The entry into force of the GDPR triggered a wave of data protection reforms. Personal data may now only be processed if the user's consent has been obtained. Since the TTDSG came into force in December 2021, this consent requirement also applies to accessing and storing data on terminal equipment (more on this later), at least for data that is not strictly necessary for the fulfillment of a contract or for basic functionality. On many websites you are therefore confronted with a so-called "cookie banner" or "consent banner" as soon as you open the page. Behind these banners there is often a consent management software, also called a consent management platform, or CMP for short. Such CMPs ensure that users are informed about the processing of their data and can decide whether that processing is acceptable to them (permitted) or not (rejected). Finally, CMPs exist not only for websites but for all end devices and services that collect data, e.g. apps, OTT, CTV or various smart devices.
How does consent management work?
The basis for consent management is the consent banner mentioned above. If a service wants to process data, each user of that service must be told which services want to use which data for which specific purpose. This is precisely what the consent banner is for: it forms the interface between the technical system in the background and the users as data subjects.
The users can then decide which services and uses are to be permitted and which are to be blocked. Often, and in line with best practice, there is also an option to reject all services, and an "Accept all" button may also be offered. Guidance on how such a consent banner should be designed is available, among others, in the BVDW guide "Consent Management - Consent Management in Practice".
However, it is important that the consent banner is designed so that an "informed, voluntary, purpose-bound, justified, explicit, formulated in clear and simple language and revocable at any time" consent to, or rejection of, data collection and processing is possible. So-called "dark patterns", e.g. highlighting the "Accept all" button in color, hiding the detailed consent information, or an "opt-out" solution, hinder such informed, voluntary and explicit consent and significantly limit its validity. Merely scrolling on a web page or continuing to use the service also does not count as valid consent, since this is implicit rather than explicit consent. Moreover, it is becoming apparent that such practices will soon be banned outright by the Data Service Act. It is therefore not advisable to use such dark patterns.
Once a user has made a selection of services, this information must be stored permanently in the background, e.g. by a consent management platform. On websites, for example, a cookie is set containing the respective consent information. In addition, the respective service (e.g. website) or the respective terminal device must then block all other services, or the collection of any data, that the user has not permitted.
Finally, such consent to the collection and processing of data is not valid indefinitely. It must be renewed at regular intervals, so it has to be requested again via a consent banner. In addition, users can revoke their consent at any time.
All these changes to the consent are in turn documented on the consent management platform in the background and can be retrieved by the operator of the service or end device. This is necessary, among other things, for providing information to users and data protection organizations.
In short: consent management ensures clarity and privacy protection for people who use digital services such as websites or apps. Consent must be given by the user and is valid until it is revoked or a legally required renewal is due.
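The rules described in this section (deny by default, record only an explicit choice, persist it as a cookie value with an expiry, block services that were not permitted, allow revocation, and keep a retrievable log of every change) can be modelled in a few lines. The following is an added example, not APOCRAT's code or any real CMP; the 180-day renewal interval and the in-memory cookie jar are assumptions so that it runs outside a browser.

```javascript
// Added example, not APOCRAT's code: a minimal consent store applying the rules
// above. Default is deny, only an explicit banner choice is recorded, the choice
// is persisted as a cookie value with an expiry, it can be revoked, and every
// change is logged so the operator can later retrieve it.
const RENEWAL_DAYS = 180; // assumed renewal interval, not a legal figure
const DAY_MS = 86400000;
// Stand-in for document.cookie; a browser would write "consent=<value>; Max-Age=...; Path=/; SameSite=Lax; Secure".
function memoryJar() {
  let value = "";
  return { get: () => value, set: (v) => { value = v; } };
}

class ConsentStore {
  constructor(cookieJar, now = () => Date.now()) {
    this.jar = cookieJar;
    this.now = now;
    this.auditLog = []; // { at, action, purposes } entries, e.g. for information requests
  }
  load() {
    const raw = this.jar.get();
    if (!raw) return null;
    try { return JSON.parse(decodeURIComponent(raw)); } catch { return null; }
  }
  // Called only from an explicit banner action (never from scrolling or
  // continued use). A purpose not listed here stays denied.
  record(purposes) {
    const given = this.now();
    const state = { purposes: { ...purposes }, given, expires: given + RENEWAL_DAYS * DAY_MS };
    this.jar.set(encodeURIComponent(JSON.stringify(state)));
    this.auditLog.push({ at: given, action: "consent", purposes: state.purposes });
  }
  revoke() {
    this.jar.set(""); // nothing stored means back to "deny everything"
    this.auditLog.push({ at: this.now(), action: "revoke", purposes: {} });
  }
  // The banner must be shown again when nothing is stored or the consent expired.
  needsBanner() {
    const s = this.load();
    return s === null || this.now() > s.expires;
  }
  isAllowed(purpose) {
    return !this.needsBanner() && this.load().purposes[purpose] === true;
  }
}
// Gate for a data-collecting service: load it only when its purpose is allowed.
function loadIfAllowed(store, service) {
  if (!store.isAllowed(service.purpose)) return false; // stays blocked, no request sent
  service.load();
  return true;
}
```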
Why do I need consent management?
The GDPR has already been briefly described at the beginning. It is probably the most central reason for the necessity of consent management. Since 2021, however, there has been a new regulation that must be observed. The Telecommunications Telemedia Data Protection Act (TTDSG) has been in effect since December 1, 2021, and tightens the safeguarding of privacy protection. Specifics about this law are covered in our blog post "The TTDSG and me: what smart home companies need to know". Violations of the GDPR or the TTDSG have been subject to high penalties since they came into force, depending on the type of violation and the number of offenses.
| GDPR | TTDSG |
|---|---|
| Processing of personal data | Storage of or access to data on terminal equipment |
| Up to EUR 20 million or 4 % of the worldwide annual sales | Up to EUR 300,000 for a violation of Section 25 (1) TTDSG (cf. Section 28 (1) No. 13, (2) TTDSG) |
For the GDPR to apply to a matter, it must involve personal data. For the TTDSG, this requirement is not mandatory, as it regulates all data, both personal and non-personal. The two laws differ mainly in that the GDPR deals with the processing of personal data, whereas the TTDSG regulates the storage of and access to data on a terminal device (e.g. a smart vacuum cleaner or a smart light bulb). However, both require explicit consent when collecting and using data that is not fundamentally necessary for the functioning of the service or end device.
For example, one needs a consent solution when collecting data via a terminal device that is used for advertising purposes. The consent granted then makes it possible to play out advertising based on the data collected and processed and, if necessary, to tailor it to the respective person. The more data there is for this purpose and the longer it is stored, the more lucrative it is for advertisers and the platforms on which they play out advertising material online.
A look at the practice
So much for the theory; in practice, mistakes can happen during implementation that may affect the legal compliance of the CMP. For example, it must be ensured that no data is collected until consent has been given and stored. A 2020 study by e-dialog found that 76% of the companies examined had flawed consent management. The deficiencies described often involve collecting data before consent has been given, and the design of the options is also criticized. In addition, consent is often obtained implicitly rather than explicitly, e.g. through continued use of the service, which is not legally compliant. Those who disregard these points and cut corners in consent management must expect consequences, as this carries a high legal risk.
Several companies now specialize in consent management and offer solutions for obtaining and securely managing user consent on websites, in apps, and on various devices (end devices). These solutions are usually more attractive for companies than setting up their own consent management system. One reason for this is the legal situation, which is currently subject to many changes. With the TTDSG, smart home devices as end devices are regulated by law for the first time with regard to data protection, which presents many manufacturers and vendors with new challenges if they are to continue operating in compliance with the law.
With APOCRAT in the best of company
Smart devices in the home know much more about our everyday lives than we would like to admit. This knowledge is a valuable asset for manufacturers and other parties who benefit from this data. In the TTDSG, smart household devices are regulated for the first time in Article 25 when it comes to the collection, transmission and processing of data.
This means: when smart home devices are set up or put into operation, consent must also be obtained, and the person using the device must be fully informed about how their data may be used.
As a company, you can now avoid penalties for unlawfully processed data with little effort. If you are legally secure and know the current legal situation, you can easily obtain the necessary consents in compliance with the law. Particularly in the smart home sector, the situation is dynamic and can even result in companies that do not act in compliance with the law having to discontinue their services. In order to prevent high penalties and damage to your image, it is worth looking for clean solutions. APOCRAT's solutions provide our customers with a toolbox for creating tailored solutions that protect against penalties for improper data processing.
Have we piqued your interest? We are looking for development partners to pilot product and design tests. Our Sales & Partner Manager is available for a consultation.
Contact
Partner & Sales Manager: Alexander Jürgens
E-Mail: office@apocrat.at
Mobile: +43 676 4025255