliant with the self-defense technologies that end-users employ to protect their privacy.
Come with us into the sandboxes and become compliant with Cookiebot consent management platform (CMP).
GDPR software, quick summary
What is GDPR software?
The governments of the world are lawmaking in unison these years – from the pan-European GDPR to the Californian CCPA/CPRA and the Brazilian LGPD, data privacy laws are taking shape and emerging in a worldwide tech shake-up.
What most data privacy laws have in common is a clear placement of responsibility.
The EU’s GDPR is very clear: the legal responsibility for the lawful processing of personal data rests with the website owners and operators.
That’s why the technologies needed to meet the GDPR requirements have to be technologies that are implemented by the website owners, not the users – GDPR software that applies to the structural changes that the GDPR is creating, not band-aid solutions of self-defense for every individual user out there.
GDPR software (or GDPR compliance software or GDPR consent tools) are solutions that enable compliance with the GDPR.
GDPR software for consent and cookies
Consent management platforms are essential GDPR software.
If you have a website, you most likely need a consent management platform that functions as GDPR scanning software to detect and control all cookies and trackers on your domain – especially the ones that process personal data and require end-user consent under the EU’s GDPR.
72% of cookies on websites are placed by other third-party cookies.
18% of cookies on websites are loaded within as many as eight other cookies.
50% of these hidden cookies change between visits.
Source: Beyond the Front Page, a 2020 study into website cookies and tracking.
A website in the EU or a website that processes data from EU citizens via cookies and trackers (regardless of where in the world that website is located) must comply with one of the conditions for lawful processing, specified in Article 5 of the GDPR.
Consent is the first condition for processing of personal information in the GDPR – it’s the most common legal basis for processing personal data in the EU. This part of the GDPR specifies that websites have to obtain clear and unambiguous permission from their users before any collection and handling of user data can take place.
EDPB guidelines on valid consent in EU
The European Data Protection Board (EDPB) is the leading authority on GDPR enforcement in the EU.
Their adopted guidelines and decisions form the basis of how each national data protection authority in each EU member state applies and enforces the General Data Protection Regulation (GDPR).
The EDPB guidelines on valid consent adopted on May 4, 2020 clarify in detail what is considered valid consent in the EU – and thus, how your website should go about obtaining user consent in order to make sure that it is done in a fully compliant way.
EDPB guidelines specify that:
Your website must only process personal data on individuals inside the EU after it has obtained the freely given, specific, informed and unambiguous indication of the user’s wishes.
This means that pre-ticked checkboxes on cookie banners are invalid, i.e. cookies must be deselected so that the user can clearly and affirmatively select them in order to give their consent.
It also means that continued scrolling and browsing on your website cannot be considered valid consent.
Your website is likewise not allowed to use cookie walls (i.e. making access to your domain conditional on consent), as this is forced consent and not free (valid).
Cookiebot CMP as GDPR scanning software
Cookiebot CMP is a GDPR manager that websites use to obtain compliance with the EU GDPR, ePrivacy, and similar data legislation when it comes to cookies and tracking, to secure the privacy of their end-users and avoid the steep fines that follow non-compliance.
Cookiebot CMP is a simple plug-and-play solution that brings your website and your users’ privacy in balance – implemented directly from the cloud with no need for manual implementation or on-site deployment.
The unmatched Cookiebot CMP scanner examines the depths of your domain and finds all cookies and trackers in operation. Cookiebot CMP performs monthly scans that keep your cookie declaration up to date and reliable for your users.
Cookiebot CMP then auto-blocks all cookies and prohibits any collection, processing or sharing of personal data. This means that your users won’t have any private information harvested by big tech companies or processed and used for behavioral advertisement.
Cookiebot CMP then presents your users with a cookie consent banner that informs them of all trackers, their use and purpose, as well as letting them control the activation of cookies based on their choice of consent. Only Necessary cookies will always be pre-ticked and unable to be turned off by the user.
Cookiebot CMP GDPR software solution works through –
- A scanner that detects all cookies and tracking in operation on your website.
- Automatic blocking of all cookies until user consent is obtained.
- Granular consent that ensures the freely given, informed and specific choice of each user.
- Consent banners that let the users give or withdraw their consent to the trackers.
- Documentation of user consents.
- Asking for renewed consent regularly.
