
Types of Consent Banners | GDPR, CCPA Compliant Consent Banner


Legal definitions of consent vary by law and jurisdiction. But in the context of data privacy and data rights, similarities emerge across legal frameworks. In the broadest terms possible, consent is when a user gives his or her permission for tracking or data processing. However, many laws, like the GDPR, differentiate between valid consent, which is necessary for data processing, and implicit consent, which is considered illegitimate.

Valid consent must be informed, unambiguous, and given freely. In other words, the user must be informed exactly what they are consenting to and must be presented with a clear choice to opt-in or out of tracking and data processing, without coercion. Equally important, a user who had previously consented must be allowed to withdraw consent at a later time without penalty.

Implicit consent is consent that is assumed without the explicit permission of the user. Examples include a website that forces the user to accept tracking cookies in order to access content, or one that treats the user as opted in when they navigate away from the consent banner without either accepting or rejecting cookies.

Four Kinds of Consent Banners

Your consent banner approach will largely depend on the regulatory jurisdictions your business operates in. Consent requirements vary widely between different nations, and even between different states. The GDPR in Europe and the PIPL in China have stricter requirements (and harsher penalties) than most. In the US, California’s CCPA is the strictest legislation but is less stringent than GDPR on consumer consent.

For organizations operating internationally, or even transnationally, it’s a good idea to localize consent banners, so that users are always served a banner that is compliant with their local regulation.

We can break down the primary methods of consent delivery into four categories:

Notice-Only Consent

Notice-only consent banners inform users that your website uses cookies, may or may not state the purpose of the cookies in use, and do not offer the user any way to opt out. By continuing to use your website, users are submitting their implicit consent to tracking. This approach is popular in the United States but is not compliant with the consent requirements set forth in the GDPR and similar regulations such as the PIPL.

Cookie Wall Consent

A cookie wall, or tracking wall, is very similar to notice-only consent but requires the users of a website to ‘agree’ to or ‘accept’ cookies, tracking, and/or data processing in order to use the website. A cookie wall gives the user no opportunity to reject tracking and data processing, and the consent it produces is considered illegitimate under many regulations, including the GDPR, which treats cookie walls as a non-compliant approach to consent management.

Opt-Out Consent

An opt-out consent banner informs visitors of the cookies and tracking technologies your website uses and gives them an option to opt out of either all or some tracking and data processing. Typically, the user is opted in by default and has to take manual action to opt out. For example, they may need to uncheck several boxes to opt out of different cookies and trackers. Opt-out consent banners are not compliant with the GDPR but are allowed under the CCPA and LGPD.

Opt-In Consent

An opt-in consent banner informs your visitors of the tracking technologies in use by your website and gives them distinct options to either reject all non-essential cookies or accept all cookies. The user is opted out by default and must take explicit action to consent to tracking or data processing. This consent model is compliant with the GDPR.

What Makes a CCPA Compliant Consent Banner?

The California Consumer Privacy Act (CCPA) gives California consumers the right to know when their data is being collected, what information is being collected, and how that data is being used but does not require opt-in consent. However, the CCPA requires organizations to provide a “Do Not Sell” button that gives users the option to opt-out of the sale of their personal data.

What Makes a GDPR Compliant Consent Banner?

The General Data Protection Regulation (GDPR) has a much stricter set of consent requirements. A user’s consent must be gathered before any cookies, aside from strictly necessary performance cookies, can be fired. Furthermore, the user must be given information about the specific purpose of each tracking cookie, as well as the data it collects before granting consent. Once the user has granted consent, the data processor must document and store that consent, and enforce the user’s wishes. Finally, it must be possible for the user to withdraw consent at any time.

Beyond Consent: Enforcement is Key

Consent is a crucial piece of global privacy laws like the GDPR, CCPA, LGPD, and PIPL, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. That means if a user opts out of tracking, no tracking cookies may be fired, whether first or third-party. Likewise, in GDPR jurisdictions, tracking may not occur prior to opt-in.
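The GDPR requirements listed above (no non-essential cookies before consent, a stored record of the choice, withdrawal at any time) and the enforcement point made here (a recorded opt-out must actually stop tags from firing, first- and third-party alike) can be shown together in a small consent gate. The following JavaScript is an added example, not code from the original article and not Ensighten's product; the purpose names, the region-to-model mapping, the tag registry and the in-memory consent record are all assumptions constructed for the illustration.

```javascript
// Added example, not code from the original article or from Ensighten.
// A minimal consent gate: the banner model (opt-in vs opt-out) is chosen per
// region, the user's choice is stored as a dated record, and every tag is
// checked against that record before it is allowed to fire.

const PURPOSES = ["necessary", "analytics", "marketing"];

// Assumed region-to-model mapping, standing in for geo-targeted banners.
const MODEL_BY_REGION = { EU: "opt-in", BR: "opt-out", US_CA: "opt-out" };

// Constructed tag registry: each tag declares the purpose it needs.
const TAG_REGISTRY = [
  { id: "session-cookie", purpose: "necessary" },
  { id: "analytics-vendor", purpose: "analytics" },
  { id: "ad-pixel", purpose: "marketing" },
];

class ConsentGate {
  // `now` is injectable so the stored timestamp is deterministic in tests.
  constructor(region, now = () => new Date().toISOString()) {
    this.model = MODEL_BY_REGION[region] || "opt-in"; // unknown region: strictest model
    this.now = now;
    // Opt-in: only "necessary" is granted until the user acts.
    // Opt-out: every purpose is granted until the user withdraws.
    const granted = this.model === "opt-in" ? ["necessary"] : [...PURPOSES];
    this.record = { region, model: this.model, granted, source: "default", at: now() };
  }

  // Explicit banner choice: grant exactly the listed purposes (plus "necessary").
  grant(purposes) {
    const chosen = PURPOSES.filter((p) => p !== "necessary" && purposes.includes(p));
    this.record = { ...this.record, granted: ["necessary", ...chosen], source: "user", at: this.now() };
    return this.record;
  }

  // Withdrawal is always available and is recorded the same way as a grant.
  withdrawAll() {
    return this.grant([]);
  }

  // True only when the record comes from an explicit user action, which is
  // what an opt-in regime needs before non-essential processing starts.
  hasExplicitConsent() {
    return this.record.source === "user";
  }

  isGranted(purpose) {
    return purpose === "necessary" || this.record.granted.includes(purpose);
  }

  // Enforcement point: decide per tag here, instead of handing the tag a
  // preference signal and trusting it to comply.
  evaluateTags(registry = TAG_REGISTRY) {
    const fired = [];
    const blocked = [];
    for (const tag of registry) {
      (this.isGranted(tag.purpose) ? fired : blocked).push(tag.id);
    }
    return { fired, blocked };
  }
}

// Walk through an EU visitor's session: default state, a partial grant, then withdrawal.
function demo() {
  const gate = new ConsentGate("EU");
  const steps = [];
  steps.push(gate.evaluateTags()); // before any choice: only the necessary tag fires
  gate.grant(["analytics"]);       // user accepts analytics only
  steps.push(gate.evaluateTags());
  gate.withdrawAll();              // user later withdraws
  steps.push(gate.evaluateTags());
  return steps;
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is where the decision is taken: `evaluateTags` never loads a tag whose purpose is not in the stored record, so a vendor script that ignores a preference signal simply never runs. An audit of a real deployment can apply the same test: with an opt-out recorded, no request to the analytics or marketing endpoint should appear in the browser's network log.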

Unfortunately, there are many Consent Management Platforms that fall short of this requirement. Most commercial CMP solutions employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected.

This chain of preference hand-offs is often non-compliant in and of itself, because it relies on transmitting information about a user and their opt-in/opt-out preferences to other parties. In our research, we’ve found that many CMP implementations allow first- or even third-party cookies to fire even after a customer has opted out of tracking. This is a clear violation of GDPR guidelines on consent management.

Robust Consent Enforcement with Ensighten CMP+

Truly compliant solutions should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.

Ensighten’s CMP+ takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user’s preferences.

If a user has opted out of having her data used for the purposes of analytics, Ensighten does not attempt to integrate with the analytics platform that would otherwise receive data. It does not drop a cookie signaling that the user would prefer not to be tracked.

Instead, Ensighten disables all traffic to the analytics company, making it impossible for mistakes to happen or for a company to leak information to a third party because an integration did not perform as expected.

With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected. And you can enforce those preferences.

Request a demo to see how Ensighten can help your organization meet its compliance goals
