When it comes to data protection, marketers are also greatly concerned about the issue of consent management. Especially for internationally orientated companies and their marketing departments, it is often not easy to obtain an accurate overview of applicable data protection regulations in different countries. One thing is clear: the GDPR is the benchmark in this area.
We are also going to take a look at the different interpretations of the GDPR, as well as the data protection regulations applicable in Germany, France, Italy and the UK.
Consent is the new hub for data-driven marketing
The topic of consent continues to gain momentum and the relevance of consent obtained in compliance with data protection regulations and the correct handling of it is still growing. Companies and their marketing teams cannot avoid dealing with this topic. They have to find solutions to manage the consent obtained and even to be able to provide proof of this in an emergency.
In this regard, companies have to face the problems and issues relating to the topic of consent. How can the apparent contradictions of performance-driven online marketing and the special protection of personal data be mitigated by privacy-compliant opt-ins? The brands which operate internationally are also faced with the challenge of having to comply with relevant local regulations.
- How does the Federal Supreme Court interpret data protection in its case-law in Germany?
- What does Germany’s new Data Protection Act include?
- What is the CNIL all about in France?
- What has decided Italy?
- How is data protection regulated in non-EU Member States such as the UK?
By answering these questions and focusing in particular on data protection in marketing departments, the foundation can be laid for an online marketing activity which is not only performance-driven, but also regards consent management as a key consideration.
Consent Management in Germany
In Germany, data protection and the associated consent management are based on the right to informal self-determination granted in the Basic Law. In this context, on 20 May 2021, the Bundestag (German Parliament) adopted a draft law entitled the “Telecommunications and Telemedia Data Protection Act” (TTDSG), which aims to amend the Telecommunications Act (TKG) and the Telemedia Act (TMG), thereby adapting both laws within the meaning of the ePrivacy Directive of the EU to the GDPR. This procedure is necessary, among other things, based on the judgment issued by the Federal Supreme Court on 28 May 2020, according to which the EU Cookie Directive has not been fully transposed into applicable law. The TTDSG is due to come into force on 1 December 2021. Breaches of it will be punished by fines of up to EUR 300,000.
With regard to consent management, the opinion of the Bundesrat (German Federal Council) concerning Article 24 of the draft TTDSG is extremely interesting: While the stronger alignment of § 24 of the draft TTDSG with Article 5(3) of the ePrivacy Directive is welcomed, at the same time the simple design of the cookie banners with two buttons “Consent” and “Reject” is recommended as “expedient”. This is fascinating in that Article 5(3) of the ePrivacy Directive requires that, “[…] to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information […] has given his/her consent.” In this sense, the CJEU also ruled in 2019 in the Planet49 judgment, making it clear that explicit consent is not given with a pre-ticked checkbox or using generalised and multi-cookie information banners, such as “Continue browsing and enjoy the benefits of our website”.
It therefore remains to be seen whether and in what form the recommendation of the Bundesrat fits in with a tendency towards a strict interpretation of the explicit opt-in by the CJEU and the Federal Supreme Court, as well as the discussion about an explicit opt-in also for technical cookies and how this opinion could be implemented. The German Federal Ministry for Economic Affairs and Energy explains this in a press release as follows:
“With regard to cookies, the TTDSG is also intended to achieve user-friendly and competitive consent management, which should include recognised services, browsers and telemedia providers. The detailed design of these new structures is to be carried out by means of a government regulation, the successes of which will be monitored and evaluated by the Federal Government (§ 26 TTDSG).”
The “nudging” issue or even: playing tricks with the opt-in banners
The term “nudging” describes the attempt to influence website visitors in order to persuade them to give consent. These little tricks in the visual design of banners are currently possible in light of the fact that there is (still) no clear legal regulation or case-law on this.
A typical example of this practice is the use of banners with large green buttons for the “Accept all cookies” function and a smaller pale-grey equivalent for the “Reject cookies”. Another recurring practice is that visitors have to click through a series of settings to reject cookies, while the option to accept cookies is directly available.
However, some recent decisions by various courts have found that companies should not push this too far: According to a publication from the Lower Saxony supervisory authority, “excessive” nudging results in the invalidity of consent since the user is not given a real choice. A judgment from the Rostock Regional Court also supports this statement. However, there has been no word so far of either procedures or fines which specifically relate to the issue of nudging. There will certainly be further developments in this area in the future.
And what about newsletter tracking?
Another important topic in terms of consent management is the handling of data for sending newsletters. Using a double opt-in is now a familiar and widely accepted requirement. However, this raises problems when processing the data based on the newsletters sent, for example for analysis purposes.
The legal framework on the subject of tracking information such as opening the newsletter, clicking on links contained in it or opening documents contained in it has not yet been regulated in detail. What is clear, though, is that consent should also be obtained separately for these processing operations. On the other hand, it is unclear when the most sensible point is for obtaining this consent. The most practical option is currently to display a note text at the “first opt-in”, i.e. at the time when a user fills out the newsletter registration form. But a concrete solution has not yet materialised in practice. This topic must therefore also continue to be monitored by companies and their marketers in order to keep up to date with all regulations and jurisdictions, as with all questions relating to consent management.
