How Businesses Fall Short of Consent Enforcement Compliance
Privacy & Compliance | February 27, 2023
Since the introduction of the GDPR in 2018, many organizations have gone headfirst into consent management–standing up cookie banners to capture user consent and maintain compliance with global regulations–or at least maintain the appearance of compliance.
But the truth is, while capturing consent is a crucial piece of complying with global privacy laws like the GDPR, it’s just one part of the process. Despite what cookie consent plugins or unscrupulous marketers would have you believe, compliance doesn’t end with consent. Equally important is what happens before–and after– your site visitors hit that cookie banner.
The Consent Enforcement Challenge
In order to maintain compliance with laws like the GDPR and PIPL, the user preferences captured in consent must be upheld and enforced, and the user’s rights must be upheld before and after they’ve made a consent decision. That means if a user opts out of tracking, no tracking cookies may be fired, whether first or third-party. Nor can tracking occur prior to opt-in. Essentially, if you don’t control which cookies fire on your website and when, a consent banner is just window dressing, not a measure of compliance.
To address this, most commercial Consent Management Platforms (CMPs) employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected. Unfortunately, this solution falls short of true GDPR compliance.
The nature of relying on third parties for preference enforcement means that real-time enforcement is not possible, and the timeline for enforcement is murky at best. But, per article 18 of the GDPR, any data processing related to marketing must cease immediately when a user objects or opts out. Any lag between opt-out and the cessation of tracking is non-compliant with the law. For true compliance, a solution that can unilaterally block cookies from firing before consent is granted is necessary.
In this article, we’ll explore the cookie preference enforcement requirements of five major data privacy laws–The GDPR, CCPA/CPRA, PIPL, POPIA, and PDPA–and help you determine what capabilities you need from a consent management platform.
How Consent Enforcement Works in Various Regulations
EU General Data Protection Regulation (GDPR)
The GDPR is clear that consent is required before any data processing. This includes collecting the data in the first place. Article 6 of the GDPR specifically says processing based on consent is only lawful where the person “has given consent” – note the past tense.
Note also that consent does not apply retroactively. You cannot carry out data processing, then ask for consent and consider that data processing to now be lawful because you got the consent. “It’s better to ask forgiveness than permission” is not a motto that works with the GDPR.
Unlike with some data protection laws around the world, there’s no waiting period or deadline when users give or withdraw consent under the GDPR. One reason for this principle is the law’s insistence that “It shall be as easy to withdraw as to give consent.”
Per article 18 of the GDPR, any data processing related to marketing must cease immediately when a user objects or opts out. Any lag between opt-out and the cessation of tracking is non-compliant with the law.
If you rely on consent as a lawful basis and then process data before somebody has given the relevant consent or after they have withdrawn it, that processing is immediately unlawful and breaches the GDPR.
Penalties for noncompliance: For severe violations, EU regulators can levy fines up to 20 million euros, or 4% of the offending businesses’ total global turnover of the preceding fiscal year, whichever is higher. For less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA)
The California Consumer Privacy Act (CCPA) is the most stringent consumer consent law in the United States—it gives data subjects the right to know when their data is being collected, what information is being collected, and how that data is being used–but it does not require opt-in consent. However, the AB 694 amendment expanded the law’s definition of consent, and the upcoming CPRA, which supersedes the CCPA in July 2023, will require consumer consent in special circumstances.
Under the CPRA, businesses are not only required to give consumers the option to opt-out of selling their data via a “Do Not Sell” button, they must also give the option to opt-out of data sharing, via a “Do Not Share My Information” button or by recognizing “opt-out preference signal[s]” that are sent with the consumer’s consent. In essence, if a company obtains opt-in consent from a consumer through a consent banner, then the company is not required to post a Do Not Sell or Share My Personal Information link and is also not required to comply with opt-out preference signals.
However, as the CPRA, by and large, only requires “opt-out consent,” there is no penalty for firing tracking cookies or processing data before a user has opted out.
Link to Text: CPRA
Penalties: $2,500 for each unintentional violation and $7,500 for each intentional violation.
China Personal Information Protection Law (PIPL)
Under China’s Personal Information Protection Law (PIPL), consent forms one of the six legal bases for processing data, which personal information processors may rely on when processing personal information. Articles 14 and 15 of the law clarify that consent is only valid if users voluntarily and explicitly provide such consent and with full knowledge of the details of the personal information processing. Users also have a right to withdraw consent, and businesses must provide individuals with a convenient means of doing so.
Article 13 of the law states that processing and handling of personal data may only take place if legal bases are met, and thus, processing, or even capturing personal data before consent is granted is non-compliant with the law.
Link to Text: PIPL
Penalties: Penalties include a fine of up to RMB 50 million (about $7.8 million) or 5 percent of the past year’s turnover, whichever is higher. Alternatively, a business can be suspended and business leaders can be fined up to RMB 1 million (about $157,000).
South Africa Protection of Personal Information Act (POPIA)
South Africa’s Protection of Personal Information Act is, by and large, very similar to the GDPR. As such, it is reasonable to take the same steps necessary to comply with the GDPR to comply with POPIA.
Under POPIA, consent is necessary to process data, and data subjects have the right to object to processing and withdraw from said processing. In such a case, processing of the subject’s data must cease immediately.
Link to Text: POPIA
Penalties: In civil cases, a data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of POPIA. In criminal cases, non-compliance with POPIA can result in prison sentences not exceeding 10 years.
Singapore Personal Data Protection Act (PDPA)
Under Singapore’s PDPA, an organization may only collect, use or disclose personal data for purposes to which an individual has given his/her consent. Furthermore, organizations may only collect, use or disclose personal data for the purposes that a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent. That is to say, new consent is required to use personal data for new purposes.
Like in the text of the GDPR, the use of the past tense implies that consent must be collected before tracking or processing can commence, and retroactively deleting data is not compliant with the law.
On the subject of consent withdrawal, Singapore’s PDPA is not quite as strict as European law. Organizations must allow data subjects to withdraw consent–with reasonable notice. The time period that constitutes reasonable notice, however, is not set forth by Singapore lawmakers. Once consent is withdrawn, businesses must cease to collect, use or disclose the individual’s personal data, as under the GDPR.
Link to Text: PDPA
Penalties: 10% of your organization’s revenue. To be clear, that’s 10% on your turnover, not on your profits.
Enabling Consent Enforcement with CHEQ Privacy
A truly compliant Consent Management solution should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.
CHEQ Privacy Compliance Enforcement takes control of a website, app, or digital asset and fundamentally changes how tracking technologies are managed based on the user’s preferences—so you don’t have to rely on third-party analytics platforms to uphold your GDPR compliance.
With CHEQ Privacy Compliance Enforcement you can set up customizable banners and give your visitors a clear-cut choice on if and how their data is collected and used. You can quickly add CHEQ to every iteration of your website with a simple line of code, audit your website to understand which cookies are in use and where, and identify potential compliance issues.
To see how it works and learn more about consent management and enforcement, contact us to request a demo.