The topic of consent continues to gain momentum and the relevance of consent obtained in compliance with data protection regulations and the correct handling of it is still growing. Companies and their marketing teams cannot avoid dealing with this topic. They have to find solutions to manage the consent obtained and even to be able to provide proof of this in an emergency.
In this regard, companies have to face the problems and issues relating to the topic of consent. How can the apparent contradictions of performance-driven online marketing and the special protection of personal data be mitigated by privacy-compliant opt-ins? The brands which operate internationally are also faced with the challenge of having to comply with relevant local regulations.
By answering these questions and focusing in particular on data protection in marketing departments, the foundation can be laid for an online marketing activity which is not only performance-driven, but also regards consent management as a key consideration.
In Germany, data protection and the associated consent management are based on the right to informal self-determination granted in the Basic Law. In this context, on 20 May 2021, the Bundestag (German Parliament) adopted a draft law entitled the “Telecommunications and Telemedia Data Protection Act” (TTDSG), which aims to amend the Telecommunications Act (TKG) and the Telemedia Act (TMG), thereby adapting both laws within the meaning of the ePrivacy Directive of the EU to the GDPR. This procedure is necessary, among other things, based on the judgment issued by the Federal Supreme Court on 28 May 2020, according to which the EU Cookie Directive has not been fully transposed into applicable law. The TTDSG is due to come into force on 1 December 2021. Breaches of it will be punished by fines of up to EUR 300,000.
With regard to consent management, the opinion of the Bundesrat (German Federal Council) concerning Article 24 of the draft TTDSG is extremely interesting: While the stronger alignment of § 24 of the draft TTDSG with Article 5(3) of the ePrivacy Directive is welcomed, at the same time the simple design of the cookie banners with two buttons “Consent” and “Reject” is recommended as “expedient”. This is fascinating in that Article 5(3) of the ePrivacy Directive requires that, “[…] to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information […] has given his/her consent.” In this sense, the CJEU also ruled in 2019 in the Planet49 judgment, making it clear that explicit consent is not given with a pre-ticked checkbox or using generalised and multi-cookie information banners, such as “Continue browsing and enjoy the benefits of our website”.
It therefore remains to be seen whether and in what form the recommendation of the Bundesrat fits in with a tendency towards a strict interpretation of the explicit opt-in by the CJEU and the Federal Supreme Court, as well as the discussion about an explicit opt-in also for technical cookies and how this opinion could be implemented. The German Federal Ministry for Economic Affairs and Energy explains this in a press release as follows:
“With regard to cookies, the TTDSG is also intended to achieve user-friendly and competitive consent management, which should include recognised services, browsers and telemedia providers. The detailed design of these new structures is to be carried out by means of a government regulation, the successes of which will be monitored and evaluated by the Federal Government (§ 26 TTDSG).”
The “nudging” issue or even: playing tricks with the opt-in banners
The term “nudging” describes the attempt to influence website visitors in order to persuade them to give consent. These little tricks in the visual design of banners are currently possible in light of the fact that there is (still) no clear legal regulation or case-law on this.
A typical example of this practice is the use of banners with large green buttons for the “Accept all cookies” function and a smaller pale-grey equivalent for the “Reject cookies”. Another recurring practice is that visitors have to click through a series of settings to reject cookies, while the option to accept cookies is directly available.
However, some recent decisions by various courts have found that companies should not push this too far: According to a publication from the Lower Saxony supervisory authority, “excessive” nudging results in the invalidity of consent since the user is not given a real choice. A judgment from the Rostock Regional Court also supports this statement. However, there has been no word so far of either procedures or fines which specifically relate to the issue of nudging. There will certainly be further developments in this area in the future.
Another important topic in terms of consent management is the handling of data for sending newsletters. Using a double opt-in is now a familiar and widely accepted requirement. However, this raises problems when processing the data based on the newsletters sent, for example for analysis purposes.
The legal framework on the subject of tracking information such as opening the newsletter, clicking on links contained in it or opening documents contained in it has not yet been regulated in detail. What is clear, though, is that consent should also be obtained separately for these processing operations. On the other hand, it is unclear when the most sensible point is for obtaining this consent. The most practical option is currently to display a note text at the “first opt-in”, i.e. at the time when a user fills out the newsletter registration form. But a concrete solution has not yet materialised in practice. This topic must therefore also continue to be monitored by companies and their marketers in order to keep up to date with all regulations and jurisdictions, as with all questions relating to consent management.
Modern online marketing can no longer avoid the introduction of a consent management platform due to an increasingly complicated data protection environment. In this context, it is important to clearly keep the terms “privacy statement” and “consent management platform (CMP)” separate. While the privacy statement serves to fulfil the information obligations (Which data is collected and further processed? Whom they may be passed on to?), the CMP is concerned with obtaining active consent in compliance with data protection regulations. Therefore, a CMP helps website operators with the correct design and operation of opt-in banners.
Good to know:
A/B tests are an important ally when it comes to optimising your opt-in rates.
As you can already see, from a marketer’s point of view, the topic of consent management has a lot to do with making consent banners compliant with data protection regulations, on the one hand, and optimising them in such a way, on the other hand, to ensure that the opt-in rate is as high as possible. A/B tests are destined to feature in determining suitable opt-in banner formats. Leave nothing to chance and analyse, by playing different versions within a certain period of time, exactly which banner formats on your website generate the highest possible consent rate.