Modern online marketing can no longer avoid the introduction of a consent management platform due to an increasingly complicated data protection environment. In this context, it is important to clearly keep the terms “privacy statement” and “consent management platform (CMP)” separate. While the privacy statement serves to fulfil the information obligations (Which data is collected and further processed? Whom they may be passed on to?), the CMP is concerned with obtaining active consent in compliance with data protection regulations. Therefore, a CMP helps website operators with the correct design and operation of opt-in banners.
Good to know:
A/B tests are an important ally when it comes to optimising your opt-in rates.
As you can already see, from a marketer’s point of view, the topic of consent management has a lot to do with making consent banners compliant with data protection regulations, on the one hand, and optimising them in such a way, on the other hand, to ensure that the opt-in rate is as high as possible. A/B tests are destined to feature in determining suitable opt-in banner formats. Leave nothing to chance and analyse, by playing different versions within a certain period of time, exactly which banner formats on your website generate the highest possible consent rate.
Our current privacy barometer shows, for example, that consent banners are most often displayed in the form of pop-ins (72%) to obtain a 100% explicit opt-in. In addition, we can give you five practical tips to make your consent banners as effective as possible. The good thing about this is that: These tips are based on the requirements of the French data protection authority CNIL, which even went one step further in interpreting an explicit opt-in than is currently the case in Germany.
Consent Management in France
The French data protection authority CNIL published a directive on cookies and other trackers in October 2020, which had to be implemented by all website operators by the end of March 2021. Key aspects which are explained in it are GDPR-compliant consent, the shutdown of opt-out mechanisms where, by definition, no explicit consent prevails, compliance with transparency requirements, a simple option for revoking opt-ins, as well as the verifiability of all opt-ins. This cookie and tracking directive is very detailed and provides information from the technical to the purely visual design of consent management on websites.
In its directive, the CNIL focuses in particular on the timeframes for storing cookies. For example, it recommends a duration for cookies (i.e. how long a set cookie can actively collect data) limited to a period of time that allows a relevant comparison of the target groups during this period, but mentions a maximum duration of 13 months. The maximum period for retaining the information collected via these cookies is set by the CNIL at 25 months. A new visit to a website by visitors who have already been tracked does not represent an automatic extension of this period. The duration and retention periods specified by the CNIL will be reviewed periodically in order to ensure that they are still appropriate.
The CNIL confirms its main principles, including the symmetry of consent
- User consent is better regulated. The Internet user must now give explicit consent. Simply continuing to browse a site can no longer be considered a valid expression of consent. Consent must be given by a “clear positive act” (e.g. clicking on the “I agree” button) in order to allow the trackers to be triggered. Without this, only essential trackers can be deposited.
- Users should be able to withdraw their consent easily and at any time.
- Symmetry of consent. Gone are the days when you had to look hard for the “opt-out” button. From now on, it must be just as easy to refuse as to accept the deposit of cookies.
- Individuals must be clearly informed of the purposes of the trackers before they consent, and of the consequences of doing so. The identity of all companies using cookies subject to consent should also be easily accessible to the Internet user.
- Finally, if an Internet user requests proof of consent, the actors depositing the trackers must be able to provide valid proof of the user’s free, informed, specific and unambiguous consent.
Which cookies are currently considered as not requiring consent in France?
As already mentioned, a distinction can be made between technically necessary and analytics cookies (e.g. tracking or affiliate cookies). In general, according to the ePrivacy Directive, all technical cookies that are needed to operate a website do not require explicit consent. However, in order to find out exactly which cookies or trackers are classified as “technically necessary”, a closer look must be taken again at national interpretations and case-law. In France, the following types fall under the “not requiring consent” category:
- Trackers which record the decision made by the user
- Trackers for authentication when accessing a service and to ensure the security of the authentication mechanism, e.g. by limiting suspicious access attempts.
- Trackers designed to store the contents of a shopping basket on an e-commerce website or to invoice the user for purchased products.
- Trackers for customising the user interface (e.g. for choosing the language or view)
- Trackers which enable load balancing
- Trackers which allow paid websites to limit free access to content
- Specific trackers for measuring visitors
The CNIL still recommends that you also inform about cookies exempted from consent and their purposes, even if there is no general requirement for consent. Certain analytics cookies may also be exempt from the consent requirement in France. However, according to the CNIL, certain conditions must be met:
- Analytics cookies can be used without consent, the tracking of which serves purely to measure the number of visitors.
- No explicit consent is required either if there is no tracking across different applications or websites.
- Lastly, the CNIL mentions the quality of the data collected. It is permitted to analyse data without any opt-in if it is used exclusively for the purpose of creating anonymous statistical data, or if there is no comparison of the data with other processing operations and no disclosure to third parties.
Consent Management in the United Kingdom
We would also like to give a brief overview of the requirements for consent management according to a British interpretation. Despite its exit from the European Union, the United Kingdom is pursuing a course in terms of data protection law which is strongly orientated towards the EU and, therefore, towards the GDPR. Therefore, there are few differences to the EU, especially in connection with cookies, with the exception that the Information Commissioner’s Office (ICO) as a competent authority is not only financially strong, but is also considered to be much stricter and more active than is currently the case, for example, with German authorities.