Because of these core functions, some of which are pioneering and unique in the privacy industry, Usercentrics is able to offer Cookiebot CMP as a simple and automatic compliance solution for websites to meet the world’s new data privacy landscape.
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
GDPR software in detail
Other GDPR software
GDPR software solutions range widely to cover different GDPR provisions such as –
- Data minimization
- Anonymization and pseudonymization
- Data breaches
- Secure data storage
- Record of processing activities
- Integrity and confidentiality
An example is the GDPR’s Recital 26 that states that the principles of data protection do not apply to anonymized or pseudonymized data, which cannot be traced back to an identifiable individual. In other words, the GDPR does not concern anonymous information – e.g. for statistical or research purposes.
Examples of GDPR software that specialize in this aspect are:
- Boxcryptor – that encrypts data from popular cloud services like Google Drive and Dropbox
- Tokenex – Cloud-based tokenization for data security and regulatory compliance.
This way, companies and organizations can secure GDPR compliance in their work with sensitive personal information.
Another example is the GDPR’s requirement in Article 35 for companies to conduct data protection impact assessments, when a type of processing is likely to result in risks to the rights and freedoms of EU citizens.
GDPR software specializing in compliance with this part of the GDPR are:
- PrivIQ who do secure data storage for protection requirements,
- Logicgate, who do secure data storage for protection requirements, as well as handle a company’s response to data breaches (concerning Article 33).
Privacy is not users’ responsibility
We all love technology. It improves our lives in so many ways and we are not willing to give it up. That’s why that friend who quits Facebook usually returns again shortly after.
Technology is not a trend. It shapes new digital infrastructures that are transforming how we connect, meet, speak, eat, sleep, live and die.
Most website users don’t have time or the technical skills to inform themselves of their self-defense options, which is why we’ve argued that self-defense tools (like privacy enhancing browsers or ad blockers) are not a viable solution to the structural change needed compared to GDPR privacy software.
Most users aren’t ready to ditch the technology they dis, which results in this weird limbo where users rightfully fear for their privacy yet carry on using the same technologies that instill this fear in them to begin with.
Self-defense Privacy Tools versus Privacy by Design
Tools that empower users to take privacy protection into their own hands are not hard to find on the Internet.
They include –
- Privacy enhancing browsers, such as Tor, Epic, Brave and Firefox.
- VPNs (virtual private networks) that mask users’ IP addresses.
- Ad blockers or browser extensions, like Ghostery and AdBlock, that block trackers.
These are helpful and their intentions are good: enabling people to opt out of the pervasive tracking and data abuse abundant on the web.
The problem is that these self-defense tools don’t really push back on the tech giants, trackers and data abusers.
Instead, they push forward the idea that it is up to the users to opt out of being tracked, rather than opting in.
This goes against the notion of privacy by design in the GDPR that mandates companies to develop software that has privacy as the default setting, so that users have to opt in to marketing cookies and other tracking technologies – not opt out of them to begin with.
“The more indispensable an internet connection becomes, the less choice we have, which means we have less and less autonomy, a key element in being capable of exercising control over our lives. It’s difficult to expect someone to gain control over something they’ve never had the option to control in the first place” – Colin Horgan, writer for the tech magazine OneZero.
Not obeying the privacy by design clause in the GDPR, but letting the responsibility fall on the end-users’ shoulders to opt out of being tracked is a big problem.
It frees the tech companies from changing practice and being held accountable, when users are left to fend for themselves.
Self-defense tools are also not thorough and solid in their protection. These tools often break websites and lessen the user experience and flow on a domain, exactly because they do not discriminate based on nuanced scanning technology.
That’s why self-defense tools are only band-aid solutions – something the end-users can utilize for extra protection, but that cannot constitute real, structural change.
And that is where GDPR software and compliant consent solutions come in.
Cookiebot CMP by Usercentrics is in the world to protect the privacy of users across the web, all over the world. We do this because we believe a free, private future of the Internet is absolutely vital to ensure, and to fight for.
Cookiebot CMP enables the website owner to respect and protect their visitors from unwanted tracking. We do this because privacy laws are complicated and hard to understand for most website owners.
GDPR software: surveillance on news sites in the US vs EU
A perspective of the GDPR’s impact on the privacy landscape of the Internet becomes clear when looking at how much tracking is taking place on news sites online in the US versus the EU.
