We already covered consent management in the second issue of our blog; now we go into the details and into the differences between websites and connected devices. Here is the short version again, so that everything is fresh in your mind:
Consent management gives people who use digital services, whether websites, apps or smart (household) devices, clarity and privacy protection. The user must consent to the collection and processing of their data before these services may use it, and that consent stays valid until it is revoked or a renewal is legally required. Anyone who fails to obtain consent properly must expect high penalties. Numerous companies now specialize in consent management and help to avoid such fines and to act in compliance with the law. This market, however, concentrates mainly on websites and, to a lesser extent, on mobile apps for smartphones and tablets. So which other devices need to be considered? Since the Telecommunications Telemedia Data Protection Act (TTDSG) came into force, every device connected to the internet is explicitly covered by the rules on storing information on, and reading information from, the user's terminal equipment. That includes IoT (Internet of Things) devices, i.e. smart devices such as internet-connected speakers, lighting and robot vacuum cleaners. Extending consent management to these devices also means changing the way consent is collected: on websites it has been gathered with small code snippets running in the browser that identify the user; IoT needs a different mechanism. To make the difference clearer, the next section looks at the specifics of websites and of IoT devices in turn.
Consent management on websites
The blog post with the general information about consent management already covers some of this; here we go deeper. As soon as you visit a website, one of the first things you see is a consent banner that lets you agree to the use of the data you generate for various purposes. If no consent banner is displayed at all, alarm bells should ring. There are a few websites that genuinely collect no user data, but their number is small. On every other site, your data has most likely been processed since the moment you opened the page (for example by setting and reading cookies) without you having any say in it. Many websites list this information in a privacy policy, but a privacy policy alone is often no longer sufficient under the applicable rules. As already addressed, every person using the website must explicitly give their consent to the processing of their data, i.e. tick the boxes themselves. This applies, of course, only to data that is not essential for the functioning of the site.
If a consent banner is displayed, it usually offers several purposes that can be accepted or rejected individually, among them:
Marketing
Optimization
Personalization
On many websites, however, users are only offered the choice between "accept all" and "settings" instead of being able to select the individual purposes directly. Visitors must be clearly informed of the specific purposes for which their data will be used and must then be able to choose between alternatives that are designed equally (rejecting must be as easy as accepting). Every additional service embedded in a website must remain inactive until the visitor has given explicit consent. The exception is strictly necessary services that collect and process data only to provide the function the visitor requested; these do not need separate permission because the website cannot work without them. In other words, only data that is considered necessary is collected without consent.
One of the most common mistakes in consent management is accepting implicit consent. It happens when the cookie banner can simply be clicked away and the person just continues to browse the site, while the additional services embedded in the page are activated anyway, running from the start of the session on the assumption that whoever keeps using the site agrees to everything. To comply with the applicable rules, every data collection process must stay deactivated until the user has actually given consent.
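The gating described above, as an added example written for this article (it is not APOCRAT code and not a real consent management platform): non-essential services are registered together with the purpose they serve and stay inert until that purpose is explicitly ticked, and the "continue browsing" signal that a wrongly configured site treats as consent is deliberately a no-op. The purpose names, service names and the walkthrough in `webDemo()` are assumptions; the banner markup and the real third-party tags are left out so the logic itself runs in a browser or in Node.

```javascript
// Added example (not APOCRAT code, not a real CMP): a per-purpose consent
// gate for a website. Non-essential services are registered with the
// purpose they serve and stay inert until the visitor explicitly ticks
// that purpose; scrolling on, closing the banner or navigating further
// is deliberately a no-op. The banner markup and the real third-party
// tags are left out so the logic itself runs anywhere (browser or Node).

const PURPOSES = ["essential", "marketing", "optimization", "personalization"];

class ConsentGate {
  constructor() {
    this.granted = new Set(["essential"]); // default: only what the site needs to work
    this.decided = false;                   // true only after an explicit banner decision
    this.services = [];                     // { name, purpose, start, stop, running }
  }

  // Register an embedded service. It starts right away only if its purpose
  // is already allowed (i.e. "essential"); everything else waits.
  register(name, purpose, start, stop = () => {}) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const svc = { name, purpose, start, stop, running: false };
    this.services.push(svc);
    this.apply(svc);
    return svc;
  }

  // Explicit decision from the banner: the full list of purposes the visitor
  // ticked. Anything not on the list is treated as rejected.
  decide(purposes) {
    const chosen = purposes.filter((p) => PURPOSES.includes(p) && p !== "essential");
    this.granted = new Set(["essential", ...chosen]);
    this.decided = true;
    this.services.forEach((s) => this.apply(s));
  }
  acceptAll() { this.decide(PURPOSES); }
  rejectAll() { this.decide([]); }
  // Withdrawal must be as easy as granting: drop one purpose, keep the rest.
  revoke(purpose) { this.decide([...this.granted].filter((p) => p !== purpose)); }

  // Implicit signals (scroll, click-away, next page view) must not count as
  // consent. This is the hook a wrongly configured site would use to call
  // acceptAll(); here it intentionally does nothing.
  onContinueBrowsing() {}

  // Start or stop a service so that its state matches the current decision.
  apply(svc) {
    const allowed = this.granted.has(svc.purpose);
    if (allowed && !svc.running) { svc.start(); svc.running = true; }
    else if (!allowed && svc.running) { svc.stop(); svc.running = false; }
  }

  runningServices() { return this.services.filter((s) => s.running).map((s) => s.name); }
}

// Constructed walkthrough: the third-party tags are stand-ins that only log.
function webDemo() {
  const log = [];
  const gate = new ConsentGate();
  gate.register("session-cookie", "essential", () => log.push("session-cookie:start"));
  gate.register("ad-pixel", "marketing",
    () => log.push("ad-pixel:start"), () => log.push("ad-pixel:stop"));
  gate.register("ab-testing", "optimization", () => log.push("ab-testing:start"));

  const before = gate.runningServices();        // only the essential cookie
  gate.onContinueBrowsing();                     // visitor scrolls past the banner
  const afterBrowsing = gate.runningServices();  // still only the essential cookie
  gate.decide(["marketing"]);                    // visitor ticks marketing only
  const afterConsent = gate.runningServices();   // essential + ad-pixel
  gate.revoke("marketing");                      // later withdrawal
  const afterRevoke = gate.runningServices();    // back to essential only
  return { before, afterBrowsing, afterConsent, afterRevoke, log };
}
```

The practical check this encodes: at page load, before any click, the only running service must be the essential one, and that must still be true after the visitor scrolls or moves on. In a real deployment the `start` callback is what injects the third-party script tag, so the tag simply does not exist in the DOM until `decide()` has been called with its purpose.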
Consent Management on IoT Devices
Internet-connected devices such as refrigerators, coffee machines and lamps went without comprehensive regulation for a long time, even though they collect and process a great deal of data about their owners. Even the smart TV that has stood in many living rooms for years has become a collection point for third-party providers. Anyone who used the online functions of these devices was usually not informed at all, or only in an unclear and hidden way, about the storage and processing of their data, and opting out of these services often proves difficult. As mentioned at the beginning, the TTDSG has created a new legal basis for these devices: smart devices may no longer collect, store or access any data that is not essential for their function without the user's explicit consent.
But what distinguishes this situation from consent management on the web?
First of all, the same conditions apply: whoever uses data, whether personal data (GDPR) or any information stored on or read from the device (TTDSG), must ask for the user's consent unless the processing is necessary for the function. Failure to do so can result in fines of up to €300,000 or an injunction under the TTDSG, or penalties under the GDPR of up to €20 million or 4% of global annual revenue. Unlike websites, however, most networked devices have no screen of their own through which consent could be given. The only screen the user interacts with is the smartphone that is typically used to control the device. Moreover, device and user are not linked via cookies stored in a browser; instead the data goes directly to the provider and to third-party providers, both from the smart device itself and from the control app on the phone. So there are two devices that continuously collect, generate and transmit data, although the user can interact with only one of them: the smartphone.
There are also drastic differences between web and IoT at the code level. The most obvious is the variety of programming languages in the IoT space. On the web and in apps, a handful of established languages can serve as the basis for seamless consent management; smart devices offer no such common ground. The IoT market is still characterized by a large number of programming languages and operating system variants, so consent management technology must be highly variable and adaptive.
To be compatible with current data protection principles, consent management therefore needs a multi-part, code-based and adaptive system that obtains consent on the smartphone and at the same time enforces that consent directly on the device itself, and does so before the device collects data for the first time, as the TTDSG requires.
Here, in condensed form, are the requirements for consent management on IoT devices:
Consent must be obtained during device setup.
The technology behind the consent management solution must be compatible with various programming languages.
Users must be informed about the use of their data in a comprehensive and comprehensible manner and must be able to give their explicit consent if the data is not related to the basic function of the device.
The consent process must be data protection-compliant, with users selecting and confirming every purpose themselves.
It is therefore clear that consent management for IoT is a completely different technology from the usual consent management on websites. Apart from APOCRAT, no other company currently addresses and solves this problem.
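The multi-part system sketched above and the first, third and fourth requirements in the list, as an added example written for this article (it is not APOCRAT's product; the device, the purpose names and the record format are assumptions): the consent record is built only from an explicit selection in the control app, installed on both components that transmit data (the device and the app), and both default to essential traffic only until that record exists; a stale record cannot reinstate consent after a later revocation. The network is replaced by an in-memory array so the example runs offline, and the record is unsigned, which is a simplification: in a real pairing flow the device should authenticate the record (for instance with a key exchanged during setup) so that nobody but the user can "grant" consent.

```javascript
// Added example (not APOCRAT code): consent is collected once, in the
// control app, but enforced by every component that transmits data,
// i.e. the smart device and the app. Both hold the same consent record
// and default to "essential only" until the user has completed setup.
// Names, purposes and the record format are assumptions for this sketch;
// the network is an in-memory array so the example runs offline.

const DEVICE_PURPOSES = ["essential", "diagnostics", "usage-analytics", "third-party-ads"];

// Built only from an explicit selection in the app's setup screen.
// "version" increases with every new decision so that an old record can
// never override a newer one (e.g. a revocation).
function createConsentRecord(deviceId, purposes, version, issuedAt) {
  const chosen = purposes.filter((p) => DEVICE_PURPOSES.includes(p) && p !== "essential");
  return { deviceId, version, issuedAt, purposes: ["essential", ...chosen] };
}

// Enforcement point shared by device firmware and control app. Every
// outbound message names the purpose it serves; without a matching
// consent it is dropped locally instead of being sent.
class ConsentEnforcer {
  constructor(componentName, deviceId, transport) {
    this.name = componentName;
    this.deviceId = deviceId;
    this.transport = transport; // array standing in for the network
    this.record = null;         // null => setup not finished => essential only
    this.dropped = [];
  }

  install(record) {
    if (record.deviceId !== this.deviceId) return false;                     // wrong device
    if (this.record && record.version <= this.record.version) return false;  // stale or replayed
    this.record = record;
    return true;
  }

  allowed(purpose) {
    if (purpose === "essential") return true;
    return this.record !== null && this.record.purposes.includes(purpose);
  }

  send(purpose, destination, payload) {
    if (!this.allowed(purpose)) {
      this.dropped.push({ from: this.name, purpose, destination });
      return false;
    }
    this.transport.push({ from: this.name, purpose, destination, payload });
    return true;
  }
}

// Constructed walkthrough of a robot vacuum and its control app.
function iotDemo() {
  const wire = [];
  const device = new ConsentEnforcer("vacuum-robot", "vac-0001", wire);
  const app = new ConsentEnforcer("control-app", "vac-0001", wire);

  // 1. First boot, setup not complete: only essential traffic (e.g. a
  //    firmware version check) may leave; the room map and ad IDs may not.
  const firmwareCheck = device.send("essential", "vendor", { fw: "1.2.3" });
  const earlyMap = device.send("diagnostics", "vendor", { rooms: 4 });
  const earlyAds = app.send("third-party-ads", "ad-network", { adId: "abc" });

  // 2. In setup the user ticks "diagnostics" only. The app builds the record
  //    and pushes it to the device; from now on both enforce the same decision.
  const r1 = createConsentRecord("vac-0001", ["diagnostics"], 1, "2024-01-01T10:00:00Z");
  app.install(r1);
  device.install(r1);
  const diagAfter = device.send("diagnostics", "vendor", { errors: 0 });
  const adsAfter = app.send("third-party-ads", "ad-network", { adId: "abc" });

  // 3. The user later revokes everything. The newer record replaces the old
  //    one on both sides, and a replay of r1 is rejected as stale.
  const r2 = createConsentRecord("vac-0001", [], 2, "2024-02-01T10:00:00Z");
  app.install(r2);
  device.install(r2);
  const replayAccepted = device.install(r1);
  const diagRevoked = device.send("diagnostics", "vendor", { errors: 0 });

  return {
    firmwareCheck, earlyMap, earlyAds, diagAfter, adsAfter, replayAccepted, diagRevoked,
    sent: wire.length,
    dropped: device.dropped.length + app.dropped.length,
  };
}
```

The point of putting the same `ConsentEnforcer` on both sides is the two-sender problem from the previous section: the phone is where the user decides, but the device keeps transmitting on its own, so the decision has to reach the firmware as data it can evaluate before each send, not just the app. Keeping the dropped messages in a local list also gives the device a record it can show on request of what it declined to transmit.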
APOCRAT provides a remedy
If you lack the resources to keep up permanently with the latest data protection regulations and rulings, you will sooner or later lose track of recommendations and requirements. APOCRAT offers the first and best solution for consent management in the Internet of Things and supports you with a comprehensive arsenal of privacy-compliant tools.
Have we piqued your interest? We are looking for development partners to pilot product and design tests. Our Sales & Partner Manager is available for a consultation.
Contact
Partner & Sales Manager: Alexander Jürgens
E-Mail: office@apocrat.at
Mobile: +43 676 4025255