For instance, the ICO accepts only a few exceptions to the clearly explicit consent requirement. Cookies which can also be set without any opt-in must therefore be “strictly necessary” according to the narrowest possible interpretation. Examples of this are cookies which allow a shopping cart to be stored for the next session, or which are used to ensure, for example, the security of online banking. This also includes cookies which are used to support the loading of websites. Clearly not included are analytics cookies, cookies for recognising certain website visitors or cookies which collect first-, second- and/or third-party data for advertising purposes.
Analytics services – a controversial aspect throughout Europe
Probably the most controversial aspect of consent management on websites at the moment revolves around the issue concerning the need for analytics services such as Google Analytics and, therefore, at the same time, the issue of whether these services require an explicit opt-in.
In this context too, the debate is based on the already mentioned Article 5(3) of the ePrivacy Directive, which stipulates the rules for handling cookies at EU level. However, two aspects are answered differently:
- Does Article 5(3) of the ePrivacy Directive also apply to “cookieless” technologies?
- Neither the Federal Supreme Court in Germany nor the CJEU have taken a position so far in this regard at European level.
- France and the United Kingdom consider that Article 5(3) of the ePrivacy Directive does also apply to “cookieless” technologies.
- Are analytics services to be regarded as “technically necessary” or “strictly necessary” under article 5(3)(2) of the ePrivacy Directive?
- Germany has not yet taken a stance on this.
- France considers “harmless” analytics services to be “technically necessary”, but without clearly explaining what exactly is meant by them.
- The UK takes the most stringent view and considers all analytics services to be strictly subject to consent.
The result shows that the use of analytics services without active consent is a highly controversial issue. Even though the situation is unclear, the use of analytics services without active consent also tends to be discouraged in Germany.
Consent Mangement in Italy
On June 10th, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali) has published new guidelines for cookie usage. It comes after 6 months of public consultation on cookies topic.
What are the modalities ?
Any website that have users based in Italy are concerned by these new guidelines.
The deadline to comply is set at January 10th, 2022.
The penalties if you do not comply with these new guidelines are as follows:
- Omission or inadequate information : from 6000 to 36.000 euros
- Installation of cookies without consent : from 10,000 to 120,000 euros
What are the guidelines ?
1. Precision of what is a Consent and how to collect it
- The act of giving consent must be “free, specific, informed and unambiguous”
- Scrolling is not a clear, affirmative positive action from the user to collect consent.
- Cookie walls are not allowed.
2. About cookie banner
- “Accept” and “Reject” buttons are required.
- The user’s personal data storage period must be specified.
- The user must be able to give/withdraw consent granularly according to purposes and providers.
- Users must be able to access and edit their tracking preferences at any time after setting their initial preferences.
- New specifications for the accessibility of cookie information in relation to persons with disabilities;
3. Analytics and technical cookies
- Analytical cookies require consent (subject to certain conditions)
- Technical cookies do not require consent
4. Validity of consent
- Consents collected before the publication of the new Garante Guidelines on cookies, if they comply with the characteristics required by the Regulation, are valid as long as, at the time of their acquisition, they have been recorded and can therefore be documented.
- The banner may not be shown to users before 6 months have passed since the consent was collected.
5. Proof of consent
- You need to be able to prove that consent was obtained according to the standards of the GDPR.
European Cooperation: Transparency & Consent Framework 2.0
Another important framework for consent management is IAB-TCF 2.0, which was introduced in September 2020. Consent management according to the Transparency & Consent Framework (TCF) of IAB Europe works by dovetailing processing purposes and vendors. The descriptions of these processing purposes are provided in precise detail. The TCF operates in layers. Therefore, the reproduction of the “legal full text” is mandatory. According to the regulations, however, it is sufficient to display the “user-friendly” text on a first level and the “legal full text” only on a second level of the consent banner. At no point can there be any deviation from the official text modules and their official translations.
In addition to the lists for publishers, content management systems (CMS), as well as advertisers and agencies, the vendor list for IAB-TCF 2.0 gives a precise overview of which e-commerce shops fall under TCF 2.0. Therefore, implementing the TCF should contribute to improving transparency in the provider jungle and to compliance with the GDPR. However, it is important to note that the TCF does not guarantee compliance with the GDPR on its own. Whether the GDPR is actually complied with when the TCF is implemented must be checked separately from a legal perspective and, if necessary, on a case-by-case basis.
Currently, TCF 2.0 is subject to a great deal of criticism. The focal point of this criticism is mainly varying requirements for cookie banners compared to the GDPR. You can find out more about this topic here.
We can see that the situation is complex. As a globally operating company, it is necessary always to be informed of the situation in order to act in compliance with data protection regulations in all markets and to take specific local requirements into account.
Would you like to rethink your approach to consent management and introduce a consent management platform in your company or receive specific suggestions on how to design your cookie banners?
We would like to thank Christoph Bauer from ePrivacy GmbH for his cooperation in the course of our joint webinar and in producing this article. Article initially written in July 2021.