Timothy Libert, creator of the open-source tracking scanner webXray and faculty member in computer science at Carnegie Mellon University, used this tool to scan a New York Times article titled “Can An Abortion Affect Your Fertility?” in both the US and the EU.
The scan revealed that in the US, the article harbored over 100 third-party cookies with nearly 50 different ad tech companies present and ready to track the article’s readers, including companies like Oracle BlueKai, which amasses massive amounts of user data into sensitive categories (such as “health conditions” and “medical terms”) and uses them to offer Cambridge Analytica-like services for targeted and personalized marketing campaigns.
But the scan also revealed a second significant find: the article, when loaded inside the EU, had “only” 28 third-party cookies from 16 different ad tech companies embedded. This is still a lot for an article sensitive enough to reveal its readers’ political convictions or medical situation.
But it also shows the significance that the GDPR is bringing to the changing landscape of the Internet.
The GDPR is literally changing that landscape, and the technology that follows must be GDPR software that supports these structural changes.
The Internet is a landscape, and it is changing
The Internet was one thing twenty years ago; it is now another thing entirely.
The universal spark that infused the Internet of the 90s has been replaced by dense commerciality and tiered structures, where users are the commodity of the great, hidden ad tech machinery at work in the countless levels underground, sucking out their data for profit and many other unknown purposes.
This evolution is perhaps most clearly visible when comparing Google’s original mission, formulated in the late 90s as –
“to organize the world’s information, making it universally accessible and useful”
– against the company in 2020 and its practices of behavioral advertisement and profiling – its main source of revenue, practices that have been deemed unlawful and out-of-control by the British data protection authority ICO.
From the dream of an Internet that was equal, flat, infinite and universally democratic, we have entered a trance-like commercial Internet full of massive data abuse, breaches, misinformation and algorithmically controlled echo chambers.
From a flat, open landscape to a serrated, hazardous terrain, all users now walk with their self-defense tools in hand fending for themselves on steep cliffs and sharp rock faults, never knowing what dangerous creature might lurk in the next cave they pass, ready to devour their private, inner lives.
Usercentrics and the Internet to come
Usercentrics believes in balancing data privacy with data-driven business to build a sustainable online ecosystem that puts the user at its center.
In these hazardous, uneven digital lands we live in today, it is the responsibility of governments and lawmakers to regulate and force the tech industries to change their practices. It is their responsibility to carve out of the sharp, jagged rocks new structures that can protect the users, who travel through these landscapes.
The General Data Protection Regulation (GDPR) does just that, and the coming ePrivacy Regulation – with its specific focus on electronic communication – might go further.
The GDPR is unambiguous when it comes to settling the responsibility of protecting privacy – it is not up to the users themselves, but up to the website owners, operators, controllers, as well as the tech industry as a whole to develop privacy by design.
The privacy laws that are springing up all around the world mirror the GDPR. It is the website owners and tech companies who must shape a private future, not the users.
The technologies that push the Internet in the direction of privacy and autonomy, democracy and universality must then reflect these laws and the efforts they intend.
Exactly how the landscape of the Internet will come to look in ten or twenty years is very hard to say. But if we do nothing, it’s easy to imagine a landscape that is impenetrable to most, owned by few, costly and unsafe.
However, there are other possible futures for the digital lands. Usercentrics actively pushes towards these more sustainable internet economies through its product Cookiebot CMP. It is in our very DNA to work towards wider, freer, safer digital plains.
Ones where the hazards and inequalities have been tamed and leveled to, once more, reflect the early days of the terrains – flat, open and infinite. Ones where humanity can flourish in the sandboxes of the digital.
What is GDPR software?
How does GDPR software help my website with compliance?
The GDPR requires that your website obtains the freely given, specific, informed and unambiguous indication of a user’s wishes before you are allowed to activate cookies and trackers that process their personal data. GDPR software that manages consent and cookie control helps your website meet the GDPR requirements that protect users from unconsented data harvest by third-party trackers.
What are the GDPR requirements for cookies on websites?
The GDPR requires your website to inform users of the type of cookies and the type of personal data processed by these cookies, for what purpose, by which providers, and for how long they remain active. The GDPR requires your website to obtain user consent before activating any cookies that are not strictly necessary for the basic function of your website.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU law that governs the processing of personal data by websites, companies and organizations around the world. If your website has users from inside the EU, you are obligated to first obtain their consent before activating cookies and trackers on your website that collect, process or share their personal data.