Everything You Need to Know About Consent Banners and Cookie Compliance
Privacy & Compliance | March 15, 2023
What is Consent in the Context of Data Privacy?
In the broadest terms possible, consent is when a user gives an organization permission to collect or process their personal data. But not all consent is equal. Many laws, like the EU’s General Data Protection Regulation (GDPR), make a key differentiation between what is considered valid consent–i.e., consent that meets the legal basis for data processing–and implicit consent, which is considered consent gathered by illegitimate means.
What is Valid Consent?
Under the GDPR and many other data privacy laws, valid consent is consent that is informed, unambiguous, and given freely and explicitly by a user. In other words, the user must be informed exactly what they are consenting to and must be presented with a clear choice to opt-in or out of tracking and data processing without coercion. Equally important is that a user who had previously consented must be allowed to withdraw consent at a later time without penalty. It’s important to note that standards for valid consent vary slightly from law to law, but the GDPR takes the strictest approach to this topic and provides the best guidelines for compliance with all laws.
What is Implicit Consent?
Implicit consent is consent that is assumed without the explicit permission of the user. For example, a website that forces the user to accept tracking cookies to access content or which opts a user in when the user navigates away from the consent banner without accepting or denying cookies.
The Four Levels of Consent Banners
Your consent banner approach will largely depend on the regulatory jurisdictions your business operates in. Consent requirements vary widely between different nations, and even between different states. The GDPR in Europe and the PIPL in China have stricter requirements (and harsher penalties) than most. In the US, California’s CPRA is the strictest legislation but is still less stringent than GDPR on consumer consent.
For organizations operating internationally, or even transnationally, it’s a good idea to localize consent banners, so that users are always served a banner that is compliant with their local regulation. If localizing the consent experience is not an option, the best practice is to adopt the strictest requirements you are subject to for all users. For example, a business serving customers in the US and EU would adopt a GDPR-compliant consent experience, while a business serving customers in the US would adopt a CPRA-compliant one.
In general, consent banners can be separated into four categories which, listed from most to least relaxed, are: notice only, cookie wall, opt-out, and opt-in.
Cookie Wall Consent
A Cookie Wall, or a tracking wall, is very similar to notice-only consent but requires the users of a website to ‘agree’ or ‘accept’ cookies, tracking, and/or data processing in order to use the website. A cookie wall does not give the user an opportunity to reject tracking and data processing and is considered illegitimate consent under many regulations, such as the GDPR, under which cookie walls are a non-compliant approach to consent management.
Opt-Out Consent
An opt-out consent banner informs visitors of the cookies and tracking technologies your website uses and gives them an option to opt-out of either all or some tracking and data processing. Typically, the user is opted in by default and has to take manual action to opt-out. For example, they may need to uncheck several boxes to opt-out of different cookies and trackers. Opt-out consent banners are not compliant with the GDPR but are allowed under the CCPA and LGPD.
Opt-In Consent
An opt-in consent banner informs your visitors of the tracking technologies in use by your website and gives them distinct options to either reject all non-essential cookies or accept all cookies. The user is opted-out by default and must take explicit action to consent to tracking or data processing. This consent model is compliant with the GDPR.
Consent Requirements of Leading Data Privacy Regulations
What Makes a Consent Banner GDPR Compliant?
The General Data Protection Regulation (GDPR) was the world’s first omnibus data privacy law, and the rules it set forth quickly became the basis for many subsequent privacy laws all over the world. The consent requirements set forth by the GDPR are relatively strict–especially in comparison to requirements in the US.
Under the GDPR, a user’s consent must be gathered before any cookies, aside from strictly necessary performance cookies, can be fired. Furthermore, the user must be given information about the specific purpose of each tracking cookie, as well as the data it collects, before granting consent. Once the user has granted consent, the data processor must document and store that consent and enforce the user’s wishes. Finally, it must be possible for the user to withdraw consent at any time.
To make a cookie banner GDPR compliant, website owners must provide users with a clear-cut choice between opting in or out of tracking, and refusing all cookies (except those strictly necessary) must be as easy as accepting them. The banner should be clearly distinguishable on the website, using bright colors or prominently displaying it in the middle of the page. Consent banners that deny access to a website if the user does not consent to cookies and trackers are not allowed.
Finally, website owners should record evidence of consent and be able to prove that users made an informed, affirmative choice in providing valid consent. The decision to opt-out must be duly recorded and enforced, and an opt-in may not be repeatedly solicited.
To learn more about consent and the GDPR, check out our GDPR Cookie Compliance 101 blog.
What Makes a Consent Banner CCPA Compliant?
The California Consumer Privacy Act (CCPA) was the first state-level privacy law in the United States, and gave California consumers the right to know when their data is being collected, what information is being collected, and how that data is being used. The consent requirements of the law, however, were relatively relaxed compared to contemporaneous laws across the world. The CCPA did not require opt-in consent for data collection and processing, and strictly speaking, it didn’t require a consent banner at all, although many organizations adopted them as part of their compliance strategies. Instead, the CCPA built its consent guidelines around the opt-out consent model. Specifically, the CCPA required websites to include a readily accessible and conspicuous link that allows site users to access a page with various Data Subject Access Requests (DSARs), including a “Do Not Sell” button that gave users the option to opt-out of the sale of their personal data. As of 2023, the CCPA has been amended by the CPRA, which put in place some stricter controls on consent management.
What Makes a Consent Banner CPRA Compliant?
The California Privacy Rights Act (CPRA) is a data privacy law that was passed in November 2020 and went into effect on January 1, 2023, with enforcement slated to begin in July 2023. The CPRA expands upon the California Consumer Privacy Act (CCPA) and includes additional provisions related to data protection and consumer privacy.
Perhaps the biggest change of all, as far as consent banners go, is a new definition of consent under California law. Following in the footsteps of the GDPR, the CPRA now defines consent as “any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” That’s a lot of legalese, but the important part is that consent is defined as “freely given, specific, informed, and unambiguous.” This language, which actually first appeared in AB 694, an earlier amendment to the CCPA that took effect on January 1st, 2022, closely mirrors the language of the GDPR and sets much tighter guidelines for what may be considered valid consent under California law.
Further guidance from regulators is necessary to determine the extent to which this language will be applied to consent banners and consent management in general, but we can gain some insight by comparing the language to definitions set forth by the GDPR. For example, under the GDPR, “freely given” consent would exclude the cookie wall consent model, whereas “specific” and “informed” consent requires that consumers are given a clear understanding of what they are consenting to, and granular controls for opt-out. Finally, “unambiguous” implies that certain behaviors, such as navigating away from a consent banner without making a choice, do not count as valid consent. However, it is unclear whether this would be the case under the CPRA’s opt-out consent model.
So the CPRA mirrors the language of the GDPR, but does it mirror its consent model? No. Well, mostly not.
The CPRA maintains the opt-out cookie consent framework of the CCPA, but it adds some notable exceptions which require opt-in consent. Below is a partial list of the major consent changes made by the CPRA:
- In addition to requiring a “do not sell my personal information” button, as mandated by the CCPA, the CPRA will require a “do not share my personal data” button, which will allow consumers to opt-out from having their data shared with third parties. If a consumer opts out, businesses are now responsible not only for what they do with customer data but also for what third-party partners do with the data. For example, if you post website ads from a third party, you must ensure they do not store customer data. The same requirement extends to services such as trackers, telemetry, online assistants, and shopping carts. You will need to monitor and control all data flows with third parties, and you will be responsible for any data leakage.
- Dark patterns, which California lawmakers define as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice,” are also forbidden under the CPRA.
- CPRA covered businesses will also be required to honor universal opt-out signals like the Global Privacy Control (GPC), and treat them as a valid consumer request to opt out of the selling or sharing of personal information.
- Consumers have the right to opt-out relating to the use of their personal information in automated decision-making including consumer profiling. The CPRA defines profiling as “any form of automated processing of personal information … to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement”.
- The CPRA requires organizations to obtain explicit (opt-in) consent from consumers before collecting, using, or sharing their sensitive personal information.
- The CPRA requires organizations to obtain explicit consent (opt-in) from consumers before sharing their personal information with third parties. Consumers must be given the option to opt-in to the sharing of their personal information.
- Organizations must obtain explicit consent (opt-in) from consumers before using their personal information for targeted advertising. Consumers must be given the option to opt-out of the use of their personal information for targeted advertising.
- Explicit consent (opt-in) from consumers is required before using automated decision-making technologies that have legal or significant effects on consumers.
- Opt-in consent is required for data collection from minors under 16, while parental consent is required for minors under 13.
Beyond Collecting Consent: Enforcement is Key
Consent is a crucial piece of global privacy laws like the GDPR, CCPA, LGPD, and PIPL, but compliance doesn’t end with consent. In order to maintain compliance, user preferences must be upheld and enforced. That means if a user opts out of tracking, no tracking cookies may be fired, whether first or third-party. Likewise, in GDPR jurisdictions, tracking may not occur prior to opt-in.
Unfortunately, there are many Consent Management Platforms that fall short of this requirement. Most commercial CMP solutions employ a series of APIs that rely on the orchestrated cooperation of third parties to ensure that a user’s privacy selections are respected.
This complex network of transmitting preferences is often in and of itself non-compliant as it relies on sending information about a user and their opt-in/opt-out preferences. In our research, we’ve discovered that many CMP implementations often allow first or even third-party cookies to fire even after a customer has opted-out of tracking. This is a clear violation of GDPR guidelines on consent management.
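The enforcement requirement above (no non-essential tracking before opt-in under the GDPR, none after an opt-out, and the GPC signal from the CPRA list honored as an opt-out of sale or sharing) can be expressed as a single gate that tags must pass before they load, followed by an audit of the cookies actually observed. This is an added example, not CHEQ’s code or any CMP’s API; the regime names, category names and the cookie-to-category map are constructed assumptions for illustration.

```javascript
// Added example, not CHEQ's code: a consent gate that decides which tag
// categories may run, plus an audit of observed cookies against that gate.
// Regime names, category names and the cookie-to-category map are
// constructed assumptions for illustration.
const ESSENTIAL = "strictly_necessary";
const NON_ESSENTIAL = ["analytics", "sale_or_share"];

// Returns the categories a tag may use, given the applicable regime, the
// stored consent record (null when the banner was dismissed or never shown)
// and whether the browser sent a Global Privacy Control (GPC) signal.
function allowedCategories(regime, record, gpc) {
  const allowed = new Set([ESSENTIAL]);
  if (regime === "gdpr") {
    // Opt-in: nothing non-essential until an explicit, recorded "accept".
    // Navigating away from the banner (record === null) is not consent.
    if (record && record.status === "accepted") {
      for (const c of record.categories) allowed.add(c);
    }
  } else if (regime === "cpra") {
    // Opt-out: non-essential runs unless the user recorded an opt-out.
    if (!(record && record.status === "opted_out")) {
      for (const c of NON_ESSENTIAL) allowed.add(c);
    }
    // GPC is treated as a valid request to opt out of sale or sharing.
    if (gpc === true) allowed.delete("sale_or_share");
  }
  // Any other regime falls through and fails closed: essential only.
  return [...allowed];
}

// Constructed map from cookie name to the category the site assigned it.
const COOKIE_CATEGORY = {
  session_id: ESSENTIAL,
  _ga: "analytics",
  _fbp: "sale_or_share",
};

// Post-hoc enforcement check: which observed cookies fall outside the
// allowed categories? Unmapped cookies are flagged as well, since an
// unknown cookie cannot be shown to be permitted.
function auditCookies(observedCookieNames, allowed) {
  const ok = new Set(allowed);
  return observedCookieNames.filter(
    (name) => !ok.has(COOKIE_CATEGORY[name] || "unknown")
  );
}

// Usage: a GDPR visitor who dismissed the banner, with _ga and _fbp observed.
// Expected violations: ["_ga", "_fbp"]
console.log(auditCookies(["session_id", "_ga", "_fbp"],
                         allowedCategories("gdpr", null, false)));
```

Running the audit against cookies captured after the page settles is the check that catches the CMP failure described above: any name in the returned list was set outside the user’s recorded choice.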
Robust Consent Enforcement with CHEQ Privacy
Truly compliant solutions should work autonomously, with no dependencies on other systems, to enforce the privacy choices of users.
CHEQ Privacy takes control of a website, app, or digital asset and fundamentally changes how the page is rendered based on the user’s preferences.
If a user has opted out of having her data used for the purposes of analytics, CHEQ does not attempt to integrate with the analytics platform that would otherwise receive data. It does not drop a cookie signaling that the user would prefer not to be tracked.
Instead, CHEQ blocks all traffic to the analytics company entirely, making it impossible for mistakes to happen or for a company to leak information to a third party due to integrations not performing as expected.
With CHEQ Privacy, you can set up geo-targeted consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected. And you can enforce those preferences.
Request a demo to see how CHEQ can help your organization meet its compliance goals.
Frequently Asked Questions
What is valid consent?
Valid consent is a freely given, informed, and explicit agreement by a user to the collection and processing of their personal data. The user must be fully informed about the data processing purposes and have a clear choice to opt-in or opt-out. Valid consent can be withdrawn by the user at any time without penalty.
What is implicit consent?
Implicit consent refers to consent that is assumed without the explicit permission of the user. It often occurs when a user’s actions or inactions are taken as agreement to data processing, even if they have not explicitly granted consent.
What is the purpose of cookie banners?
What is notice only consent?
What is cookie wall consent?
Cookie wall consent refers to a consent approach where users must agree to accept cookies, tracking, and/or data processing in order to access the website. Users are not given the opportunity to reject tracking and data processing. Cookie walls are considered illegitimate consent under some data privacy regulations, such as GDPR, and are non-compliant with those regulations.
What is opt-out consent?
Opt-out consent is a type of consent where individuals are presumed to have given permission for their data to be used unless they take specific action to indicate that they do not want their data to be used.
What is opt-in consent?
Opt-in consent is a consent model where users are informed about the tracking technologies used by a website and are given the option to either accept all cookies or reject all non-essential cookies. The user is opted-out by default, and they must take explicit action to consent to tracking or data processing. Opt-in consent is compliant with regulations like GDPR.
What are the consent requirements of the GDPR?
Under the GDPR, consent must be obtained before any non-essential cookies can be used. Users must be provided with information about the specific purpose of each tracking cookie and the data it collects before granting consent. Consent must be freely given, specific, informed, and unambiguous. Users must have the option to withdraw their consent at any time, and website owners should record evidence of consent and be able to prove that users made an informed, affirmative choice.
What are the consent requirements of the CCPA?
The CCPA does not specifically require opt-in consent for data collection and processing. Instead, it requires websites to include a conspicuous link allowing users to access a page with Data Subject Access Requests (DSARs), including a “Do Not Sell” button for opting out of the sale of their personal data. Opt-out consent is the primary model used under the CCPA.
What are the consent requirements of the CPRA?
The CPRA expands upon the CCPA and adds additional provisions related to data protection and consumer privacy. While it maintains the opt-out consent framework, it also requires explicit opt-in consent for certain data processing activities, such as the collection and sharing of sensitive personal information and the use of automated decision-making technologies with legal or significant effects on consumers. The CPRA also requires organizations to honor universal opt-out signals, such as the Global Privacy Control (GPC), and provide users with the option to opt-out of the sharing of their personal information or its use in targeted advertising.