Our current privacy barometer shows, for example, that consent banners are most often displayed in the form of pop-ins (72%) to obtain a 100% explicit opt-in. In addition, we can give you five practical tips to make your consent banners as effective as possible. The good thing about this is that: These tips are based on the requirements of the French data protection authority CNIL, which even went one step further in interpreting an explicit opt-in than is currently the case in Germany.
The French data protection authority CNIL published a directive on cookies and other trackers in October 2020, which had to be implemented by all website operators by the end of March 2021. Key aspects which are explained in it are GDPR-compliant consent, the shutdown of opt-out mechanisms where, by definition, no explicit consent prevails, compliance with transparency requirements, a simple option for revoking opt-ins, as well as the verifiability of all opt-ins. This cookie and tracking directive is very detailed and provides information from the technical to the purely visual design of consent management on websites.
In its directive, the CNIL focuses in particular on the timeframes for storing cookies. For example, it recommends a duration for cookies (i.e. how long a set cookie can actively collect data) limited to a period of time that allows a relevant comparison of the target groups during this period, but mentions a maximum duration of 13 months. The maximum period for retaining the information collected via these cookies is set by the CNIL at 25 months. A new visit to a website by visitors who have already been tracked does not represent an automatic extension of this period. The duration and retention periods specified by the CNIL will be reviewed periodically in order to ensure that they are still appropriate.
As already mentioned, a distinction can be made between technically necessary and analytics cookies (e.g. tracking or affiliate cookies). In general, according to the ePrivacy Directive, all technical cookies that are needed to operate a website do not require explicit consent. However, in order to find out exactly which cookies or trackers are classified as “technically necessary”, a closer look must be taken again at national interpretations and case-law. In France, the following types fall under the “not requiring consent” category:
The CNIL still recommends that you also inform about cookies exempted from consent and their purposes, even if there is no general requirement for consent. Certain analytics cookies may also be exempt from the consent requirement in France. However, according to the CNIL, certain conditions must be met:
We would also like to give a brief overview of the requirements for consent management according to a British interpretation. Despite its exit from the European Union, the United Kingdom is pursuing a course in terms of data protection law which is strongly orientated towards the EU and, therefore, towards the GDPR. Therefore, there are few differences to the EU, especially in connection with cookies, with the exception that the Information Commissioner’s Office (ICO) as a competent authority is not only financially strong, but is also considered to be much stricter and more active than is currently the case, for example, with German authorities.
For instance, the ICO accepts only a few exceptions to the clearly explicit consent requirement. Cookies which can also be set without any opt-in must therefore be “strictly necessary” according to the narrowest possible interpretation. Examples of this are cookies which allow a shopping cart to be stored for the next session, or which are used to ensure, for example, the security of online banking. This also includes cookies which are used to support the loading of websites. Clearly not included are analytics cookies, cookies for recognising certain website visitors or cookies which collect first-, second- and/or third-party data for advertising purposes.
Probably the most controversial aspect of consent management on websites at the moment revolves around the issue concerning the need for analytics services such as Google Analytics and, therefore, at the same time, the issue of whether these services require an explicit opt-in.
In this context too, the debate is based on the already mentioned Article 5(3) of the ePrivacy Directive, which stipulates the rules for handling cookies at EU level. However, two aspects are answered differently:
The result shows that the use of analytics services without active consent is a highly controversial issue. Even though the situation is unclear, the use of analytics services without active consent also tends to be discouraged in Germany.
On June 10th, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali) has published new guidelines for cookie usage. It comes after 6 months of public consultation on cookies topic.
Any website that have users based in Italy are concerned by these new guidelines.
The deadline to comply is set at January 10th, 2022.
The penalties if you do not comply with these new guidelines are as follows:
1. Precision of what is a Consent and how to collect it
2. About cookie banner
3. Analytics and technical cookies
4. Validity of consent
5. Proof of consent
Another important framework for consent management is IAB-TCF 2.0, which was introduced in September 2020. Consent management according to the Transparency & Consent Framework (TCF) of IAB Europe works by dovetailing processing purposes and vendors. The descriptions of these processing purposes are provided in precise detail. The TCF operates in layers. Therefore, the reproduction of the “legal full text” is mandatory. According to the regulations, however, it is sufficient to display the “user-friendly” text on a first level and the “legal full text” only on a second level of the consent banner. At no point can there be any deviation from the official text modules and their official translations.
In addition to the lists for publishers, content management systems (CMS), as well as advertisers and agencies, the vendor list for IAB-TCF 2.0 gives a precise overview of which e-commerce shops fall under TCF 2.0. Therefore, implementing the TCF should contribute to improving transparency in the provider jungle and to compliance with the GDPR. However, it is important to note that the TCF does not guarantee compliance with the GDPR on its own. Whether the GDPR is actually complied with when the TCF is implemented must be checked separately from a legal perspective and, if necessary, on a case-by-case basis.
Currently, TCF 2.0 is subject to a great deal of criticism. The focal point of this criticism is mainly varying requirements for cookie banners compared to the GDPR. You can find out more about this topic here.
We can see that the situation is complex. As a globally operating company, it is necessary always to be informed of the situation in order to act in compliance with data protection regulations in all markets and to take specific local requirements into account.
Would you like to rethink your approach to consent management and introduce a consent management platform in your company or receive specific suggestions on how to design your cookie banners?
We would like to thank Christoph Bauer from ePrivacy GmbH for his cooperation in the course of our joint webinar and in producing this article. Article initially written in July 2021.