Criteria for GDPR-compliant consent
Home Resources Articles 7 Criteria for a GDPR-compliant Consent

7 Criteria for a GDPR-compliant Consent

by Usercentrics
Jul 26, 2019
Criteria for GDPR-compliant consent
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

A legally binding and GDPR-compliant consent must fulfil numerous criteria, which must then also be applied to the usecase of websites and apps. The perspective of the user and what he can rationally expect and understand is always what is held as crucial-

In the following, we have outlined all criteria required for GDPR-compliant consent and clarify exactly what they mean.

Criteria for GDPR-compliant consent

Freely

“Accept” and “Reject” button

Consent is voluntary if the person has genuine freedom of choice in his or her decision. It is precisely this voluntary nature that is interpreted narrowly by the courts and the authorities in favour of consumers. Barring a user’s access for the website just because the user has not given his consent to marketing technologies is unlikely to exist in practice.

What does this mean for your cookie banner?

There must be an “Accept” and a “Reject” button. The user must have the possibility to refuse data processing and still use the service or website.

Informed

Who, what, why, how long?

Consent is given when the person affected is aware of all circumstances relating to the data processing and knowingly consents to them.

What does this mean for your cookie banner?

The following information should be directly visible to the website visitor:

  • Who receives my data?
  • What is the purpose of collecting my data (e.g. Analysis, Retargeting etc.)?
  • What data is being collected (z.B. IP-address, Cookie ID, etc.)?
  • What is the legal basis on which my data is collected?
  • How long is the data stored?
  • In which country is data collected?
  • Will the data be forwarded to third parties?
  • Where do I find the privacy policy of each tech provider?

Explicit

Yes, I want to!

The user must actively agree.Pre-checked boxes are therefore not enough. This means that an implicit consent “by further surfing”, which is often discussed, is not considered compliant if technologies are loaded immediately when visiting the website.

What does this mean for your cookie banner?

Make sure to include an “Accept Button” which will activate the cookies.

Granular

Consent for all?

The consent must be tag or cookie-specific. This means that the user must know at a granular level for which data record and for which third-party provider they are granting or withdrawing their consent.

What does this mean for your cookie banner?

General consent “I agree to cookies” does not fulfill this requirement.

In advance

No data to be collected before opt-in

Obviously, data may only be collected once consent has been given. So, there must be a technical link between the “cookie banner” and the cookies on the website. Otherwise, data will be processed without a valid legal basis which constitutes a breach according to Article 83 Paragraph. 5 lit. a) of the GDPR.

If the user does not give consent, it must be ensured that no data is collected or passed on from that point onward.

What does this mean for your cookie banner?

A dynamic loading of cookies must be implemented. That functionality has to be developed by inhouse engineers or solved by implementing a Consent Management Platform software.

Documented

Burden of proof in the case of an audit

According to Art. 7 paragraph. 1 GDPR all consents must be documented.

According to the GDPR , website operators are subject to burden of proof and, in the event of a warning or an audit by the data protection authority, must be able to provide the complete consent history.

What does this mean for your cookie banner?

In order for the consent to withstand an audit, various data points should be recorded, for example timestamp, user agent or the version of the consent texts. URL calls made should also be logged in order to prove that no cookies were played before the consent was obtained.

Easy-to-withdraw

Opt-out on the page

The user has the right to revoke the consent at any time and without justification. The revocation must be as simple as the granting of consent.

What does this mean for your cookie banner?

Applied to technologies, this means that the user must be able to view and revoke his consent to individual technologies at any time with just a few clicks. However, it cannot be expected that the user that he first has to search for the respective opt-out option in the data protection provisions and that he may be redirected to a third-party site for this purpose.

It cannot be expected that the user must search for the respective opt-out option in the data protection stipulations and potentially be redirected to a third-party website. A click-out in the data privacy statement which is linked to an opt-out on a third-party website is not technically sufficient in any case. The reason for this is that the further passing on of data from the website operator must be prevented should the user revoke their consent. Reading out the cookie ID – even for the purpose of establishing the opt-out – already represents an unauthorized transmission of data to third parties (in this case to the processor). The tag may no longer be activated after consent has been revoked. Consequently, this means that the combination of OK banner and opt-out notice in the data privacy statement does not satisfy the GDPR, neither legally nor technically.

Related Articles

California Privacy Rights Act (CPRA) and the future of privacy law

California Privacy Rights Act (CPRA) enforcement is starting: what you need to know

The California Privacy Rights Act (CPRA) has been in effect since January 1, 2023. CPRA enforcement was delayed due...

DMA Marketer

Implementing consent for Google ads personalization: A comprehensive guide to the Google Ads compliance alert

Google Ads’ notification to "implement consent for ads personalization" isn't just a policy change.