two hands clasping

Coach Consent

Reading time: 7 minutes

Read now
27. January 2023

Inhaltsverzeichnis

  1. Keep your friends close, but your data closer
  2. Voluntary lasts longest
  3. Tell me why
  4. Yes, I do...want to inform
  5. No misunderstandings allowed
  6. The proof
  7. I don't want to, and that's okay

Visiting a website tends to start with a race. A race that is not accompanied by cheering, but by the quiet whirring of a desktop. A race that is not contested with running shoes, but with an ergonomically adapted mouse. A race whose winner will never be apparent. It is a race for the fastest click on the "reject all" button, which, for the sake of suspense, is grayish in color in the lower right corner of any cookie banner. This scene is estimated to take place like this, or at least similar to it, millions of times a day in European households. In the process, the powerful tool of consent, which offers consumers a choice and operators a means of communication, is unnecessarily turned into Indiana Jones Part 6: In the Shoals of the Second Layer. With so many guidelines, laws, and regulations, as well as differing opinions from data protection authorities, it is not surprising that there is confusion about the design of a consent banner. APOCRAT wants to counteract this, which is why we hired Coach Consent specifically to share his 7 steps to best practice consent success with you in this post.

Summary:

  1. Get an overview of the data you process

  2. Give your users a real choice

  3. Define the purposes for which the data will be processed

  4. Provide sufficient information about the purposes for which the data will be used

  5. Allow for a clear affirmative action

  6. Be aware of your obligation to provide proof

  7. Allow for the possibility of revocation

Dear Readers,

the process of obtaining, enforcing and documenting consent is not without reason. It allows lawful processing of (personal) data in addition to fulfilling a contract or legal obligation. It also builds trust and, if implemented properly, shows users in a simple and clear way why it needs to process their data for their benefit. This dialogue of information and acceptance can be conducted at eye level, and today I would like to show you how this can be done:

Keep your friends close, but your data closer

Before you can worry about effective consent management, you need an overview of the data your company collects. This is the only way to ensure that you map all purposes on your Consent Banner. Distinguish between personal, sensitive and non-personal data.

Personal data is any information that relates to an identified or identifiable natural person. Examples include the name, location data or specific physical characteristics of users. Throughout the European Union, according to the GDPR, processing, i.e. collecting, recording, organizing, storing, reading and using personal data, requires one of six legal bases, including consent.

The processing of sensitive data, i.e. data revealing ethnic origin, political opinions, religious or philosophical beliefs, or genetic data, biometric data uniquely identifying a natural person, health data or data concerning the sexual orientation of a natural person is prohibited in the EU under the GDPR. This is only not the case if the data subject has explicitly consented (special case).

While non-personal data is not covered by the GDPR in the EU, in Germany it is covered by the TTDSG in conjunction with terminal equipment such as networked toys. If the storage of or access to non-personal or personal data takes place in the terminal equipment, the consent of the users is required. The requirements for consent are aligned with the GDPR. The TTDSG applies to all terminal equipment sold or manufactured in Germany.

Voluntary lasts longest

Now that you have an overview of the data collected in your company and the regulations associated with your site, it's time to set up a legally compliant Consent Banner that is suitable for the public. Start with the principle of voluntariness.

Give your users a real choice. Don't push them to consent by making consent a non-negotiable part of the terms and conditions. That's not allowed and it's not effective. Give data subjects the ability to refuse consent just as easily as they can accept it or withdraw it without negative consequence. Pay particular attention to the processing purposes you include in the consent for the performance of a contract or the provision of a service. Therefore, in order to ensure the effectiveness of consent, avoid influencing data subjects.

Giving your users an easy way to refuse data collection probably sounds a bit daunting at first. After all, there's a reason why data is considered the gold of our time, without which many companies take a huge economic risk. However, don't forget that processing data based on voluntariness is an immense confidence booster in your company. So use the dialog of consent to bind your customers to your company with data transparency.

Tell me why

Now define the purposes for which the data is to be collected or processed. For each individual purpose, the data subjects must have a choice. The purpose must be clear and legitimate, so that data subjects are protected from the gradual expansion or mixing of purposes. However, a purpose may include multiple operations for which consent is not specifically sought from users. Examples of purposes for which data may be used include marketing, optimization, and statistics.

Yes, I do...want to inform

In the next step, provide your Consent Banner with information to enable data subjects to give consent "in an informed manner". For the question of the type of information, you can be guided by the opinion of the European Data Protection Board. This provides that:

  • the identity of the controller (your company)

  • the purpose of each processing operation for which consent is sought

  • the (type of) data that will be collected and used

  • the existence of a right to withdraw consent

  • Information about the use of the data for automated decision-making, if applicable

  • information on possible risks of data transfers without the existence of an adequacy decision and without appropriate safeguard can be found.

How you provide the information is up to you. However, make sure that you use clear and simple language to be consistent with the average citizen. The only prohibition is that you do not clearly separate the information on consent from other facts, which makes information in the GTCs invalid, for example.

No misunderstandings allowed

Consent according to the GDPR requires an unambiguous confirming action by the data subject or a declaration. Thus, consent is only effective if it is given by an active act. This means, for example, a written or an oral declaration, which can also be made electronically. However, the ticking of a box or the selection of technical settings also apply. In turn, boxes that have already been checked are not permitted, nor is the inclusion of consent in the consent process of the GTCs or a contract.

The proof

In order to avoid possible penalties, it is particularly important to be able to prove that consent has been obtained. Only then is consent really valid. You are free to choose which method you use for this. For the sake of effectiveness, be sure to record when you obtained consent, what information you provided to the data subject, and what work processes took place.

I don't want to, and that's okay

Make absolutely sure that users of your website or app can revoke consent at any time and that revocation is just as easy as giving consent. So if you allow data subjects to consent electronically via a mouse click, swipe, or keystroke, the same must be true for revocation. The same applies to electronic interfaces of an Internet of Things device or app. Also ensure that revocation is done without disadvantages for the data subject. This includes, but is not limited to, fee-free revocation or maintaining the level of service. 

"Phew, there's a lot to consider," you'll say quite rightly at this point. To help you on your way to consent success, I'd like to apply the above principles to the first and second levels of a Consent Banner for you at the end of this blog post.

Level 1 should include the following information:

  • The identity of the controller (= your company).

  • The exact description of the purposes of the processing

  • The legal basis of the data processing

  • The reference to the possibility of withdrawal

  • The place where the consent can be revoked

  • The link to the privacy policy

  • The type of data being processed

  • The process of processing

  • The "accept all" and "reject all" buttons

  • The clear way to get to the second level

Level 2 should include the following information:

  • The identity of the processing parties

  • The purpose of the processing of the parties

  • The process of processing the parties

  • The contact at the parties and its address

  • The storage period of the data

  • The possibility of granular deselection according to the party and the purpose of use

Best Practice Consent Banner

With this, dear readers, I may already say goodbye to you. But before I do, I give you my consent to implement the above steps.

Yours
Coach Consent

Contact
Partner & Sales Manager: Alexander Jürgens
E-Mail: office@apocrat.at
Mobile: +43 676 4025255