Visiting a website tends to start with a race. A race that is not accompanied by cheering, but by the quiet whirring of a desktop. A race that is not contested with running shoes, but with an ergonomically adapted mouse. A race whose winner will never be apparent. It is a race for the fastest click on the "reject all" button, which, for the sake of suspense, is grayish in color in the lower right corner of any cookie banner. This scene is estimated to take place like this, or at least similar to it, millions of times a day in European households. In the process, the powerful tool of consent, which offers consumers a choice and operators a means of communication, is unnecessarily turned into Indiana Jones Part 6: In the Shoals of the Second Layer. With so many guidelines, laws, and regulations, as well as differing opinions from data protection authorities, it is not surprising that there is confusion about the design of a consent banner. APOCRAT wants to counteract this, which is why we hired Coach Consent specifically to share his 7 steps to best practice consent success with you in this post.
Get an overview of the data you process
Give your users a real choice
Define the purposes for which the data will be processed
Provide sufficient information about the purposes for which the data will be used
Allow for a clear affirmative action
Be aware of your obligation to provide proof
Allow for the possibility of revocation
the process of obtaining, enforcing and documenting consent is not without reason. It allows lawful processing of (personal) data in addition to fulfilling a contract or legal obligation. It also builds trust and, if implemented properly, shows users in a simple and clear way why it needs to process their data for their benefit. This dialogue of information and acceptance can be conducted at eye level, and today I would like to show you how this can be done:
Keep your friends close, but your data closer
Before you can worry about effective consent management, you need an overview of the data your company collects. This is the only way to ensure that you map all purposes on your Consent Banner. Distinguish between personal, sensitive and non-personal data.
Personal data is any information that relates to an identified or identifiable natural person. Examples include the name, location data or specific physical characteristics of users. Throughout the European Union, according to the GDPR, processing, i.e. collecting, recording, organizing, storing, reading and using personal data, requires one of six legal bases, including consent.
The processing of sensitive data, i.e. data revealing ethnic origin, political opinions, religious or philosophical beliefs, or genetic data, biometric data uniquely identifying a natural person, health data or data concerning the sexual orientation of a natural person is prohibited in the EU under the GDPR. This is only not the case if the data subject has explicitly consented (special case).
While non-personal data is not covered by the GDPR in the EU, in Germany it is covered by the TTDSG in conjunction with terminal equipment such as networked toys. If the storage of or access to non-personal or personal data takes place in the terminal equipment, the consent of the users is required. The requirements for consent are aligned with the GDPR. The TTDSG applies to all terminal equipment sold or manufactured in Germany.
Voluntary lasts longest
Now that you have an overview of the data collected in your company and the regulations associated with your site, it's time to set up a legally compliant Consent Banner that is suitable for the public. Start with the principle of voluntariness.
Give your users a real choice. Don't push them to consent by making consent a non-negotiable part of the terms and conditions. That's not allowed and it's not effective. Give data subjects the ability to refuse consent just as easily as they can accept it or withdraw it without negative consequence. Pay particular attention to the processing purposes you include in the consent for the performance of a contract or the provision of a service. Therefore, in order to ensure the effectiveness of consent, avoid influencing data subjects.
Giving your users an easy way to refuse data collection probably sounds a bit daunting at first. After all, there's a reason why data is considered the gold of our time, without which many companies take a huge economic risk. However, don't forget that processing data based on voluntariness is an immense confidence booster in your company. So use the dialog of consent to bind your customers to your company with data transparency.
Tell me why
Now define the purposes for which the data is to be collected or processed. For each individual purpose, the data subjects must have a choice. The purpose must be clear and legitimate, so that data subjects are protected from the gradual expansion or mixing of purposes. However, a purpose may include multiple operations for which consent is not specifically sought from users. Examples of purposes for which data may be used include marketing, optimization, and statistics.
Yes, I do...want to inform
In the next step, provide your Consent Banner with information to enable data subjects to give consent "in an informed manner". For the question of the type of information, you can be guided by the opinion of the European Data Protection Board. This provides that:
the identity of the controller (your company)
the purpose of each processing operation for which consent is sought
the (type of) data that will be collected and used
the existence of a right to withdraw consent
Information about the use of the data for automated decision-making, if applicable
information on possible risks of data transfers without the existence of an adequacy decision and without appropriate safeguard can be found.
How you provide the information is up to you. However, make sure that you use clear and simple language to be consistent with the average citizen. The only prohibition is that you do not clearly separate the information on consent from other facts, which makes information in the GTCs invalid, for example.
No misunderstandings allowed
Consent according to the GDPR requires an unambiguous confirming action by the data subject or a declaration. Thus, consent is only effective if it is given by an active act. This means, for example, a written or an oral declaration, which can also be made electronically. However, the ticking of a box or the selection of technical settings also apply. In turn, boxes that have already been checked are not permitted, nor is the inclusion of consent in the consent process of the GTCs or a contract.
In order to avoid possible penalties, it is particularly important to be able to prove that consent has been obtained. Only then is consent really valid. You are free to choose which method you use for this. For the sake of effectiveness, be sure to record when you obtained consent, what information you provided to the data subject, and what work processes took place.
I don't want to, and that's okay
Make absolutely sure that users of your website or app can revoke consent at any time and that revocation is just as easy as giving consent. So if you allow data subjects to consent electronically via a mouse click, swipe, or keystroke, the same must be true for revocation. The same applies to electronic interfaces of an Internet of Things device or app. Also ensure that revocation is done without disadvantages for the data subject. This includes, but is not limited to, fee-free revocation or maintaining the level of service.
"Phew, there's a lot to consider," you'll say quite rightly at this point. To help you on your way to consent success, I'd like to apply the above principles to the first and second levels of a Consent Banner for you at the end of this blog post.
Level 1 should include the following information:
The identity of the controller (= your company).
The exact description of the purposes of the processing
The legal basis of the data processing
The reference to the possibility of withdrawal
The place where the consent can be revoked
The type of data being processed
The process of processing
The "accept all" and "reject all" buttons
The clear way to get to the second level
Level 2 should include the following information:
The identity of the processing parties
The purpose of the processing of the parties
The process of processing the parties
The contact at the parties and its address
The storage period of the data
The possibility of granular deselection according to the party and the purpose of use
With this, dear readers, I may already say goodbye to you. But before I do, I give you my consent to implement the above steps.
Partner & Sales Manager: Paul Jelenik
Mobile: +43 676 4636255